FingerprintAuth

Fingerprint authentication

Fingerprint authentication is not currently delivered in any mainstream hardware enablement projects. As initially written, this page outlines the possibilities for enabling it.

The most suitable fingerprint auth software packages are those built around the fprint project, the only actively developed open source code with fairly wide hardware support. However, even fprint development is not very active.

There is also the fingerprint-GUI project, which includes closed source drivers to enable a few more devices, including all UPEK devices. It is less well integrated with GNOME and is something of a hobby project.

fprint

  • The fprint packages in natty are very out of date and do not work: the device isn't recognized.
  • Oneiric has more up-to-date libraries but still only offers the deprecated libpam-fprint rather than libpam-fprintd.
  • ppa:fingerprint/fprint has appropriate packages for a trouble-free installation. Obviously great care would be needed before integrating this code into a commercial install. The Oneiric packages are the same as Natty in this PPA; at time of writing oneiric isn't stable enough to test.
  • The code is of unknown quality and would warrant a security audit before issuing it in a customer release.

Usage

With the packages libfprint0, libpam-fprintd and gksu-polkit installed, fingerprint auth is quite straightforward:

  • In "About Me" select "Enable Fingerprint Login"
  • Follow the prompt to train the system with your fingerprint with 5 swipes (seems to take 6; a little unpolished)

That's it. Login, screen unlock and sudo authentication will now prompt for the fingerprint reader, but gksu will silently wait for a finger swipe.

Limitations/bugs

PAM is single threaded - hard to drop down to password auth

PAM can only perform one authentication method at a time. There is no direct way at the login screen, the screen lock, etc. to bypass fingerprint auth and use a password. The easiest way is to swipe the wrong finger repeatedly. Allegedly "Fedora 12 has enhanced the GDM login screen with a button that switches between password and fingerprint authentication mode".

Passwords are required for keyrings and ecryptfs to work

You can't unlock a keyring or an encrypted filesystem without a password. Selectively disabling fingerprint auth for first login would be desirable and should be fairly easy, but isn't supported out of the box in the packages.
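One way to check which services are affected by the two limitations above, as an added example that is not part of the original page or of the fprint packages: it walks each service's PAM auth stack (following @include) and reports where a fingerprint module is active, whether a pam_unix.so password fallback follows it, and which password-dependent modules share the stack. The PAM files in SAMPLE are constructed, and treating pam_gnome_keyring.so and pam_ecryptfs.so as the keyring and ecryptfs unlock modules is an assumption about the installed stack.

```python
import re

FINGERPRINT = {"pam_fprintd.so", "pam_fprint.so"}      # real PAM module names
NEEDS_PASSWORD = {"pam_gnome_keyring.so", "pam_ecryptfs.so"}   # assumed unlock modules
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")   # type, control, module

def auth_modules(service, files, seen=None):
    """Modules in a service's auth stack, in order, following @include."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:     # include loop or missing file
        return []
    seen.add(service)
    mods = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments
        parts = line.split()
        if len(parts) > 1 and parts[0] == "@include":
            mods += auth_modules(parts[1], files, seen)
        elif (m := RULE.match(line)) and m.group(1) == "auth":
            mods.append(m.group(3).rsplit("/", 1)[-1])   # basename of module path
    return mods

def audit(service, files):
    """Findings for one service; empty list if no fingerprint module is used."""
    mods = auth_modules(service, files)
    used = [m for m in mods if m in FINGERPRINT]
    if not used:
        return []
    findings = [f"fingerprint auth via {used[0]}"]
    if used[0] == "pam_fprint.so":                  # shipped by deprecated libpam-fprint
        findings.append("deprecated module: move to pam_fprintd.so")
    if "pam_unix.so" not in mods[mods.index(used[0]) + 1:]:
        findings.append("no password fallback after the fingerprint module")
    findings += [f"{m} needs a password; a fingerprint login leaves it locked"
                 for m in mods if m in NEEDS_PASSWORD]
    return findings

SAMPLE = {  # constructed PAM files, keyed by service name
    "common-auth": "auth sufficient pam_fprintd.so\n"
                   "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
                   "auth optional pam_ecryptfs.so unwrap\n",
    "gdm": "auth requisite pam_nologin.so\n@include common-auth\n"
           "auth optional pam_gnome_keyring.so\n",
    "sudo": "auth sufficient /lib/security/pam_fprint.so  # deprecated module\n",
    "cron": "auth required pam_unix.so\n",
}

if __name__ == "__main__":
    for svc in ("gdm", "sudo", "cron"):
        print(svc, audit(svc, SAMPLE))
```

On a real system, build the dictionary from the files in /etc/pam.d instead of SAMPLE.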

gksu silently expects a finger swipe

gksu needs to be replaced with gksu-polkit to behave properly. At present it gives no indication that a swipe is expected, except that on at least some hardware the light on the reader illuminates.

fprint Supported Hardware

     045e:00bb        05ba:0007        08ff:2580
     045e:00bc        05ba:0008        08ff:5501
     045e:00bd        05ba:000a        1162:0300
     045e:00ca        061a:0110        138a:0001
     0483:2015        08ff:1600        147e:1000
     0483:2016        08ff:2500        147e:2016

Fingerprint GUI

Brings support for more hardware, and a few additional features, but is much less well integrated for setup.

The framework's code is GPL v3, but to support additional hardware it makes use of UPEK's closed source / binary blob libraries (BSAPI). The license agreement with that library is attached.

Supported Hardware

In addition to the fprint supported devices:

     0483:2015        147e:1002        147e:3000
     0483:2016        147e:1003        147e:3001
     147e:1000        147e:2015        147e:5002
     147e:1001        147e:2016        147e:5003

Legal Issues

Data protection laws in the EU do not seem to apply here. The laws concern the collection and transmission of data by officials without consent. Here the data is collected with consent and is not shared outside the system. It could be an issue if the home directory is on another system.

BluePrints/FingerprintAuth (last edited 2011-10-24 19:57:56 by gekker)