FingerprintAuthentication

Summary

Users should be able to use Fingerprint readers for authenticating themselves, using the BioAPI framework, for example for login or sudo. When not being used for login or sudo functions, the fingerprint reader should send scroll signals.

Status of Implementation

A BioAPI library implementation is available from Michael R. Crusoe's homepage, which also has a BioAPI PAM module.

The UPEK TouchChip (shipped with ThinkPads) offers a binary kernel module.

Gerard Klaver is working on a driver for Authentec fingerprint readers, see his page. When Authentec was contacted in January of 2006, they also stated that they were working on a linux driver, to be released within six months.

  • I contacted them too, after I read this page and because I will buy a Lenovo 3000 N100 soon. They told me "Authentec does not have a generally available Linux SDK at this time. Full support of Linux will be addressed in a future 2007 release." - I also looking forward to this, and its including into Ubuntu. If I can help somehow, for example testing sth. on my laptop, documenting sth. - then feel free to contact me! PS: Is there a launchpad group/project already for this?

Thanks to Andreas Grotz, the Authentec 2501 now has a working GPL driver that I could use to capture my fingerprint, see this. It would be great if this could be integrated in Edgy+1.

Clemens Schulz is also working on a driver, that was/will be(?) available here. See also this blog entry by Reinhard Tartler.

There is a project on gna working on the aes2501 here.

What about fprint? it already handles various fingerprint sensors and supports identification. Also, it seems easier than bioapi.

Status of Distribution Support

Debian packages for the BioAPI library are available from Michael R. Crusoe's homepage. The PAM module and the TouchChip drivers have not been packaged yet, various pages (ThinkWiki, linux.spiney.org) provide information on additional setup steps.

Plan of Action

I just finished creating Ubuntu packages for pam-bioapi and the upek BSP (Biometric Service Provider). They work with the bioapi 1.2.3 debian package from upstream. This is how I'd like to proceed for this:

Tasks:

  • build packages for bioapi (lots of patchwork expected)
  • upload working pam-bioapi and bioapi-bsp-upek packages
  • ask people to create bioapi-bsp-authentec package
  • be happy, dance in a circle
  • start documenting/fixing the rough edges
  • port the free thinkfinger driver to the bioapi interface to become a free drop-in replacement for the commercial driver

Potential security risks

As Ubuntu should provide a secure user experience, it show inform users about the potential risks of using a finger print:

  • Passwords are stored in your head - your finger print is stored on every surface you touched...
  • It is known, that finger print readers can be easily tricked, with faked finger prints, that were taken from surfaces.
  • Passwords can be changed - finger prints *not*

So finger prints should not be used on machines, that should be protected against illegal access. (Since the finger print is normally "stored" all over the keyboard).

US Export Rules

US Export Rules might come into play here. Basically, some parts might not be exportable from the United States. Read more at http://www.reactivated.net/weblog/archives/2006/10/fingerprinting-legal-issues-update/


CategorySpec

FingerprintAuthentication (last edited 2009-11-07 03:59:16 by jjardon)