Fingerprint Recognition with Linux & IBM's T42

Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"

Ahem, PAM

[nokilli]

I don't understand this. Isn't writing to PAM all you need to do to support authentication on Linux?

They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.

Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?

The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.

I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.

This is a really tricky problem.

I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.

Why can't that go into pam_finger.so?

Re:Ahem, PAM

[Libor Vanek]

Less lock in, since when the next generation of PAM killer comes along, the switch will be much easier.

That's stupid. There is nothing like "PAM killer" on the horizont in next 1-2 years! And there is no need for it - AFAIK PAM architecture is very clever and there are none "system design limitations" (but I'm NOT PAM expert - if I'm wrong, please correct me!)

Better portability to systems that don't use PAM. QNx, ReactOS, Windows, MacOS the world is a big place...

AFAIK MacOS is using PAM (or not?). And writing new API means that you've to transfer (and integrate it into existing) Windows/QNX... OS. The effort is much bigger then having "proprietary" library and just port it to Windows native login API/Linux PAM/...

More uses for the software. Maybe you can use this fingerprinter together with a Firefox plugin to slightly increse the security of your bank transactions?

WRONG! Just make FireFox PAM plugin and voila - you can use your "PIN pad" (if it has PAM plugin), fingerprint/face/voice/DNA/... recognition (just by having PAM plugin for this) out of box!

That wouldn't be a first

[JohnnyNoSPAM]

Linux frequently supports a lot of hardware out of the box. Some folks argue that there is better hardware support for Windows. And that is true in and of itself. However, how often when installing a Windows operating system do yo need a load of driver CDs to accompany the installation? In my experience: always, especially if there is additional hardware such as a printer. Linux, on the other, is frequently distributed with drivers for suppoorted hardware out of the box. What's better is that as Linux grows in popularity, so will the hardware support.

Anyone on breaking the biometric authentication?

[SpaghettiPattern]

Anyone on breaking the biometric authentication?

• Chopping off finger.
• Finger print out or finger skin resembling synthetic material.
• Looks easier that guessing passwds.
• How long before finger print kits appear in my Gmail->spam box?

So big brother will run on Linux...

[james_gnz]

I am reminded that when I was reading Stallman's The Right To Read [gnu.org] (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book [slashdot.org]), I wondered why it didn't include biometrics. That would have prevented the happy ending.

Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.

For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.

Password renewal

[CaxDot]

How on earth do I change my login data once it has been compromised? How do I randomly regrow a new fingerprint? Or retina?

Re:Ahem, PAM

[nathanh]

Yes it can.

I do it. (well more accurately I've done it. Having Openssh take care of it is better, IMO)

Silly person.

No, you just don't understand what is being discussed here.

auth required pam_nologin.so
auth sufficient pam_krb5.so forwardable
#auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so

That is not Kerberos Single Sign On. Read the man page for sshd_config, in particular the section on GSSAPI authentication.

Digital Persona Support

[sonixtwo]

I have had a Digital Persona Biometric Fingerprint scanner that I have been trying to get working for ages now. It works great in Windows, but I havent yet found a program to get it to actually perform in Linux. It is USB, and does get identified by hotplug. Digital Persona does provide an SDK for their devices. My opinion is Biometric authentication will be a pretty regular standard in the future.