Idea
#2: Fingerprint readers integration
|
|
This idea was marked as being in development the 18 August 08.
|
|
| |
1189
|
|
|
Written by stgraber the 28 Feb 08 at 12:13.
Category: System.
Related to:
Nothing/Others.
Status: In development
|
|
|
Description
Most business laptops and some of the end user ones too now include a fingerprint reader.
Those are perfectly possible to use on Linux either by using thinkfinger (IBM/Lenovo) or fprint (HP).
The various PAM modules for those should be installed by default or at least be easily installable and integrate correctly in the default desktop.
GDM, gksudo and the gnome screensaver would have to be modified in order to correctly support fingerprint readers.
That way the user would be able to login either by entering is password as usual or using his fingerprint.
Attachments
 Bug #138957 : (gutsy) lock screen doesn't support fingerprint readers driven by thinkfinger
|
|
Duplicates
Comments
 stgraber (Brainstorm admin) wrote on the 28 Feb 08 at 15:49
|
right, I filed this bug myself and did the packaging for Hardy.
Though the packages entered Debian's new while I was doing the packaging for Ubuntu. I then hoped to see Debian's one soon enough to just sync them but it was too late :(
So we'll have fprint in Intrepid for sure, now let's hope we'll have PAM and gnome integration for those tools too.
|
|
rainforest12 wrote on the 28 Feb 08 at 15:59
| |
yay, perhaps this is finally possible with the new gdm?
|
|
stgraber (Brainstorm admin) wrote on the 28 Feb 08 at 17:16
|
Last I checked, with fprint it just hangs waiting for a fingerprint.
Then once it detected the fingerprint it displays the "Please use your fingerprint reader" message.
There is no way to enter the password instead of the fingerprint, you basically have to give it a wrong fingerprint to have it asks for the password.
|
|
jjongsma wrote on the 28 Feb 08 at 17:45
| |
Smartcards also. I imagine it requires many of the same changes to GDM, etc - replacing either the username or password prompt with a separate device input.
|
|
gaboo wrote on the 28 Feb 08 at 20:36
|
Would be awesome !
Please don't forget kubuntu integration too :)
|
|
Jstone wrote on the 29 Feb 08 at 00:30
| |
gnome-keyring needs to be modified, too. It doesn't use PAM, so it won't accept fingerprint input.
|
|
in4mer wrote on the 29 Feb 08 at 02:16
|
It bears repeating that the judicial system has up 'til now regarded compulsory passphrase discovery as self-incrimination, and therefore illegal. However, the judiciary has also made it clear up to this point that compulsory furnishing of biometric identification in order to reveal hidden or encrypted data to NOT be self-incriminatory, and therefore not protected.
tl;dr if this is done, pls give an option of biometric AND passphrase for authentication.
thx.
|
|
johnpro wrote on the 29 Feb 08 at 02:57
| |
If you have a thinkpad laptop you just need to install thinkfinger. If you don't have a thinkpad laptop then I am sorry but I can't help you.
|
|
jldugger wrote on the 29 Feb 08 at 05:56
|
Scott Remnant is working on bringing thinkfinger into main for hardy. Despite the name, it supports many laptops with a specific set of UPEK fingerprint readers. It works with my Toshiba laptop, and presumably will work with Dell laptops in the future.
Thinkfinger itself is dying out and will slowly be replaced by fprint as it improves. As for default configurations, it's a very tricky business. Some people want secure by default (ie biometric and passphrase authentication) and others want to substitute print scans for passwords entirely.
However, you can't easily encrypt data with thinkfinger, for the same reasons you can't unlock the WEP/WPA passwords NetworkManager stores in gnome-keyring.
|
|
keybuk (Brainstorm admin) wrote on the 29 Feb 08 at 12:04
| |
Actually, I'm looking at both thinkfinger and fprint
|
|
rawsausage wrote on the 29 Feb 08 at 22:28
|
I am seriously against this idea because 90%+ of these fingerprint readers are exploitable and hackable. They give false sense of security to their users and are plainright dangerous in case of someone really believing that they can not be fooled.
|
|
spiderpig wrote on the 1 Mar 08 at 09:39
| |
rawsausage is right: It is moronic to believe that a fingerprint reader in a device that has your fingerprints all over it can protect you.
|
|
Miyamoto wrote on the 1 Mar 08 at 20:08
|
I'd like to voice against the inclusion of a fingerprint authentication into the standard distro.
Rationale: As Starbug from Chaos Computer Club, Berlin, Germany outlined in detail on the yearly Chaos Cummunication Congress in 2006 and 2007 there is currently NO safe fingerprint reader device - ALL of them can be exploited easily if you know how. One needs a little tinkering and a few thing from your local hardware store...
A few links:
An article regarding fingerprint sensors in the supermarket
http://www.ccc.de/updates/2007/umsonst-im-supermarkt?language=en
Video-Tutorial - howto forge a fingerprint
ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg?language=en
|
|
ethana2 wrote on the 2 Mar 08 at 06:56
|
We need a graphical frontend for PAM. Eventually, the following methods should be implemented:
recognition of--
fingerprint
face (flip open the laptop, hit a button, smile, log in)
voice
signature
retina (far off, but when we get there, well, just add it)
and of course, the mainstay of security:
password
(and the power button...)
These need to be able to be used in any permutation.
|
|
hspaans wrote on the 2 Mar 08 at 18:46
| |
Why authenticate with something that you leave on every desk, cup, door? Say anything you touch?
|
|
stylewarz wrote on the 4 Mar 08 at 14:39
|
First, because it's slick. Second, because it's faster. Third, because with a thermal fingerprint scanner it's harder to make a copie of a fingerprint.
I'm using Kubuntu on my Dell XPS M1330. Fingerprint works for login and console. But in KDM it does not show that you should swipe the finger and you have to go to the username, press enter an then the fingerprint works. So it's kind of a hassle at the moment.. KDM Fix would be nice. Under GDM it works fine
|
|
deejross wrote on the 4 Mar 08 at 18:46
| |
I'm on the fence about this one. Fingerprint identification is slick and useful, but only when physical security is high. It takes an hour or two to copy someone's fingerprints. It could take hundreds of years to crack a good password. Therefore, if fingerprint security is allowed, it should be made clear to the user that it is still better to use passwords instead.
|
|
centx wrote on the 4 Mar 08 at 23:57
|
+1 for ethana2.
Develop for the future i say. Include it by default, and have passphrase + print by default, and make it easy to disable the passphrase.
This way users has only themselves to blame if all goes /b/
|
|
konig12 wrote on the 5 Mar 08 at 06:04
|
In response to concerns about security of fingerprints, I for one am not concerned with security of my machine at the local level. I know the people that would have access to the computer, and I trust them not to go out of their way to forge a print. In this kind of case, the fingerprint functionality makes a lot of sense.
If you want to disable the feature by default, that is fine with me. Give a warning about these concerns even, but the problem that needs to be addressed is that currently it is not possible to use these scanners without bugging out other programs (ie. gksu).
|
|
efernandespt wrote on the 10 Mar 08 at 17:27
| |
Yeah! I have a U. Are U. and cannot use it with my Ubuntu
|
|
Eldmannen wrote on the 12 Mar 08 at 23:21
| |
Please not only fingerprint, but also voice, eye, smart card, etc.
|
|
ariendj wrote on the 16 Mar 08 at 01:01
|
Biometrics = The Emperor Wears No Clothes
Biometric scanning will give any n00b the idea that his machine is super-safe (it's tech from a sci-fi movie after all and it worked fine there), when in fact the very opposite is true.
rawsausage, spiderpig and hspaans made the point quite clear that fingerprint reading is a moronic idea. If you like low security, go the autologin route. At least you'll know for sure that your machine is a free for all without a false sense of security.
Thermal fingerprint scanners are just as useless as any other form.
Check out the fine links Miyamoto put up there. Essential info IMHO.
Eyescanning or a voice-print make no sense at all from a security standpoint either. Way too complex and therefore way too easy to beat.
Smartcards however deserve support.
|
|
ay wrote on the 20 Mar 08 at 05:30
|
I like the fingerprint reader. My take on it is this: if you want to log in remotely (via ssh) then you'll need your public key in my authorized_keys or maybe a password. If you already have physical access to my laptop, then all bets are off and defeating the fingerprint is only going to slow you a tiny bit (you can just remove the hard disk, etc). Since I don't care about what happens once you have physical access to the laptop, I prefer to have the convenience of the fingerprint reader as well as the option of using it when someone is sitting next to me on the train and watching me type passwords.
What I'd like to see is better integration: right now I still have to type my name, but I'd like to just swipe my finger, have the appropriate thing in pam, via, thinkfinger, figure out if it matches a registered user, and go from there (this is the behavior in Windows, I have heard). Currently, you type your name, then swipe your finger for the password. The thinkfinger site says that they're working on this for the future, which is great.
|
|
Eldmannen wrote on the 20 Apr 08 at 20:55
| |
Yeah, this is cool, I saw it in movies! :D
|
|
emilpavlov wrote on the 1 May 08 at 08:59
| |
Some of you confuse what this idea is about. I also think that fingerprints are more insecure than passwords, but that is not the point. To get your fingerprint working you have to struggle for more than an hour. I don't think that Linux for human beings should ensure user security in this way. Instead, it should have full support for fingerprint readers and they should be easily activated after the risks are explained to the user.
|
Post your comment
|
|
|
Blueprint fingerprint-authentication:
