A word of warning first: biometrics is all sexy and hawt and touted as the final security solution. Unfortunately, it's not. Perhaps you recall when grocery stores started using fingerprint scanners, and people couldn't get into this new unproven system quickly enough. Why is it they will not trust a lawyer's or accountant's advice, but will blindly trust a retail store with their fingerprints? I remember when Thriftway rolled this out in Seattle some years ago; the Seattle P-I tells the tale:
"The main thing is, it's fast, it's easy, and it's secure," says Paul Kapioski, West Seattle Thriftway owner." ... "It takes about one minute to enroll," ... Employees underwent 15 or 20 minutes of training in the system this week."
This could be made into a party game--how many holes can you poke in this "security" scheme in 30 seconds? Ready? Start:
- How hard do they work to verify identity when customers sign up the first time?
- It's easy to forge a fingerprint
- Once it's compromised, how many more fingers can you grow?
- What sort of ninjas are storing and protecting the scans?
- Overworked, underpaid, undertrained retail clerks are just the people you want on the security front lines
- The bad guys will cut off your fingers
$ tar zxvf thinkfinger-0.3.tar.gz
Then run these commands to compile and install it:
$ ./configure --with-securedir=/lib/security \
    --with-birdir=/etc/pam_thinkfinger
$ make
# make install
# modprobe uinput
Now you can test it. Run this command:
# tf-tool --acquire
[...]
Please swipe your finger (successful swipes 0/3, failed swipes: 0)...
Snug your finger into the little indent above the scanner, and slowly draw your finger across the scanner. You need three successful scans. The scan will be stored in /tmp/test.bir. Now you can test it. Run this command and swipe your finger, again slowly:
# tf-tool --verify
Result: Fingerprint does match
# mkdir /etc/pam_thinkfinger
# tf-tool --add-user carla
ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig
Initializing... done.
Please swipe your finger (successful swipes 3/3, failed swipes: 6)... done.
Storing data (/etc/pam_thinkfinger/carla.bir)... done.
Configuring PAM is always a heap o' fun. On Debian, the Buntu family, and most Linuxes, add these lines to /etc/pam.d/common-auth before any other pam_unix lines:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass
For Fedora, PCLinuxOS, and the rest of the Red Hat extended family, add them to /etc/pam.d/system-auth. SUSE goes its own way entirely. Add uinput to /etc/modules, or whatever your system needs to load modules at boot, and reboot.
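What the two auth lines above mean in practice, as an added example (not code from the original article or from the ThinkFinger project): a simplified model of how PAM evaluates the sufficient, required and requisite control flags, showing that a matching swipe alone passes the stack. BOTH_REQUIRED is a constructed comparison that the article does not describe or test, and the function names are hypothetical.

```python
# Simplified model of PAM control flags; real PAM has more flags and return codes.
PAGE_STACK = """\
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass
"""
# Constructed for comparison only; the article does not describe or test this variant.
BOTH_REQUIRED = """\
auth required pam_thinkfinger.so
auth required pam_unix.so try_first_pass
"""

def parse_auth_stack(text):
    """Return [(control, module)] for the auth lines of a pam.d-style file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True if that module would succeed."""
    failed = False      # some required module has failed
    succeeded = False   # some required/requisite module has succeeded
    for control, module in stack:
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not failed:
                return True               # stop here: later modules never run
        elif control == "requisite":
            if not ok:
                return False              # fail immediately
            succeeded = True
        elif control == "required":
            succeeded = succeeded or ok
            failed = failed or not ok     # keep going, but the stack will fail
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return succeeded and not failed

def report(text):
    """Stack result for each combination of (fingerprint ok, password ok)."""
    stack = parse_auth_stack(text)
    cases = {"finger only": (1, 0), "password only": (0, 1), "neither": (0, 0), "both": (1, 1)}
    return {name: evaluate(stack, {"pam_thinkfinger.so": bool(f), "pam_unix.so": bool(p)})
            for name, (f, p) in cases.items()}

if __name__ == "__main__":
    print("page stack:   ", report(PAGE_STACK))
    print("both required:", report(BOTH_REQUIRED))
```

With the article's stack the fingerprint is an alternative to the password, not a second factor, so the account is only as strong as the weaker of the two.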
Now what happens? My T61 runs PCLinuxOS, and the graphical login manager has absolutely no clue about fingerprint readers. kdesu doesn't know what to do with it, either. So I can't log in to a graphical session with my fingerprint. However, at the console prompt I got this:
PCLinuxOS release 2007 for i586
Kernel 22.214.171.124.tex1 on a Dual-processor i686 /tty4
ripley login: carla
Password or swipe finger:
Hurrah! And it worked. It's still a baby and has a lot of growing up to do, so please visit Resources for more help and updates. ThinkFinger needs more PAM modules to make it work with different types of authentication and applications, so if you're looking for a FOSS project to support, that would be a good one.
- "How to enable the fingerprint reader with ThinkFinger" links to a video tutorial for forging fingerprints
- Install ThinkFinger on Ubuntu
- Bug 116682: Support fingerprint reader login in kdm