BioAPI and networks

Bill McGonigle bill at bfccomputing.com
Thu Feb 1 10:24:05 EST 2007 

On Jan 31, 2007, at 12:26, Thomas Charron wrote:

>  What I'd LIKE to be able to do is have Samba or some other  
> authentication
> server for network based authentication without having to individually
> enroll fingerprints to each Windows laptop, as well as enroll them  
> under
> Linux.
>
>  Anyone have any experience with this?

I looked into this enough to decide not to do it.  It's not  
impossible, just too hard to be worthwhile.

Rarely does anybody store an image of a fingerprint and do an image  
comparison for authentication.  They do feature extraction, and then  
a fuzzy match.  You tune the fuzzy match for your preferred false  
positive/false negative rate.  Most vendors have their own algorithm,  
so interop is hard (at least a few years ago).  That part killed it  
for my project.

Feature extraction is also good for privacy concerns.

>  Looking into it more later on tonight.  Just too addicted to a simply
> finger-swipe to authenticate locally.

Remember, any good authentication system consists of two of the  
factors: (something you have, something you know, something you  
are).  Single-factor authentication is typically easily defeated.

For instance, if you have a laptop with a fingerprint reader, odds  
are pretty good somebody can create a false finger from another print  
on the case for about $10 (cost, not what the 'recover' expert will  
charge you).  The easy technique uses fingerprint dust, a digital  
camera, photoresist etching on a pcb blank, and some gelatin.

A fingerprint with a PIN is much much better.  If you have a 5-digit  
PIN and a 4-strikes-and-you're-out password policy, the odds are only  
1 in 2500 that someone with the above gear can get into the computer.

Assuming you've got hardware support and can't pull the drive, but  
that's a different thread.

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

More information about the gnhlug-discuss mailing list