BioAPI and networks

Thomas Charron twaffle at gmail.com
Thu Feb 1 10:48:50 EST 2007


On 2/1/07, Bill McGonigle <bill at bfccomputing.com> wrote:
>
> On Jan 31, 2007, at 12:26, Thomas Charron wrote:
>
> >  What I'd LIKE to be able to do is have Samba or some other authentication
> > server for network based authentication without having to individually
> > enroll fingerprints to each Windows laptop, as well as enroll them under
> > Linux.
> >
> >  Anyone have any experience with this?
>
> I looked into this enough to decide not to do it.  It's not
> impossible, just too hard to be worthwhile.
>
> Rarely does anybody store an image of a fingerprint and do an image
> comparison for authentication.  They do feature extraction, and then
> a fuzzy match.  You tune the fuzzy match for your preferred false
> positive/false negative rate.  Most vendors have their own algorithm,
> so interop is hard (at least a few years ago).  That part killed it
> for my project.


  In my case, we're all using the same readers, so I think it's a bit easier
for me.


> Feature extraction is also good for privacy concerns.
>
> >  Looking into it more later on tonight.  Just too addicted to a simple
> > finger-swipe to authenticate locally.
>
> Remember, any good authentication system consists of two of the
> factors: (something you have, something you know, something you
> are).  Single-factor authentication is typically easily defeated.
>
> For instance, if you have a laptop with a fingerprint reader, odds
> are pretty good somebody can create a false finger from another print
> on the case for about $10 (cost, not what the 'recover' expert will
> charge you).  The easy technique uses fingerprint dust, a digital
> camera, photoresist etching on a pcb blank, and some gelatin.
>
> A fingerprint with a PIN is much much better.  If you have a 5-digit
> PIN and a 4-strikes-and-you're-out password policy, the odds are only
> 1 in 2500 that someone with the above gear can get into the computer.
>
> Assuming you've got hardware support and can't pull the drive, but
> that's a different thread.
>

  Unfortunately, I may have to fall back to just using plain old passwords,
because I can't really find much information on doing ANYTHING beyond local
authentication.  One option was to have a method for the local system to
pull the authentication information from the network, (it can be dumped from
the reader to a file easily), and 'reimport' them, so each machine would
have identical bio enrollments.  This DOESN'T, however, get me anywhere near
my single sign-on with a fingerprint.  Still looking around here and there
between breaths.

-- 
-- Thomas