Authentication with biometrics
proactive
February 19th, 2002, 04:35 PM
Hi all!
I'm working on a project where I use fingerprints for authentication on the internet instead of passwords. This is what happens: Someone accesses my web-site. To log on they put their finger on a fingerprint-pad and then some pre-installed software sends the whole fingerprint to my server for authentication. The transmission is encrypted using PKI. If OK, they gain access to an extranet.
Many applications use biometrics for authentication, but I think mine's a little different. Other apps map the fingerprint against a password on the client, and then send the password for authentication on the server. But I use a centralized database of fingerprints.
What I need to know is if there are other solutions similar to mine that you know about. I've searched the net and haven't found anything (just the apps that map to passwords). Perhaps some of you can help me out? Thanks!
souleman
February 19th, 2002, 07:30 PM
Just out of curiosity, how big of a file is a fingerprint? If I remember correctly, they can be quite large if you want a lot of detail (which is required for good security). I am not sure if my shared 56k modem could handle logging on to your system. That is why most companies send an encrypted password derived from the fingerprint, instead of the fingerprint itself.
BrainStop
February 19th, 2002, 07:42 PM
Proactive,
I don't know if you are interested in the commercial side of things, but I believe that SecuIT, a Korean company, does something similar. They are specialized in biometrics applications. You can find them on the web at:
SecuIT (http://www.secuit.com)
Cheers,
BrainStop
micael
February 19th, 2002, 07:46 PM
I have only a few interesting links you can try out; it's mainly about authentication against your local workstation from a server, and a link to a developer site (huge amount of different information and links). Hope you'll find something of interest.
SAF link (http://www.saflink.com/)
Alphabetical List of Security Developer's Kits (http://www.timberlinetechnologies.com/products/devkit.html)
Alphabetical List of Biometric Authentication Products (http://www.timberlinetechnologies.com/products/biometric.html)
proactive
February 19th, 2002, 07:50 PM
The fingerprints are about 60 KB. There are a number of reasons why most companies send passwords instead of fingerprints. As you can imagine, comparing pictures in a database will slow it down if there are a high number of different pictures. Also there are legal issues: am I allowed to store other people's fingerprints? A fingerprint is a very personal thing, much like a social security number or other identification. And you only got 10 fingerprints, so what if I lose one of your fingerprints? You only got 9 left. But these issues are not the scope of my project. :) If only I can make a solution that works, I'll be more than happy!
BTW, the equipment I'm using can be found on www.precisebiometrics.com. They deliver the fingerprint-pad and an SDK for developers.
BrainStop
February 19th, 2002, 07:54 PM
Your best bet is not to start worrying too much about legality at this stage. If all developers thought about the full legal aspects during the development phase, I think we still would be in the iron age.
I would think that anyone who wants access to your site willingly gives you a copy of their fingerprints. Thus, you obtained the information legally. If you want more protection, make them sign a statement that they have given you this information for identification purposes from their own free will.
Also ... avoid selling the information ;)
Cheers,
BrainStop
proactive
February 19th, 2002, 08:17 PM
Thanks for the links (now I got some reading to do) and taking interest in my project!
gold eagle
February 19th, 2002, 08:24 PM
sounds really interesting. Let us know how it turns out.
iNViCTuS
February 19th, 2002, 08:38 PM
Biometrics is kind of cool, but there is only one prob. It would never work for web authentication because it requires everyone wanting to use it to have a fingerprint scanner. Which can be very expensive and will definitely not happen in the near future. It does have some pretty good uses though. Like physical security access.
BTW....the product you described sounds like the NEC biometrics product. If it isn't, check out NEC. They have had the fingerprint DB technology available for years.
I know quite a bit about biometric technology, if you have any questions, please just ask here or email me if you wish.
KorpDeath
February 19th, 2002, 08:43 PM
How about Ethentica? We've been testing their stuff and it seems pretty solid.
www.ethentica.com
(That means it hasn't crashed a system or locked me out)
Focmaester
February 21st, 2002, 03:42 PM
Biometrics suck. During HAL 2001 I was at a presentation about biometrics and we ended up discussing with PGP's Phil Zimmermann ways of exploiting it.
The researcher who did the presentation said that there is a 75% chance that fingerprinting can be fooled. He had some fingerprints taken from people and made some molds with wax/latex and it worked in many cases.
His research came to the conclusion that biometrics (for now) won't work 100%.
There would have to be a human (guard) standing at the authorization pad to see if the person isn't using someone's fingerprint. Phil Zimmermann said that with the right tools, if Proactive has a couple of drinks with me, I could take off his prints from the glass and have a 75% chance of rooting his system.
I will try and get you guys the StarOffice presentation, it's really interesting.
BrainStop
February 21st, 2002, 03:48 PM
While I agree with Focmaester that fingerprinting will not be a 100% secure identification method, it must be said that no system is ever 100% secure.
It's all a question of using combinations of systems. For example, you could add a retinal scanner to the fingerprint. Or you could ask for a password on top of it. So not only would you need to get Proactive's fingerprints on that beerglass, but you'd also need to steal his eye and get him to give you his password.
There might also be ways to avoid the use of latex. Could a temperature sensor or such indicate the possibility that the fingerprint reader is not in direct contact with skin?
Besides, many methods will fail against social engineering ...
Anyway, security is always a complete package, not just one method.
Just my take on it ...
BrainStop
rcgreen
February 22nd, 2002, 01:03 AM
What's to keep me from having a file containing valid
biometric data that I have created/hacked/stolen,
and uploading it for validation.
Once biometrics come into widespread use for
access to protected sites, tools for bypassing
the fingerprint scanner will be the first tools
to appear.
I can't see how they can tell whether you really
put your finger on the scanner, or just uploaded the data.
Then it's just a matter of stealing someone's fingerprints,
or, once you know the format, generating plausible ones.
:cool:
Focmaester
February 22nd, 2002, 01:08 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=219535#post459276) by BrainStop
While I agree with Focmaester that fingerprinting will not be a 100% secure identification method, it must be said that no system is ever 100% secure.
It's all a question of using combinations of systems. For example, you could add a retinal scanner to the fingerprint.
BrainStop
Retinal scan hasn't been proven to work 100%. If you used to wear contacts, you build up a certain scarring that will heal and go away. But it's still inaccurate.
But the password idea, I think that's a lot better.
proactive
February 22nd, 2002, 09:46 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=219535#post459616) by rcgreen
What's to keep me from having a file containing valid
biometric data that I have created/hacked/stolen,
and uploading it for validation.
That can be done, but it's very difficult. I don't think you would be able to create a valid fingerprint, that sounds impossible. It's like figuring out a 200 character password. But of course you could hack my database and steal all its contents. But actually I don't store images of fingerprints, what I do is use a technique that disassembles the fingerprint and finds the characteristics of it. This is an old technique developed by the FBI in the 70s and it's improved further since then. The disassembling is done on the server, so you have to send an image of a fingerprint.
I guess you could try to reassemble the fingerprint from the characteristics, reverse engineer the technique, but that is a difficult task. But if this FBI technique is going to be a standard for fingerprint biometrics, someone is going to make tools that will do this.
iNViCTuS
February 22nd, 2002, 04:16 PM
The thing that everybody is forgetting here is that it is not just the fingerprint image that is doing the authentication. It is a combination of factors including heat and pressure sensitivity on the fingerprint scanner itself. Therefore, even if you were able to get a fingerprint image, and break the encryption, it would still not do you much good.
There are still some improvements to be made in the biometrics arena, but most are not involved with the validity of the authentication method itself, but are related more to the speed of authentication since these images can get relatively large (compared to a password) and DB queries can take quite some time. Up to a minute or more in some cases.
The other drawback of biometrics is that it requires client side hardware. There will probably never be a time where the world goes to all biometrics, but it does have a very good fit in some scenarios. For example, how about for verifying memberships at a health club instead of carrying around a card all the time.
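Added example, not code from any poster in this thread: rcgreen's question (how can the server tell a live scan from an uploaded file?) is commonly answered by binding each capture to a one-time server challenge, so a stolen or recorded upload cannot be reused even though the transport is encrypted. The per-scanner secret key, the device id `scanner-01`, the 60-second lifetime and all class and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 60  # seconds a challenge stays valid (assumed value)

def sign_capture(key, nonce, sample):
    """Scanner side: MAC over the server's fresh nonce and a hash of the capture."""
    digest = hashlib.sha256(sample).digest()
    return hmac.new(key, nonce + digest, hashlib.sha256).digest()

class Verifier:
    """Server side: issues one-time challenges and checks scanner responses."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # device id -> key (hypothetical provisioning)
        self.pending = {}               # outstanding nonce -> expiry time

    def challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, device_id, nonce, sample, tag, now=None):
        now = time.time() if now is None else now
        expiry = self.pending.pop(nonce, None)  # pop makes every nonce single-use
        if expiry is None or now > expiry:
            return "rejected: unknown, reused or expired challenge"
        key = self.device_keys.get(device_id)
        if key is None:
            return "rejected: unknown device"
        if not hmac.compare_digest(sign_capture(key, nonce, sample), tag):
            return "rejected: bad tag"
        return "accepted for matching"  # only now run the fingerprint comparison

def demo():
    key = secrets.token_bytes(32)               # constructed scanner key
    server = Verifier({"scanner-01": key})
    sample = b"constructed fingerprint image"   # constructed sample data
    nonce = server.challenge()
    tag = sign_capture(key, nonce, sample)
    first = server.verify("scanner-01", nonce, sample, tag)
    replay = server.verify("scanner-01", nonce, sample, tag)  # same upload again
    return first, replay

if __name__ == "__main__":
    print(demo())
```

This only shows that the data came from a keyed scanner in answer to a fresh challenge; it does not detect a latex copy pressed on a genuine scanner, which is the liveness problem discussed earlier in the thread.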