Fingerprint scanners are becoming more commonplace, especially on laptops,
to add a layer of biometric authentication. Linux support for these devices has been
somewhat varied, with each scanner model supported by its own driver
and API, or not supported at all. In addition, a number of the drivers are
closed source; something that should worry anyone installing security
software. The fprint
project aims to change that by providing a standardized API for as many
different scanners as it can.
Born out of a Computer Science academic project for founder Daniel Drake,
fprint was released this month under the LGPL. Unlike other scanner projects,
fprint is not targeted at a specific device, it
quite a few using a half-dozen or so different drivers. The drivers, as
the name would imply, handle the low-level details of talking to the devices
Fingerprint scanners all work differently; some process the image of the
print internally, while others present the image to the driver. In order
to have a standard API, regardless of the scanner used, the libfprint
library handles those differences internally. If required, it uses
code from the US National Institute of Standards and Technology that is
specifically designed for fingerprint matching.
In order to use fingerprints for authentication, there must be a training
or enrollment mode where the scanned fingerprint is stored away for later
use. Once that has been done, fingerprints can be verified for a particular
user. fprint does not yet support identification mode, where an unknown
finger is scanned and a database of stored prints is checked for a match.
The current code requires a username or other identifier, comparing the
print stored for that user with the one scanned.
Because it handles multiple devices, there could be occasions where there
is a print stored for a particular user, but it was scanned with a different
device. Some fprint drivers can handle multiple similar scanners, so it
distinguishes between them using a device type assigned by the driver. It
tags each stored print with the driver ID as well as the device type. To
be comparable, the
prints must have come from the same driver with the same device type.
Application writers do not want to have to interface to multiple different
library APIs to support fingerprint authentication. The
provides a single interface for applications. All phases of dealing with
the scanners are available through the API: device discovery, print
enrollment, print discovery, and verification. In addition,
has integrated with Pluggable Authentication Modules (PAM) to handle logging
in via fingerprint instead of password.
There are other projects out there solving similar problems, but none seems
to have taken the big picture view that fprint has. The Debian FingerForce
team has gathered a list of
Linux fingerprint scanning solutions, most of which are specific to a
particular scanner or family of scanners.
BioAPI also tries to abstract away the
specifics of biometric authentication, but it is not a free standard.
By trying to support as many scanners as they can, while providing a generic
interface, fprint seems to have the right approach to fingerprint
authentication. There is still plenty to be worked on, fingerprint data
is currently stored unencrypted for example, but the approach seems sound.
For anyone with a scanner on their laptop, or a USB version that they carry
around, applications supporting fprint will be very welcome. Anyone creating
software that is interested in supporting fingerprint authentication, will
definitely want to give fprint a look.
to post comments)