22

I'm making a web application and would like to have a secure area where you can only sign in with your fingerprint. My original idea was to just use a USB barcode reader: you scan that, and it outputs the ID into a text box, but that's not very secure. So I want to use a USB fingerprint reader to maybe generate a hash for each person and store that in a text box instead, which will then be checked against a database with everyone's hash value. Does anyone know if there is a fingerprint reader out there that can do this, or of a way I can easily integrate a reader into a website?

EDIT: The idea for this website is that it's like a login system (sort of like how you can clock in and out if you get paid hourly). The idea is that no one can sign someone else in and out. If you just use a password, then someone can just tell their friend the password, who can type it in. That's why I thought of a fingerprint, or something similar... I'm open to other suggestions.

Also, I'm using PHP

EDIT 2: The basic idea is I have to come up with a way to prove someone was there by checking in. I don't want to use passwords, because then someone can just tell someone else their password to type in. Any other suggestions? It doesn't have to be fingerprints.

Bill
  • Long shot, but maybe you could look in the direction of ActiveX? It would have to take the print client side, then I guess you could upload this to the server to verify it? – Mr Shoubs Nov 12 '10 at 22:39
  • For anyone saying "it's not possible", I disagree because I have seen it with my own eyes today in a governmental institution here in Istanbul: they took my biometrics using a biometrics reader connected to a regular Windows PC, and the app they were running was a regular webpage running in Google Chrome. – Normal Nov 25 '22 at 16:06
  • Here's a reference written on 11 Nov 2022 for anyone who might find this useful: https://stackoverflow.blog/2022/11/16/biometric-authentication-for-web-devs/ – Normal Nov 25 '22 at 16:09

6 Answers

20

Biometrics are a very bad way to do authentication for many reasons:

  1. They're essentially just a password that you can never change. (At least not without some serious pain!) With traditional password schemes, if your password gets stolen or guessed, you can at least change it. But if someone steals your fingerprint, now what are you going to do?
  2. Biometrics are not secret. Every time you touch something, you're leaving your password lying around. Every time your picture gets taken, your facial image / retinal image gets copied. Passwords have to remain secret to be useful.

  3. Like Borealid said, Biometrics are never scanned exactly the same twice. So when you do matching, there has to be some kind of fudge factor in allowing input. This:

    1. Just makes it easier for attackers to copy your data and replay it, since they don't have to get an exact match. An attacker only has to get close to get accepted.

    2. It forces the authentication server to store your biometric info in plaintext. You can't hash biometric data like you can passwords, since then you'd have to match exactly with the hashed value.

So don't do it!

Mohayemin
AltF4
  • I think biometric is still useful as a factor in multi factor authentication. – Mohayemin Feb 28 '18 at 09:04
  • I think if a person can copy a fingerprint, then a password too. It's not about the fingerprint data being insecure, but how it has been handled online. If the information from the scanner to the server travels securely with multilevel protection as explained in http://camsunit.com/application/html-based-fingerprint-scanner-for-website-authentication-and-attendance.html, it would be more secure than the password, I believe. – Ravanan Sep 15 '18 at 16:57
18

You can't do what you want, exactly.

Fingerprints never exactly match. Even if you scan your own right index finger twice in a row, the scans won't be the same. So "hashing the fingerprint" won't work - two hashes of the same finger would be indistinguishable from two hashes of two different fingers (with a good, cryptographically strong hash).

Fingerprint readers work by storing some key onboard, and letting that key out if and only if the fingerprint given is close enough to what they expect. The fingerprint itself is not used to get direct access to anything outside the reader.

Sending the fingerprint as seen by the reader over the network is not acceptable - people are nervous about giving their prints to police. You think they'll be OK giving them to you?

Also not acceptable is having the reader say "finger 2 is OK". This could be easily spoofed.

Instead, have your user use X.509 (SSL) client certificates to access your site. They may, if they wish, control access to their private key via the fingerprint reader.

EDIT: updating this answer. There is, now in the year 2014, a standard from the FIDO Alliance called "UAF" which allows sites to use fingerprint authentication in a way that works across different sites. Rumor has it PayPal is going to begin using it soon.

Borealid
  • That would be fine if it outputs a key after the fingerprints match (or close to it) it's just that no one can know that key except the database will have to match it (See my edit above) – Bill Nov 12 '10 at 22:43
  • And I agree, people wouldn't want to share their fingerprints, that's why I was thinking a hash because that would be a number and wouldn't mean anything to anyone except for the database doing the authentication. But I see what you're saying about them not matching – Bill Nov 12 '10 at 22:45
  • @Phil: Use a smart card. They are designed for what you're trying to do. – Borealid Nov 12 '10 at 22:46
  • "Fingerprints never exactly match." I think that this problem can be fixed by using some form of error correction before hashing. – CodesInChaos Nov 12 '10 at 22:52
  • @CodeInChaos - the problem with a hash is that a tiny difference in the input makes the output change completely, to something unrecognizable. You can't just blur the fingers and hash that. – Borealid Nov 23 '10 at 03:17
  • Of course you need to do the error correction before hashing, and not afterwards. I think error correction on the input should work. After the original measurement you create some error correction bits which the user can apply to his measurement to make all measurements that were close enough to the original measurement identical to it. The user applies this error correction before hashing. – CodesInChaos Nov 23 '10 at 09:06
  • @CodeInChaos: If you have an algorithm which will make two scans of the same fingerprint be bit-for-bit identical while making two scans of different fingers remain different, you've got an algorithm for making two different pictures of the same thing bit-for-bit identical. You should go sell that - it'd be really useful for, as an example, identifying people's faces in a video stream. – Borealid Nov 24 '10 at 00:09
  • You need to apply the error correction after extracting the features, and not before. So it only solves the hashing problem, and doesn't offer any new recognition techniques. One simple example could be your recognition software returning an n-dimensional vector, and then you want to recognize this as valid if each component is within a certain interval of the known good vector. In this case you can apply error correction codes to the measured vector to make it identical to the known good vector. – CodesInChaos Nov 28 '10 at 11:05
  • @CodeInChaos: Storing/comparing a representation of fingerprint features instead of the actual prints doesn't work because there are combinatorically many different ways to compare two prints. If there were a single "canonical" vector representation of a print, don't you think the police (and programs like Clear Registered Traveler) would use that, rather than having a lengthy and computationally difficult search through a database for a print match? Find me someone who's done what you're suggesting, or even a research paper suggesting it's possible. There are none. – Borealid Nov 28 '10 at 16:38
4

Biometry for remote authentication is never secure. You can't know if a real finger with that fingerprint is in a reader, or if the user only sends you an image. So a fingerprint just becomes a password the user can never change, which is the same for every service you log in to, and which is left on every object the user touches.

Biometry can only work for local authentication where you trust the reader not to be hacked (i.e. you have physical control over the reader) and the reader can distinguish a real finger/eye/... from a fake one. Which most can't.

It is possible to create a one-way hash of a fingerprint. You first have to extract a number of observables, just like you might do for a fuzzy match. But since you need an exact match for a hash, you need to throw error codes at the values you extracted, which then can correct the minor differences on each measurement. It's not easy to code and it doesn't fix the fundamental problems listed above, but it should be possible.

CodesInChaos
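The two positions argued in the answers above (a plain hash of two scans never matches; error-correct the extracted features first, then hash) can be compared side by side. This is an added example, not code from any poster: the 40-bit feature vector is constructed, and the repetition code and the `enroll`/`verify` names are assumptions chosen for brevity.

```python
import hashlib
import secrets

R = 5  # repetition factor: each 5-bit block tolerates up to 2 flipped bits

def encode(bits):
    """Repetition code: repeat every secret bit R times."""
    return [b for b in bits for _ in range(R)]

def decode(bits):
    """Majority vote over each block of R bits."""
    return [int(sum(bits[i:i + R]) > R // 2) for i in range(0, len(bits), R)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def flip(bits, positions):
    """Simulate measurement noise by flipping the bits at the given indexes."""
    return [b ^ int(i in positions) for i, b in enumerate(bits)]

def enroll(features):
    """Return (helper, tag); only these are stored, never the features."""
    secret = [secrets.randbelow(2) for _ in range(len(features) // R)]
    helper = xor(features, encode(secret))  # the "error correction bits"
    return helper, digest(features)

def verify(reading, helper, tag):
    """Snap a noisy reading back to the enrolled features, then compare hashes."""
    codeword = encode(decode(xor(reading, helper)))  # majority vote removes noise
    recovered = xor(codeword, helper)
    return secrets.compare_digest(digest(recovered), tag)

# Constructed sample data: real feature extraction is far messier than this.
ENROLLED = [1, 0, 1, 1, 0, 0, 1, 1, 0, 1] * 4
SAME_FINGER = flip(ENROLLED, {3, 17, 18})       # a few noisy bits
OTHER_FINGER = flip(ENROLLED, set(range(20)))   # half the bits differ

if __name__ == "__main__":
    helper, tag = enroll(ENROLLED)
    print("plain hash matches :", digest(SAME_FINGER) == tag)
    print("corrected, same    :", verify(SAME_FINGER, helper, tag))
    print("corrected, other   :", verify(OTHER_FINGER, helper, tag))
```

The stored helper bits leak some information about the features, and, as the answer says, none of this addresses the replay and liveness problems.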
1

This is so bogus. Why can't you encrypt a fingerprint? Your master is stored encrypted, you send an encrypted one to the server. The server software un-encrypts both and does the comparison. Simple. Your 'expert' solutions are bogus.

Doug Wolfgram
1

So you want to use a local authentication mechanism to authenticate a remote resource? There are many issues here to suggest this would not be a smart choice. E.g., how does the web app know the hash belongs to the original user and not someone who has a duplicate?

What I would suggest instead is to go the route of banks from several years ago when they had smartcard readers sent to credit card customers. Use the fingerprint scanner to store a local copy of the user's login name, requiring a second form of authentication such as a password.

Cahit
0

Why not use face match software for authentication?

http://www.oculislabs.com/products/privateeye

Vagabond
  • That could work too... I just need to be able to interact with it through a web interface – Bill Jan 13 '11 at 13:47