http://www.perlmonks.org?node_id=396011


in reply to Biometrics with perl

For another option, NEUROtechnologija has both Windows and Linux SDKs for a variety of fingerprint hardware devices. I have no personal experience with these products, however.

For the roll-your-own option, perhaps you could look into more conventional image duplicate-finding approaches, some of which have been discussed here, e.g. by BrowserUk, though you'd need access to the raw scanner images, and have to experiment with the comparison to see if it can be tuned to be sensitive enough to find a reasonably small number of matches without deciding that all fingerprints in your database are matches. I'd think you'd use the fingerprint only as a first identifier, then prompt for a password, so the fingerprint tool need only narrow down your ID to a small number of potential matches in your database, not a single person.

Finally, as interesting as I find the problem, I must say I have serious doubts about biometrics, both in ethical and practical senses. For starters, even in my personal circle of friends and relatives I can count half a dozen missing digits. Then there is the recent suggestion that fingerprints are not so easy to accurately compare as has been thought (and indeed haven't really been properly investigated), and the now famous gelatine hack. Perhaps something like a hardware key would be easier and safer to implement in your instance?

--
I'd like to be able to assign to an luser

Re^2: Biometrics with perl
by TedPride (Priest) on Oct 03, 2004 at 22:08 UTC
    Any passive security system can be bypassed given enough time, effort, and money. The object is just to make the cost of bypassing security higher than the gain, and unless you're doing high-stakes research or DoD work, a simple fingerprint / password system should be sufficient. Possible improvements might include:

    • Finger temperature scan and/or blood gas reading (former might be faked by warming gelatin, latter is much harder to)
    • Automatic digital photograph of the finger as it comes close to the scanner (if it looks odd, it's gelatin or has been cut off)
    • Weight plate (place feet here, test for weight within x pounds of last scan with same fingerprint and pass)
    • Retinal scan (though if you have one, why do fingerprint?)

      I certainly agree that anything can be broken, but I am particularly wary of complex bleeding-edge (if you will) technology systems that appear to improve things (in this case security, but that isn't the only case), but really serve more to hide insecurities behind flash and sizzle.

      Just to extend the argument a bit more:

      • finger temperature scan - pointless as skin surface temperature is most certainly not constant enough in any individual to be useful as even a partial identifier
      • blood gas reading - perhaps harder to fake, but why bother when like temperature, it too is not going to be consistent enough in a single user (did you have a beer at lunch?)
      • automatic digital photograph of the finger as it comes close to the scanner - now there's some cool AI: first step, see if you can tell a moving finger from a moving sausage reliably in real time. Better attack: mount the gelatin on a real finger.
      • weight plate - pretty crude, depends on clothing (seasonal), number of devices clipped to the subject geek, and whether they went to the all-you-can-eat down the street for lunch. Anyway, if you want to steal someone's finger, it's an easy matter to weigh them too.
      • retinal scan - perhaps the best of the lot, but given the poor science behind finger prints, I'm similarly loath to assume these are correct. It also wouldn't surprise me if there are legal problems regarding employees with disabilities as there are with most biometrics.

      I'm no expert and I've doubtless missed things, but my point is an RFID ID badge or similar with a suitably long encryption key and photo is far simpler, useable by both machine and human security staff, easy to issue, easy to confirm, and easy to cancel. I'm sure it too has truckloads of problems, but when we step past the intriguing academic exercise into practical application, simple wins with me every time.

      --
      I'd like to be able to assign to an luser

        The purpose of temperature and blood gas is to verify that the thing touching the sensor area is actually human, not to pick out which human. Admittedly, temperature varies according to outside temperature, so that idea should probably be scrapped, but blood gas is still valid.

        As for digital photographs of the finger, it's easy to mount the scanner inside a hole and take a picture whenever someone sticks their finger (or anything else) inside. If you make it so pass code has to be entered before fingerprint scan, all useless photos can pretty much be eliminated, as anyone who puts their finger inside before the passcode is entered (or more than x seconds afterwards) is just screwing with the security guy.

        Weight plate is not just raw weight, but also how the person stands. Someone who weighs 180 pounds is going to stand slightly differently from someone who weighs 160 but is carrying 20. Weight might vary up to 3-5 pounds either way in a single day, but since weight and current stance are updated daily, you only have problems if someone who isn't naturally the same weight / stance stands on the plate - or if a legitimate employee is trying to run off with 5+ pounds of equipment.

        There is no way to fake a retinal scan (at least to my knowledge) short of cutting out an eye and using it, and the eye will only be good for a short period of time due to breakdown of the microscopic blood vessels. Also, you can test for skin warmth and/or electrical field in the area surrounding the eye.

        -------

        As for RFID, it's ridiculously easy to borrow someone's ID card, substitute your own photo, and pass yourself through. Unless the security section is significantly more alert than the usual rent-a-cop, this is far less effective than even a fingerprint scan, which actually takes specialized knowledge and equipment to bypass. Not everyone can make gelatin fingers. RFID is admittedly an excellent way to track someone through the building once they've gotten inside, but I certainly wouldn't use it as the only entrance security check. Multiple methods are better, especially if you can keep one or two of them secret.