[OT] Re: data encryption + Biometric security

Steven Milburn steven.milburn at gmail.com
Mon Feb 5 21:31:54 CET 2007


> Malicious people will cut off your finger.  Don't laugh, it has happened
> before.  There are proven cases,
>
e.g. where a carjacker cut off the finger of his victim in order to be able
> to steal the car.
>

Newer fingerprint reader technologies actually account for this pretty
well.  A detached finger is seen as a spoof attempt, if it even images
properly at all.  Your information on these sensors, like most people, is
outdated.  And I don't think that's really an accident.

But, let me humor you for a moment.  If I'm willing to cut off your finger
to get into your mobile device, why wouldn't I be willing to put a gun to
your head and/or torture you until you give me your password?



1) full hardware docs (may be under NDA, but allowing GPL software
>   development)
> 2) small enough for a mobile device
> 3) cheap enough
> 4) not easy to fool
>

The sensor Mark's talking about definitely fulfills the last three.  As for
#1, that's where the political work needs to be done.  It should be possible
to make this happen though.  Most, if not all, fingerprint sensor
manufacturers are in the business of selling hardware.  The software is
basically given away, although the algorithms are guarded.  They need to
control the software because the quality of the sensor depends on the
software.

I image all that's needed is an easy way for users to tell that a sensor is
being used with the company's software or something else.  That way, when
used with something else, the reputation of the quality of the sensor is not
on the line because of bad software.  Eventually, the open software may get
good enough that the companies would "bless" a certain build.




On 2/3/07, Ian Stirling <openmoko at mauve.plus.com> wrote:
>
> There are not-bad options - with something like a 4*256 pixel imager.
> Cheap, pretty small, docs - as it's just a camera, easy to fool... Well,
> it's a fingerprint sensor.


If people are being concerned about faking fingerprint sensors, then  this
simplistic approach  is definitely not a good idea as optical imagers are
the easiest to fake out.




There are interesting possibilities to add security to fingerprint sensors.
> For example, which finger?
>
> If three fingers of one hand have to be scanned in a particular order,
> or it requires a password afterwards.
>
> Or use it as a little optical mouse backwards, and have a 'signature'.
>
> It can even be used as a substitute for a thumbstick in the normal UI.


All the above is currently being used.  There are  swipe-based fingerprint
sensors on some tablet PCs that have navigation capability.  They are used
as scroll wheels and/or as backup when the stylus is lost or not necessary
for a simple task.  But, as of yet using them for full navigation is not
working so great.  The main problem I see with all the ones I've tries is
that they actually try to mimic touch pads, instead of touch sticks.  So, to
move across a screen, you have to keep swiping.  That's an easy fix though
if the open-source community were able to work on things.

In fact, I think most of the standard gripes about fingerprint sensors could
be fixed if the community could play with the sensors, instead of relying on
the algorithms of the few corporate players in the market.

--Steve

Disclaimer: I USED to work for a fingerprint sensor company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openmoko.org/pipermail/community/attachments/20070205/ccb142d8/attachment.htm 


More information about the community mailing list