Authenticating in Ubuntu with a fingerprint
I had a free fingerprint scanner laying around (see below, thank you, digital persona) and thought of making it work with Ubuntu. Turns out, it could not be easier.
sudo apt-get install pam-fprint
Then add the the following line to the PAM module (etc/pam.d/common-auth):
auth [success=2 default=ignore] pam_fprint.so and changed another to read
auth [success=2 default=ignore] pam_unix.so nullok_secure
This way all Ubuntu authentication (logging in, sudo, gksu, etc.) requires only a fingerprint, and falls back to the standard password based authentication in case of an incorrect fingerprint.
Ok, cool, it works! Now, there are couple things worth mentioning.
- The fingerprint recognition is one of the oldest and probably weakest forms of biometric authentication. Think of this – when you use your fingerprints in leu of passwords, you are essentially leaving your passwords on everything you touch. Even worse, if somebody lifts your fingerprint and uses it for nefarious purposes, you can not change it. Ever.
- The U.are.U devices from DigitalPersona are image scanners, and as such, can be fooled by a simple image of a lifted fingerprint. They can not distinguish a real finger from a carefully crafted print out of a fingerprint. UPEK fingerprint readers, built into many ThingPads, are of a different type. They are capacitive scanners that look for actual groves on the finger, making them harder to fool with an image, but not with a silicon mold.
Withl that that said, it is still nice to save couple seconds every time you log into your home computer with just a touch of a finger (quite literally). However, I would not recommend using this approach as a security measure for sensitive information.