I’m a big fan of biometric authentication, if only because of my innate laziness and unwillingness to remember passwords. It was only natural, then, that I tried to make one myself as part of my coursework project—to see what pitfalls biometrics had in store and to learn how to work with it in the first place.
When it comes to biometrics, the choice of the actual factor is up to you—whether it be the eye, the finger, the voice, the face or something else. Vendors experiment with different factors, and combinations of them, to find a balance between simplicity, reliability and cost. Not all methods are created equal, however: camera-based methods such as facial recognition or iris scanning struggle in low-light conditions or with obstructions (glasses, for instance), and can generally be awkward to use.
Fingerprint scanners are something of a sweet spot in this regard, seeing as they’re simple to use, fairly reliable and inexpensive to produce, to the point of appearing on many mid-range and even low-end devices. As a result, operating systems and vendors offer APIs and SDKs for working with the scanning hardware simply and securely. This was why I chose the fingerprint scanner as my poison of choice—simplicity of software implementation, simplicity of use for the end user, and security.
The authentication layer was built as an additional means of protection and convenience for logging in to the university’s online education and testing system. The concept was this: biometric login has equal rights to authenticate a user to the system. Authentication is done by means of a mobile app installed on a biometrics-enabled device. A confirmation code, derived from the password and the device’s unique ID, is sent to the server side of the system and verified there.
To avoid unnecessary clicks, the server-side app (powered by PHP) long-polled for a result and, once one came, checked it against the correct print stored in the database. This way, from the user’s side, all they have to do is:
- Press a special button underneath the Log in button that takes them to a biometric processing screen
- Launch the app and scan their fingerprint
When the app is first installed, the user is prompted to enter their username and password, which are then securely stored and used to authenticate—after this, the authentication process is simple and painless, requiring only a web page open on your PC and a finger placed on your scanner.
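The flow above, as an added illustration rather than code from the original project: a server-side broker issues a one-time challenge when the user presses the biometric button, the app answers with a confirmation code computed from the stored credential and the device ID, and the web page long-polls the broker for the outcome. The original server was PHP; this sketch is Python so it can run stand-alone. Everything here is an assumption on top of the post's description: the shared secret is derived with PBKDF2 from the password and device ID, the code is an HMAC that also covers the challenge (so a code captured in transit cannot be replayed), the fingerprint itself never leaves the phone (the scanner only unlocks the stored secret), and the usernames, device ID and salt are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import threading

# Constructed sample values (placeholders, not from the original system).
USERNAME = "student42"
PASSWORD = "correct horse battery"
DEVICE_ID = "device-0123abcd"     # stands in for the OS-provided unique device ID
SALT = b"constructed-per-user-salt"


def derive_secret(password: str, device_id: str, salt: bytes) -> bytes:
    """Shared secret from password + device ID (assumption: PBKDF2-HMAC-SHA256).

    Enrolment stores this on the device (behind the OS keystore) and on the
    server, so the raw password is not needed again at login time.
    """
    return hashlib.pbkdf2_hmac("sha256", f"{device_id}:{password}".encode(), salt, 100_000)


def confirmation_code(secret: bytes, challenge: str, device_id: str) -> str:
    """App side: HMAC over the server's one-time challenge and the device ID."""
    return hmac.new(secret, f"{challenge}|{device_id}".encode(), hashlib.sha256).hexdigest()


class LoginBroker:
    """Server side: pending logins that the web page long-polls for."""

    def __init__(self, user_db: dict):
        self._db = user_db            # username -> (enrolled device_id, secret)
        self._pending = {}            # challenge -> {"username", "event", "result"}
        self._lock = threading.Lock()

    def start_login(self, username: str) -> str:
        """Called when the user presses the biometric button; returns the challenge."""
        challenge = secrets.token_urlsafe(16)
        with self._lock:
            self._pending[challenge] = {
                "username": username, "event": threading.Event(), "result": None}
        return challenge

    def submit_code(self, challenge: str, device_id: str, code: str) -> bool:
        """Called by the app once the scanner has unlocked the stored secret.

        Each challenge accepts exactly one attempt; a second submission of the
        same code (a replay) is rejected because the entry is already resolved.
        """
        with self._lock:
            entry = self._pending.get(challenge)
            if entry is None or entry["event"].is_set():
                return False
            enrolled_device, secret = self._db.get(entry["username"], (None, b""))
            expected = confirmation_code(secret, challenge, device_id)
            ok = (device_id == enrolled_device
                  and hmac.compare_digest(expected, code))   # constant-time compare
            entry["result"] = ok
            entry["event"].set()
        return ok

    def wait_for_result(self, challenge: str, timeout: float):
        """The long-poll: block until the app answers or the timeout expires.

        Returns True/False for an answered login and None on timeout; the
        challenge is discarded either way, so a late answer cannot log in.
        """
        with self._lock:
            entry = self._pending.get(challenge)
        if entry is None:
            return None
        entry["event"].wait(timeout)
        with self._lock:
            self._pending.pop(challenge, None)
        return entry["result"] if entry["event"].is_set() else None


def demo() -> dict:
    """A good login, a replayed code, a code from the wrong device, and a timeout."""
    secret = derive_secret(PASSWORD, DEVICE_ID, SALT)
    broker = LoginBroker({USERNAME: (DEVICE_ID, secret)})

    ch = broker.start_login(USERNAME)
    code = confirmation_code(secret, ch, DEVICE_ID)        # computed on the phone
    good = broker.submit_code(ch, DEVICE_ID, code) and broker.wait_for_result(ch, 1.0)
    replay = broker.submit_code(ch, DEVICE_ID, code)       # same challenge again

    ch2 = broker.start_login(USERNAME)
    wrong_device = broker.submit_code(ch2, "some-other-device", code)

    ch3 = broker.start_login(USERNAME)
    timed_out = broker.wait_for_result(ch3, 0.05)          # nobody scanned
    return {"good": good, "replay": replay, "wrong_device": wrong_device, "timed_out": timed_out}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the web page's long-poll request would call `wait_for_result` with a timeout of a few tens of seconds and simply re-issue the request on `None`, while the challenge would be delivered to the app by a push message or a QR code rather than by the caller passing it around as in `demo()`.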
Naturally, the system has some weak points, the greatest of which is sending information over the network. However, HTTPS helps mitigate these risks considerably, and since SSL/TLS is more or less the norm for production environments today, the system becomes safe and secure to use. All in all, this project has been a very interesting journey into the world of biometrics, and it’s taught me a lot about what biometrics are good for. I hope that this post has also perhaps given you an idea of your own.