Biometric fingerprints for logging into a website


Question

Is there a way to authenticate to a website using fingerprints?

I am thinking of the following scenario.


  • The server has ISO 19794-2 fingerprint templates of all valid users.
  • Client machine has a fingerprint scanner.
  • Client opens the website in a browser.
  • Browser has a Java Applet/ActiveX control/HTML5 object that gets the fingerprint template from the scanner & sends it to the website.
  • Website allows/disallows based on fingerprint.

However, this seems very insecure. It's not difficult to get a jpg of someone else's fingerprint and convert it into an ISO 19794-2 template of the same. Then one can programmatically log in to the website by sending the userid & template to the website.

Is there a secure algorithm/design for allowing people to login to a website using fingerprints?

Recommended answer

It's an issue of a trusted path between the fingerprint scanner and your website's verification logic. If someone could disguise themselves as a valid client and submit login requests to your application, your scheme would be broken.

I think the best you can do is to use two-factor authentication. I would request a user's password, provide it as input to some PKDF, and encrypt the login request with it; this way, if someone gets a user's fingerprint, he won't be able to forge a login request without knowing the user's password. Besides, biometrics is mostly done as an additional authentication factor, not the only one.

If you don't want to do this, you could obfuscate the application code, issue it with a one-time key, which would be valid for a very short time, to minimize the risk of reverse engineering, and sign requests with this key, but it's not very secure; it requires a lot of hassle without any significant security increase.
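
The password-bound login request from the answer, sketched as an added example (not code from the original answer): it uses PBKDF2 and, as a swapped-in technique, an HMAC tag instead of encryption, since the stated goal is that the request cannot be forged. All names, the iteration count, the server nonce and the exact-match template comparison are assumptions.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_login_request(user, template, password, salt, nonce):
    # Client: the server sent `salt` and a fresh `nonce` as a challenge.
    body = json.dumps({"user": user, "template": template.hex(),
                       "nonce": nonce.hex()}, sort_keys=True).encode()
    tag = hmac.new(derive_key(password, salt), body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_login_request(request, enrolled, nonce, match_template):
    # Server: check the password-derived MAC before looking at the biometric.
    fields = json.loads(request["body"])
    record = enrolled.get(fields["user"])
    if record is None:
        return False
    expected = hmac.new(record["key"], request["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["tag"]):
        return False  # sender did not know the password
    if not hmac.compare_digest(fields["nonce"], nonce.hex()):
        return False  # captured request replayed against a new challenge
    return match_template(bytes.fromhex(fields["template"]), record["template"])


def demo():
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    template = b"constructed-sample-template"  # constructed, not real ISO 19794-2 data
    enrolled = {"alice": {"key": derive_key("correct horse", salt),
                          "template": template}}
    exact = hmac.compare_digest  # stand-in for a real fuzzy minutiae matcher
    genuine = build_login_request("alice", template, "correct horse", salt, nonce)
    forged = build_login_request("alice", template, "wrong guess", salt, nonce)
    return (verify_login_request(genuine, enrolled, nonce, exact),
            verify_login_request(forged, enrolled, nonce, exact),
            verify_login_request(genuine, enrolled, secrets.token_bytes(16), exact))


if __name__ == "__main__":
    print(demo())
```

The derived key stored on the server is a password equivalent for this exchange, so it needs the same protection as the enrolled templates.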
