From Fedora Project Wiki

Fingerprint Readers

Summary

The goal of the project is making fingerprint readers as easy as possible to use for secondary authentication.

See the use cases in the whiteboard.

Owner

Current status

  • Targeted release: Fedora 11
  • Last updated: 2008-12-08
  • Percentage of completion: 95%

libusb1, and the required libfprint are available in rawhide (F-11).

fprintd is in rawhide. It includes a pam plugin to not require a password for login. The authconfig patch to add fingerprint reader authentication is also in rawhide.

Enrollment support is in gnome-about-me, available in the control-center package in rawhide.

Detailed Description

Currently, using Fingerprint readers is a bit of a pain, and installing/using fprint and its pam module take more time than should ever be necessary. The goal of this feature is to make it painless by providing all the required pieces in Fedora, together with nicely integrated configuration.

Benefit to Fedora

Better Out-of-the-box experience for systems with fingerprint readers. Fedora will support one more piece of frequently found hardware.

Scope

Better integration would mean

  • Having a D-Bus service for handling reading/using the fingerprint reader.
  • The PAM module uses the VerifyStart method provided over D-Bus to authenticate users, and will be added to the default configuration.
  • gnome-about-me would use the EnrollStart method to write a new fingerprint data file for the specified user.
  • gnome-screensaver would be able to use finger scans to unlock the desktop
  • Any other dialog presented to the user for authentication would be able to use finger scans, e.g PolicyKit
  • The create-user dialog in firstboot or its replacement could offer to enroll the new user

How to test

  • Person installs a laptop/desktop system with a fingerprint-reader that's supported by fprint. A good way to find information about your fingerprint reader is to scan the output of lshal for 'Fingerprint Reader'.
  • Person sets their fingerprint in gnome-about-me
  • Person can log in using their fingerprint, and the session behaves the same whether logged in with password or fingerprint. In particular, gnome-keyring-daemon is running in both cases
  • Person deletes their fingerprint in gnome-about-me
  • Person can no longer log in with their fingerprint
  • Another thing to test: turning fingerprint support off in authconfig prevents login with fingerprint, but keeps the fingerprint data, so that turning it back on doesn't force people to re-enroll.
  • To install the necessary packages to test this feature, on a stock Fedora 10 machine, run:
yum -y --enablerepo=rawhide install fprintd-pam control-center authconfig

Known issues

  • Imaging devices can go crazy if EnrollStop is not called after straight after a successful enrollment. This is worked-around in fprintd.
  • Imaging devices will fail to read subsequent prints when enrolling and the 'enroll-retry-scan' status is encountered. This is a bug in libfprint.
  • authconfig support is currently disabled by default. In Fedora 11, it will be enabled by default.

User Experience

Fingerprint support in authconfig-gtk

Deleting existing fingerprints in gnome-about-me

Fingerprint enrollment wizard

Fingerprint enrollment wizard, step 2

Fingerprint enrollment wizard, step 3

Fingerprint enrollment wizard, step 4

Dependencies

Contingency Plan

Don't install the packages by default. If fprintd is not installed, authconfig and gnome-about-me will not show their fingerprint-related UI.

Documentation

Release Notes

Fedora 11 supports authentication using fingerprint readers. Before you can log in using your fingerprint, you need to enable fingerprint authentication in authconfig (System → Administration → Authentication) and enroll your fingerprint in gnome-about-me (System → Preferences → Personal → About Me). For a list of supported fingerprint readers, see http://www.reactivated.net/fprint/wiki/Supported_devices.

For upgrades from older versions of Fedora, and if pam_fprint was installed, the package itself as well as the changes to PAM configuration should be removed (unless major changes were done to the files, running authconfig as mentioned above will clear the previous changes).

Comments and Discussion

See Talk:Features/Fingerprint