user93353

Reputation: 14039

Biometric fingerprints for logging into a website

Is there a way to authenticate to a website using fingerprints?

I was thinking of the following scenario.

However, this seems very insecure. It's not difficult to get a JPG of someone else's fingerprint and convert it into an ISO 19794-2 template. Then, programmatically, one can log in to the website by sending the user ID and template to the website.

Is there a secure algorithm/design for allowing people to login to a website using fingerprints?

Upvotes: 5

Views: 7685

Answers (2)

Ravanan

Reputation: 586

Reading a fingerprint and authenticating from the client side is very much possible, but this has to be supported by the manufacturer of the scanner. The link http://camsunit.com/application/javascript-based-fingerprint-scanner-for-website-authentication-and-attendance.html shares the JavaScript API for communicating with the fingerprint scanner. One of the operations is CaptureAndVerify, which validates the encrypted existing template against the newly captured one and passes the response to the server directly, ensuring that the authentication is done securely.

Upvotes: 0

damiankolasa

Reputation: 1500

It's an issue of a trusted path between the fingerprint scanner and your website's verification logic. If someone could disguise themselves as a valid client and submit login requests to your application, your scheme would be broken.

I think the best you can do is to use two-factor authentication: I would request the user's password, provide it as input to some PBKDF, and encrypt the login request with it. This way, if someone gets the user's fingerprint, he won't be able to forge a login request without knowing the user's password. Besides, biometrics are mostly used as an additional authentication factor, not the only one.

If you don't want to do this, you could obfuscate the application code, issue it with a one-time key valid for a very short time to minimize the risk of reverse engineering, and sign requests with this key, but it's not very secure; it requires a lot of hassle without any significant security increase.

Upvotes: 4
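The following is an added example, not code from the question or either answer, showing the two schemes side by side: the question's "send user ID plus template" login, which anyone holding a lifted template can pass, and the second answer's binding of the request to a password-derived key. It substitutes an HMAC over the request for the encryption the answer describes, since authenticity of the request is the property that stops the forgery (confidentiality of the template in transit is left to TLS). The template bytes, user names, password, PBKDF2 parameters and the byte-equality "matcher" are all constructed stand-ins; a real ISO 19794-2 matcher scores minutiae similarity rather than comparing bytes.

```python
"""Added example: binding a fingerprint-template login to a password-derived key.

Constructed demo, not code from the original Q&A. Everything below that looks
like real data (template bytes, names, password) is a stand-in.
"""
import hashlib
import hmac
import json
import secrets
import time

# Stand-in for an ISO 19794-2 minutiae template (constructed, not a real template).
# Real matching is fuzzy; here a "match" is byte equality so the example runs offline.
ALICE_TEMPLATE = b"ISO19794-2:alice:minutiae:0x1f3a-constructed"

PBKDF2_ITERATIONS = 200_000   # assumed value; set per your password-hashing policy
REQUEST_MAX_AGE = 60          # seconds an authenticated request stays valid


def derive_key(password: str, salt: bytes) -> bytes:
    """The answer's 'PBKDF' step: PBKDF2-HMAC-SHA256 -> 32-byte request key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _mac(key: bytes, request: dict) -> bytes:
    """HMAC over every authenticated field in a fixed, canonical order."""
    msg = json.dumps([request["userid"], request["nonce"],
                      request["ts"], request["template"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_login_request(userid: str, password: str, salt: bytes,
                        template: bytes) -> dict:
    """Client side: freshly captured template + password-derived key -> request.

    Without the password the client cannot produce a valid 'mac', which is what
    defeats the lifted-template attack from the question.
    """
    key = derive_key(password, salt)
    request = {"userid": userid, "nonce": secrets.token_hex(16),
               "ts": time.time(), "template": template.hex()}
    request["mac"] = _mac(key, request).hex()
    return request


class Server:
    def __init__(self):
        self.users = {}            # userid -> {"salt", "key", "template"}
        self.seen_nonces = set()   # replay protection for authenticated requests

    def enroll(self, userid: str, password: str, template: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[userid] = {"salt": salt,
                              "key": derive_key(password, salt),
                              "template": template}

    def salt_for(self, userid: str) -> bytes:
        # The salt is not secret; the client needs it to derive the same key.
        return self.users[userid]["salt"]

    def naive_login(self, userid: str, template: bytes) -> bool:
        """Scheme from the question: user ID + template only.

        Anyone who obtained the template (e.g. from a photo) passes this check.
        """
        user = self.users.get(userid)
        return user is not None and hmac.compare_digest(user["template"], template)

    def login(self, request: dict) -> tuple:
        """Scheme from the answer: the request must carry a MAC under the
        password-derived key, and each nonce is accepted once."""
        user = self.users.get(request["userid"])
        if user is None:
            return False, "unknown user"
        if abs(time.time() - request["ts"]) > REQUEST_MAX_AGE:
            return False, "stale"
        if request["nonce"] in self.seen_nonces:
            return False, "replay"
        expected = _mac(user["key"], request)
        if not hmac.compare_digest(expected, bytes.fromhex(request["mac"])):
            return False, "bad mac"          # wrong password or tampered request
        self.seen_nonces.add(request["nonce"])  # record only after MAC passes
        if not hmac.compare_digest(user["template"], bytes.fromhex(request["template"])):
            return False, "fingerprint mismatch"
        return True, "ok"


if __name__ == "__main__":
    server = Server()
    server.enroll("alice", "correct horse battery staple", ALICE_TEMPLATE)
    # Attacker with only the lifted template: naive scheme accepts, bound scheme rejects.
    print("naive login with stolen template:", server.naive_login("alice", ALICE_TEMPLATE))
    forged = build_login_request("alice", "guess", server.salt_for("alice"), ALICE_TEMPLATE)
    print("bound login, stolen template, wrong password:", server.login(forged))
    good = build_login_request("alice", "correct horse battery staple",
                               server.salt_for("alice"), ALICE_TEMPLATE)
    print("bound login, both factors:", server.login(good))
    print("replay of the same request:", server.login(good))
```

The MAC covers the user ID, nonce, timestamp and template together, so a captured request can neither be replayed nor have its template swapped. What this does not solve is the trusted-path problem the answer opens with: a client that holds both the password and the template (a compromised browser, say) still produces valid requests, which is exactly why the answer treats the fingerprint as a second factor rather than the only one.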
