Kevin Meier

Reputation: 2590

Web-Authentication: Use a fingerprint scanner

There already exists a Raspberry Pi based terminal whose job it is to display a website. This works great. The end user has only a touch screen to do everything and only one webpage is on the screen.

The user authentication is done with a username and a password. Both are short, because the terminal uses a touch interface and security is not extremely important for the use case.

Because it is still relatively time-intensive to input a username/password, I would like to use a fingerprint scanner on the terminal. The user authentication should still be done on the server side. In a first step the communication between the client and the server is not very important (the client and server are always in the same local network).

My idea is now:

  1. A Futronic F88 is added to the terminal. (It works with the Raspberry Pi.)
  2. The Futronic API is used to write a small program which just reads out the scanner and stores the image somewhere locally.
  3. The target website which is displayed by the terminal contains a hidden Java Applet which is signed and has all local privileges.
  4. If a user connects to the website, the Applet is started and runs the local program to read out the fingerprint image. This image is then sent to the server, where it is matched against some locally stored images.
  5. The server uses a software like SourceAFIS to match the fingerprint.
  6. Of course the website always knows the current application state and gives the user hints what to do (e.g. "scan your finger now").

Does this work? I think the most difficult point is to do the Applet things. Is it possible to do this? Especially without any warnings. The user should not even know that he is using a website and not a local application.

Or is there an alternative "cleaner" idea than using a Java Applet to access the local USB-connected fingerprint scanner? E.g. a custom browser plugin?

Thank you very much

Upvotes: 0

Views: 2230

Answers (1)

LinuxDisciple

Reputation: 2379

I question the benefit of the user not knowing they're using a standalone Java application. Java applets are a pain. If you just used a standalone Java program, you could do this:

  1. Java program waits for fingerprint scan.
  2. Fingerprint is scanned, Java uploads the image to the server over HTTPS, gets back a one-time key (for valid scans) or a message indicating an invalid scan.
  3. Java either tells the user about the invalid scan and goes back to step 1, or for a valid scan proceeds to step 4.
  4. Java writes a local HTML page containing:
    • the one-time token
    • a form that submits the one-time token
    • JavaScript that submits the form on login.
  5. Java opens a browser to that temporary page.
  6. Java deletes the page when the browser closes.

Applets aren't going to be supported forever and they're a pain to set up. Every time you update the browser or the JRE, you're going to have to re-allow all the permissions that will let you do this. Applets are also harder to test.

The standalone solution I've outlined above does not require the JRE and the browser to coordinate, and upgrading either isn't likely to break it. In fact, it can be made completely browser-agnostic by calling the OS's preferred program for handling .html files instead of starting a specific browser.

Upvotes: 2
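
Steps 4 to 6 of the answer above, sketched as an added example (not code from either poster). The login URL, the form field name and the token value are hypothetical placeholders, and a POSIX filesystem (as on the Raspberry Pi) is assumed. The form uses POST so the one-time token does not end up in a URL, and the file is created readable by the current user only.

```java
import java.awt.Desktop;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public class TokenLoginPage {
    // Hypothetical endpoint and field name; the answer does not name them.
    static final String LOGIN_URL = "https://server.example/token-login";
    static final String FIELD = "token";

    /** Escape a value for use inside a double-quoted HTML attribute. */
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Step 4: page holding the token, a POST form, and a script that submits it. */
    static String buildPage(String token) {
        return "<!DOCTYPE html>\n<html><body>\n"
             + "<form id=\"f\" method=\"post\" action=\"" + escapeAttr(LOGIN_URL) + "\">\n"
             + "<input type=\"hidden\" name=\"" + FIELD + "\" value=\"" + escapeAttr(token) + "\">\n"
             + "</form>\n<script>document.getElementById('f').submit();</script>\n"
             + "</body></html>\n";
    }

    /** Write the page to a temp file that only the current user can read or write. */
    static Path writePage(String token) throws IOException {
        Path p = Files.createTempFile("login-", ".html",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.write(p, buildPage(token).getBytes(StandardCharsets.UTF_8));
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; in the real flow it is the server's reply from step 2.
        String token = "CONSTRUCTED-one-time-token";
        Path page = writePage(token);
        try {
            Desktop.getDesktop().browse(page.toUri()); // step 5: OS default handler for the page
            // Assumption: a fixed delay stands in for detecting that the browser has closed.
            Thread.sleep(5000);
        } finally {
            Files.deleteIfExists(page); // step 6: the token must not stay on disk
        }
    }
}
```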
