Safe biometrics authentication

[MJU]

I want to make a biometric based lock that is safe...

Everybody tells me that there is no way to achieve that.
There is no such thing as a safe lock that is based upon human parameters so they say.

But, is there anyone that disagrees?
Is there a safe way to design a lock that is fast and safe? Based on something we all carry? Our body?

What kind of sensor should I look into? What are the problems I will find designing this lock?

[Benj]

I've got a couple of fingerprint sensors I want to maybe use on my garage door. Currently the key is lost and we have a bent random key that works to unlock it. Not ideal!!

Maybe that or a hidden pocketed RFID reader with a tag in my wallet. I had a similar locked drawer in the past using a hidden reed switch and a magnet in the wallet.

Face recognition on modern phones is fairly impressive though there are likely flaws to this tech. I dare say you can probably do this using python on a pi with a connected pi cam.

As for being absolutely safe I think given enough time and effort anything is vulnerable to attack. I've seen hacks to get around fingerprint sensors though no idea if they actually work reliably. Misdirection and obfuscation is often the best ploy when designing security systems.

[chipfryer27]

Hi

How long is a piece of string? That's a popular saying especially when discussing security related matters. What level of "threat" is faced is a good way to start then everything after is a balancing act between security and convenience. I want to secure a room so I build it and don't put a door to it. Quite secure but hardly convenient.

I then put a three foot thick steel door on a time lock with other multiple locking devices so now the bad guys smash through the walls.

I would tend to agree that nothing can be totally secure especially if humans are involved. Say you have your secure biometrics but I hold a loved one hostage. Will you open up for me? Of course you would.

Generally speaking you should have differing levels of security to overcome before access is granted (e.g. RFID tag plus a code), obviously depending on how secure you wish it to be. RFID, fingerprint, speech recognition etc can all be accomplished by a microcontroller but as far as I am aware facial recognition is a bit beyond them although I believe there is a system for the Pi (or such like). You should also consider duress access. Say your loved one is held hostage and you are forced to "enter your code". A duress code will grant access but will also trigger a silent alarm (or such like). Do you need to consider "polite access" whereby an authorised user holds the door open for a colleague(s)? If so you may also need RFID that can be read from a distance so that you know all who enter (we got caught out by that in a secure site once. A colleague held the door open for us to enter but we coudn't then get out as the system did not show us as inside. Only he could get out and let us out).

Majority of "stand alone" fingerprint readers only require one print for access and I believe these can be compromised depending on the actual technology (we have all seen movies whereby bolt cutters were employed...ouch). A simple way to increase the complexity of such is to have each authorised user create their own "pattern" and this can be built by yourself. Instead of offering a single digit, the user has to create a pattern to be followed. For example Left index finger, right thumb, right middle finger etc. I'm sure you get the idea. A few stages in the pattern and you potentially have thousands of differing combinations (including duress) all unique to that user which would take time to "crack" (even if Mr. Tarantino has all your fingers in his pocket). You could consider after two wrong attempts it automatically locks out for five minutes without you knowing, you have then massively increased the time it would potentially take to "crack". If two people are simultaneously required to gain access (to your nuclear codes??) this pattern can easily be adapted to suit. Depending on your application this approach may be of some small help.

Also consider the physical security of the sensors and controllers, not forgetting any cabling. They should not be accessible and tamper detection should be employed.

Of course if The Terminator wishes access you'd probably be well advised to just let him in...

Regards

[MJU]

First of all: thanks for your reply.

@Benj: what is stored in your garage? And if it is valuable then please PM me your home address
@chipfryer27: I have just measured a piece of string and it is 53.2cm

No, just joking.

The suggestions are what I expected. The strength of the security follows the value of the things that need protection.
You need to make a consideration between ease of use and security.

But I already tested a (cheap) Chinese fingerprint scanner module and it worked well. But I had to return it because it didn't store the scans @ power off. They never send one back

But I really don't know if I can believe the figures they give with the devices. If they claim that a false rate of acceptance is... x. How can I be sure that this is true? I can't get a million people to test these figures.
The suggestion of Chipfryer to let the user scan two fingers in a specific order only they know is a very good suggestion. This makes the lock very much secure I think. But this has a cost too. The speed of recognition is reduced. But very well worth investigating.

The communication between the device and a microcontroller is also something I considered.

Do any of you have experience with these modules in the outdoor?
I've read that damp could give false results?

I may consider buying a new module but I realise that there are still things to think about before I trust my Fort Knox to it.

[kersing]

Fingerprints scanners outside might be an issue regarding the user experience. Would you like to use it when the unit is -5 C? Also people’s fingerprints suffer from cold and damp. Even the scanners in expensive devices like iPhones and iPads have difficulty recognizing fingerprints regularly, I expect Apple uses hardware with better hardware specs when compared to the ‘cheaply stuff from China.
Facial recognition is an issue for smartphones worth nearly a thousand euros. They can be fooled with a simple picture, so implementing something foolproof will be hard. (Samsung etc have a lot more resources and money and can’t get it right)
Voice recognition is nice for Amazon Alexa and google home but hardly fool proof. A recorder with a microphone near the entrance when you enter provides a ‘key’ for future visits.

Whatever you implement, make sure to add a second method like an old fashioned lock and key as a fail safe. Not being able to open a door when there is a power failure or emergency can be disastrous.

[MJU]

In my ideal world I would like the biometric device (maybe a fingerprint scanner), to be used in outdoor conditions. -5°C is possible.

But it seems to me that all these conditions are much to ambitious.
It should be safe, work in all conditions, react fast and so on.

Thanks for your advice!

[kersing]

I'm not suggesting using a fingerprint sensor at -5C is impossible. However it would not be a pleasant experience to have to press your finger to a freezing object.

[Steve001]

Hi

Maybe a bit off topic slightly.

Currently at work I have seen in the past couple of years, finger print scanners have gone away from turn styles to gain access these have been replaced by hand geometry scanners with a card that you present upto a reader - presume this is a RFID card.

https://en.wikipedia.org/wiki/Hand_geometry

as jac says not pleasant in winter placing your hand on the cold plate and getting stressed out when a voice telling you your hand is not placed correctly makes you want to rip it off the wall and chuck it into car park.

Steve

:edit thinking about it - they probably gone back to hand scanners from finger print due to the large number of hand injuries within the construction industry making this technology unreliable ? - just a thought