php 我可以在我的网站上使用指纹扫描仪吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4169678/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can I use a fingerprint scanner on my website?
提问by Bill
I'm making a web application and would like to have a secure area where you can only sign in with your finger print. My original idea was to just use a usb barcode reader and you scan that, and it outputs the ID into a text box, but that's not very secure. So I want to use a USB fingerprint reader to maybe generate a hash for each person and store that in a text box instead. Which then will check that against a database with everyone's hash value. Does anyone know if there is a fingerprint reader out there that can do this, or of a way I can easily integrate a reader into a website?
我正在制作一个 Web 应用程序,并希望有一个安全区域,您只能在其中使用指纹登录。我最初的想法是只使用 USB 条形码阅读器,然后扫描它,然后将 ID 输出到文本框中,但这不是很安全。所以我想使用 USB 指纹读取器为每个人生成一个哈希值,并将其存储在文本框中。然后将根据每个人的哈希值对数据库进行检查。有谁知道是否有指纹读取器可以做到这一点,或者我可以轻松地将读取器集成到网站中?
EDIT: The Idea for this website is that it's like a login system (Sort of like how you can clock in and out if you get paid hourly) The idea is that no one can sign someone else in and out. IF you just use a password, than someone can just tell their friend the password who can type it in. That's why I thought of a fingerprint, or something similar... I'm open to other suggestions
编辑:这个网站的想法是它就像一个登录系统(有点像如果你每小时获得报酬,你可以如何打卡和退出)这个想法是没有人可以签入和签出其他人。如果你只使用密码,那么有人可以告诉他们的朋友可以输入密码的密码。这就是为什么我想到了指纹或类似的东西......我愿意接受其他建议
Also, I'm using PHP
另外,我正在使用 PHP
EDIT 2: The Basic idea, is I have to come up with a way to Prove someone was there by checking in. I don't want to use passwords, because then someone can just tell someone else their password to type in. Any other suggestions? It doesn't have to be fingerprints.
编辑 2:基本想法,是我必须想出一种方法来证明有人在那里签入。我不想使用密码,因为这样有人可以告诉别人他们的密码输入。任何其他建议?它不一定是指纹。
采纳答案by Borealid
You can't do what you want, exactly.
你不能做你想做的,确切地说。
Fingerprints never exactlymatch. Even if you scan your own right index finger twice in a row, the scans won't be the same. So "hashing the fingerprint" won't work - two hashes of the same finger would be indistinguishable from two hashes of two different fingers (with a good, cryptographically strong hash).
指纹永远不会完全匹配。即使您连续两次扫描自己的右手食指,扫描结果也不会相同。所以“对指纹进行散列”是行不通的——同一个手指的两个散列与两个不同手指的两个散列(具有良好的密码强散列)无法区分。
Fingerprint readers work by storing some key onboard, and letting that key out if and only if the fingerprint given is close enough to what they expect. The fingerprint itself is not used to get direct access to anything outside the reader.
指纹读取器的工作原理是在板上存储一些密钥,当且仅当给出的指纹足够接近他们的预期时才放出该密钥。指纹本身不用于直接访问阅读器之外的任何内容。
Sending the fingerprint as seen by the reader over the network is not acceptable - people are nervous about giving their prints to police. You think they'll be OK giving them to you?
通过网络发送读取器看到的指纹是不可接受的——人们对将指纹交给警察感到紧张。你认为他们会把它们给你吗?
Also not acceptable is having the reader say "finger 2 is OK". This could be easily spoofed.
同样不可接受的是让读者说“手指 2 没问题”。这很容易被欺骗。
Instead, have your user use X.509 (SSL) client certificates to access your site. They may, if they wish, control access to their private key via the fingerprint reader.
相反,让您的用户使用 X.509 (SSL) 客户端证书来访问您的站点。如果他们愿意,他们可以通过指纹读取器控制对他们的私钥的访问。
EDIT: updating this answer. There is, now in the year 2014, a standard from the FIDO Alliance called "UAF" which allows sites to use fingerprint authentication in a way that works across different sites. Rumor has it Paypal is going to begin using it soon.
编辑:更新这个答案。现在在 2014 年,FIDO 联盟推出了一项名为“UAF”的标准,该标准允许站点以跨不同站点工作的方式使用指纹身份验证。有传言说 Paypal 很快就会开始使用它。
回答by AltF4
Biometrics are a very bad way to do authentication for many reasons:
出于多种原因,生物识别技术是一种非常糟糕的身份验证方式:
- They're essentially just a password that you can never change. (At least not without some serious pain!) With traditional password schemes, if your password gets stolen or guessed, you can at least change it. But if someone steals your fingerprint, now what are you going to do?
Biometrics are not secret. Every time you touch something, you're leaving your password laying around. Every time your picture gets taken your facial image / retinal image gets copied. Passwords have to remain secret to be useful.
Like Borealid said, Biometrics are never scanned exactly the same twice. So when you do matching, there has to be some kind of fudge factor in allowing input. This:
Just makes it easier for attackers to copy your data and replay it, since they don't have to get an exact match. An attacker only has to get close to get accepted.
It forces the authentication server to store the your biometric info in plaintext. You can't hash biometric data like you can passwords, since then you'd have to match exactly with the hashed value.
- 它们本质上只是一个您永远无法更改的密码。(至少不是没有一些严重的痛苦!)使用传统的密码方案,如果您的密码被盗或被猜到,您至少可以更改它。但是如果有人偷了你的指纹,现在你打算怎么办?
生物识别技术并不是秘密。每次您触摸某物时,您都会留下密码。每次拍摄照片时,您的面部图像/视网膜图像都会被复制。密码必须保密才能有用。
正如 Borealid 所说,生物识别技术永远不会被完全相同地扫描两次。因此,当您进行匹配时,在允许输入时必须有某种模糊因素。这个:
只是让攻击者更容易复制您的数据并重放它,因为他们不必获得完全匹配。攻击者只需靠近即可被接受。
它强制身份验证服务器以明文形式存储您的生物特征信息。您不能像对密码那样散列生物特征数据,因为那样您就必须与散列值完全匹配。
So don't do it!
所以不要这样做!
回答by CodesInChaos
Biometry for remote authentication is neversecure. You can't know if a real finger with that fingerprint is in a reader, or if the user only sends you an image. So a fingerprint just becomes a password the user can never change, which is the same for every service you login to, and which is left on every object the user touches.
用于远程身份验证的生物识别永远不会安全。您无法知道带有该指纹的真实手指是否在读取器中,或者用户是否仅向您发送图像。因此指纹只是成为用户永远无法更改的密码,这对于您登录的每个服务都是相同的,并且会留在用户触摸的每个对象上。
Biometry can only work for local authentication where you trust the reader to be not hacked(i.e. you have physical control over the reader) and the reader can distinguish a real finger/eye/... from a fake one. Which most can't.
生物测定只能用于本地身份验证,您相信阅读器不会被黑客入侵(即您对阅读器有物理控制权),并且阅读器可以区分真实的手指/眼睛/...和假手指。大多数不能。
It is possible to create a one way hash of a finger print. You first have to extract a number of observables just like you might do for a fuzzy match. But since you need an exact match for a hash you need to throw error codes at the values you extracted which then can correct the minor differences on each measurement. It's not easy to code and it doesn't fix the fundamental problems listed above, but it should be possible.
可以创建指纹的单向哈希。您首先必须像处理模糊匹配一样提取一些可观察值。但是,由于您需要与哈希完全匹配,因此您需要在提取的值上抛出错误代码,然后可以纠正每次测量的细微差异。编写代码并不容易,也不能解决上面列出的基本问题,但应该是可能的。
回答by Doug Wolfgram
This is so bogus. Why can't you encrypt a fingerprint? Your master is stored encrypted, you send an encrypted one to the server. The server software un-encrypts both and does the comparison. Simple. Your 'expert' solutions are bogus.
这太假了。为什么不能加密指纹?你的主人是加密存储的,你向服务器发送一个加密的。服务器软件对两者进行解密并进行比较。简单的。您的“专家”解决方案是虚假的。
回答by Cahit
So you want to use a local authentication mechanism to authenticate a remote resource? There are many issues here to suggest this would not be a smart choice. E.g., how does the web app know the hash belongs to the original user and not someone who has a duplicate?
那么您想使用本地身份验证机制来对远程资源进行身份验证吗?这里有很多问题表明这不是一个明智的选择。例如,Web 应用程序如何知道哈希属于原始用户而不是具有重复项的人?
What I would suggest instead is to go the route of banks from several years ago when they had smartcard readers sent to credit card customers. Use the fingerprint scanner to store a local copy of the user's login name, requiring a second form of authentication such as a password.
相反,我建议走几年前银行的路线,当时他们将智能卡读卡器发送给信用卡客户。使用指纹扫描仪存储用户登录名的本地副本,这需要第二种形式的身份验证,例如密码。
回答by Vagabond
why not use face match software for authentication.
为什么不使用人脸匹配软件进行身份验证。