I'm developing an application with Android Studio. The application is for attendance using fingerprints, and I want to be able to register users' fingerprints using a desktop application; the fingerprint will be registered from a physical fingerprint reader, and the encrypted data from it will be stored in a MySQL database. So I want users to use their Android phone with a fingerprint sensor to respond to the attendance. Actually, I don't know if it is possible to compare the encrypted fingerprint from an Android phone with the one coming from the physical fingerprint reader.
What I need is just ideas on encryption or comparison between those two sources of data.
Thank you
From what I can understand, you are trying to develop an application with two ends.
One for the fingerprint enrollment from a desktop application.
One for matching the fingerprint against a probe fingerprint of an individual from an Android device.
See, what you are trying to achieve is nearly impossible, as #Michael clearly stated.
The answer is a bit elaborate. (The boring but detailed stuff)
For the enrollment part, if you are using a physical fingerprint reader, that device will definitely provide you with a fingerprint image along with some ISO templates of the fingerprint, whose name shall be kept unique by you, and its name can be stored in the database. Let's call this ISO the gallery ISO.
For the verification part, there are two approaches.
1:1 fingerprint match (the person first claims to be someone and places his/her fingerprint on a verification device to confirm the claim) and 1:N fingerprint match (the person doesn't tell your verification system who he/she is, but simply places his/her fingerprint on the device and the system searches for a probable fingerprint match).
Android devices store a fingerprint which cannot be accessed by the API; all you can get is either a YES or a NO, i.e. whether the fingerprint is enrolled on the device or not.
You will have to use the same physical scanner connected via USB OTG to the Android device; if the physical scanner provides an SDK that supports Android devices then it's fine, else you cannot just get the same ISO template from any other scanner.
However, there is a standard template and most scanners generate it, like ISO-19794-2/FMR.
The ISO generated at the verification end shall be called the probe ISO.
Your fingerprint scanner's SDK should really provide you with a function like the one below:
long score = CompareISOs(byte[] GalleryISO,byte[] ProbeISO);
The "score" gives out a value which tells you how confident the scanner is that the two ISO templates are the same, and the SDK must also provide you with a threshold, say 800.
So if the score after comparison is greater than 800, you have a match.
This is 1:1 verification.
1:N is a way more hectic task and requires a much more complex SDK, like an ABIS. That I shall leave as a research topic for you.
I hope my answer helps you to some level. I came across this question and decided to reply because you genuinely asked for some ideas. I hope this helps you kick-start your research on fingerprints.
Kudos!
Related
I want a cheap biometric system using any (cheap) Android mobile in which, whoever presses their thumb, my Android code should get an authenticated callback with some unique person code (this is optional though).
But the question is whether we can change the Android settings to allow storing 100-500 people's fingerprints? Usually mobiles only allow up to 5 fingerprints to be stored.
my android code should get authenticated callback with some unique person code
Android does not support this. You only find out whether the user authenticated or not.
whether we can change the Android setting to allow storing of 100-500 people's finger prints?
Android does not support this.
I'm a beginner to Flutter and programming in general.
First, I'd like to know if it's possible to notify the creator of an app or its back-end service that a fingerprint has been deregistered and a new one added.
Note: The objective is not to get fingerprint data but to uniquely identify people in one way or the other. For example, assuming an app would like to manage dormitories that have a closing time of, say, 9 pm and intends to generate a report of everyone present inside by using their device location and a service on a local network that checks location data and asks for a fingerprint authentication, there's every possibility that users could leave their devices with other users and register their fingerprints as well, allowing them to provide authentication and creating inaccurate reports for the dormitory.
Any suggestions for the above situation, please?
There is no support for "detecting de-registration" directly. Even if it were, it would not be useful.
tldr; Access, guarded by a device-secret fingerprint or otherwise, from an arbitrary and uncontrolled device cannot be used to guarantee that the person who 'owns' the device is present. It is the data governance regulations (EULA, company/dorm policy, etc.) and trust in the user to adhere to such, including reporting violations, which allows the device-to-person assertion.
On a mobile device, fingerprint authentication is effectively a per-device secret that can accept any of the registered fingerprints and is used to protect other access/secrets.
Consider:
Fingerprints are not accessible directly by applications and thus cannot be used as "user IDs".
Each device uses a private per-device key to encrypt and store the fingerprint information. This information is not accessible externally nor is it uploaded.
See 'Secure Enclave' for iOS and 'Trusted Execution Environment' for Android.
A person can have multiple fingerprints registered per device. This implies that multiple fingerprints from different people can be added and there is no way to determine the difference. Likewise, a person could register a fingerprint for a different finger on multiple devices.
The encoding of a fingerprint is a "one way" data modeling that accepts the fingerprint as registered. The actual fingerprint data will differ, even before it's securely saved: it is only the application of this model onto the fingerprint pattern being applied that is useful.
Now, if there were a physically controlled device / system ...
An example of a physically controlled system might be the use of fixed terminals controlling single-person entry/exit doors (with security cameras and/or a physical guard) where people can only register a fingerprint in front of a trusted person after appropriate ID verification... how much does it really matter? And what happens when a person climbs through a window?
Having the app take a detailed face / eye scan off a live camera and sending it in to a controlled server for some internal biometric-based verification might be some [draconian] half-way step .. I'd say "No Thanks" ;-)
On iOS, if something is protected by fingerprint or Face ID, the developer can set an option that the data can only be accessed if the set of registered fingerprints/faces is unchanged. So you could send a one-time code that the user puts in their keychain, and if they change the registered fingerprints, it's gone. Now if I registered fingerprints of myself and my three best mates, you can't detect that.
I want to build an Android app in which the attendance of a person can be viewed when the person touches the fingerprint reader. The fingerprint reader would be placed outside every classroom in the college. Is this possible through an Android app? If not possible through fingerprint, then kindly suggest any other alternative through an Android app.
This would not be possible directly using the fingerprint scanner on an Android device, as the fingerprint data is stored securely on the device, and not available to any applications. The Fingerprint Authentication API only provides whether or not a fingerprint registered on the device was touched to the scanner, it does not differentiate between individual fingerprints.
You should be able to use a third-party fingerprint scanner that connects to an Android device and does differentiate between individual fingerprints. A quick search led me to the U.are.U SDK for Android, which seems to provide this functionality for their products.
Another option is to use a third-party mag-stripe card reader (provided the students have an ID card with a mag-stripe) that connects to an Android device; a variety of such readers are available.
I'm trying to add OTP functionality for sign-in in my Android app. I'm using Node.js for the backend. Now, at first I thought about generating random numbers with something like Math.random().
I can easily generate OTPs on my server side and I will store them in my MongoDB datastore, then I'll match them when the user enters the OTP, but now I came across these prebuilt modules for OTP, like this one, Speakeasy: https://www.npmjs.com/package/speakeasy.
There are two types of methods, HOTP/TOTP. I am asking why anyone would use these two and not just random numbers. I mean, what is the use of HOTP/TOTP? If anybody has designed OTP functionality in any app/website, please enlighten me.
UPDATE
What is the general way of OTP authentication on any Android device from the server? I mean, how do apps like Zomato and Airbnb do OTP verification of the user?
These OTPs prove "I am in possession of this device that generates OTPs."
In the broadest sense, it could be a statement involving a device that doesn't even have Internet access. HOTP and TOTP are algorithms that you can use offline. Both the device and the server generate the code independently:
code = f(shared secret, common info)
That shared secret only has to be set up once, e.g. by being baked into a hardware dongle or scanned in a QR code when you set up two-factor authentication. The common info is something that both the server and the dongle can determine each time you log in, e.g. the number of times you've logged in before or the current time and date.
Using an actual random number would require your service to deliver that random number to the device, which, if you're developing for an audience that has smartphones, isn't too wild of an idea. Google's two-factor authentication, for example, supports sending a notification to your phone and you just click a button to allow the login.
One more thing, a practical consideration: using an existing scheme like TOTP makes it easier for anyone trying to reason about how secure the system is. If they already understand TOTP, they can move on to examining other parts of the system you're building.
I need to know how to get the phone UID when read by an NFC reader. The reader has to uniquely identify my phone so that it can be used to open a door.
Do you know if this is possible? I've been looking and have not found how.
In the event that it isn't possible, what do you recommend?
The current Android does not support tag emulation, so I must assume you will be using some kind of P2P protocol when talking to your door. If the phone sees the door as a passive unit, that's the same.
A key insight in your plan is that you should encrypt the communication to your door, and that the encryption key is really what matters. Any unique id you come up with can be faked, no matter where it comes from.
I'd put the encryption key somewhere online in a properly stored file. Then you are also covered once you lose your phone or it just breaks.
My approach would be to make a Google App Engine app which lets you sign in using your Android (email) account; i.e. an app which signs the user in using the built-in Android accounts. Put the encryption key there, possibly behind yet another password.
There are different device specific numbers which you may use.
IMEI = International Mobile Equipment Identifier, a number phones have that is specific to their hardware
Mobile phone number; this depends on your mobile subscription
There is also the ANDROID_ID, which is a unique number for an Android device. However, there appears to be a glitch in V2.2.
See also these articles:
How to find serial number of Android device?
Android Tablet Serial Number (not IMEI/DEVICE_ID/SERIAL)
Device SERIAL NUMBER