Fingerprint Authentication [Introduction]


Fingerprint Authentication

This project uses the fingerprint sensor on Android phones and networking magic to authenticate you to services using your fingerprint!

What's this project?

This project is basically a password manager, storing credentials and keys on your phone (encrypted), and sending them to the required service when needed.
Current Features of the project:

  • Windows Login
  • WebSite login
  • (currently working on) 2FA for website owners

The idea behind this project is to provide a really secure and easy way to authenticate to services. Your fingerprint is easy to use (just touch a sensor) and it's secure, because it's unique to you.
The application consists of 2 main parts: the PC App and the Phone App.

What's inside/behind the scenes

PC Application

The PC App is written in C#, built with .NET Framework 4.6.1.
External Dependencies:

  • BouncyCastle.dll, I need this because the app generates key pairs on the fly
  • QRCoder NuGet package, I need this to generate QR Codes (more on this below)
  • ZKWeb.System.Drawing, this is a dependency of QRCoder

The PC app is the middle man between the phone and the services you authenticate to.
The windows locking service is provided by the PC App.

QR Codes

QR Codes are how the Android app knows which host to connect to on the network. The Android app scans the QR Code, which contains the destination address, port, and the requested resource.

Android Application

This is where you authenticate with your fingerprint and send data to the PC App.
The Android App is written in Java, targeting a minimum Android version of API level 23 (Android 6.0)
and a maximum Android version of API level 26 (Android 8.0).
External Dependencies:

  • com.google.android.gms:play-services-vision:11.8.0, I need this for QR Code recognition; Gradle should download it automatically

It uses other built-in Android APIs including:

  • Camera
  • Key storage/Key generation
  • Shared preferences
  • Fingerprint authenticator

How the protocol works

Warning: this section is a bit technical.
The PC App shows a QR Code on the monitor it was started on. A server is constantly listening for connections in the background on port 9624. The Phone App then scans the QR Code, which has the required data for initiating the connection.
The data is formatted like: IPAddress:Port Number-Requested Resource.
The client then connects to the IP:Port given in the QR Code and sends the Requested Resource string to the server.
Before sending the Requested Resource, a handshake takes place (more on this below).
The server then starts a new session and stores the request string.
The client looks up the requested resource and either:

  1. The resource isn't found, and it returns an error
  2. The resource is found, and it prompts the user to decrypt it with their fingerprint

Then the user can do the following:

  1. Touch the sensor, and let the authentication continue
  2. Cancel the prompt, and abort the authentication

This is the cycle that happens over and over again.
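As an added example (not code from the project), here is a Python parser for the QR payload layout described above, IPAddress:Port Number-Requested Resource, with the validation a client should do before opening a connection. It assumes IPv4 addresses, the IV/port/resource names in the sample payloads are constructed, and the resource is taken as everything after the first dash following the port, so resource names may themselves contain dashes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample payloads in the "IPAddress:Port Number-Requested Resource"
# layout; the address and resource names are made up for this example.
SAMPLE_PAYLOADS = [
    "192.168.1.20:9624-windows-login",
    "192.168.1.20:9624-",          # empty resource
    "192.168.1.20:70000-login",    # port out of range
    "not-an-ip:9624-login",        # host is not an IPv4 address
    "192.168.1.20-login",          # missing ':' before the port
]


@dataclass(frozen=True)
class QrTarget:
    host: str
    port: int
    resource: str


def parse_qr_payload(payload: str) -> QrTarget:
    """Parse "IP:Port-Resource". Splits on the first ':' and then the first
    '-', so the resource part may contain further dashes."""
    host, sep, rest = payload.partition(":")
    if not sep:
        raise ValueError("missing ':' between address and port")
    port_text, sep, resource = rest.partition("-")
    if not sep:
        raise ValueError("missing '-' between port and resource")
    if not resource:
        raise ValueError("empty requested resource")
    try:
        host = str(ipaddress.IPv4Address(host))  # rejects hostnames and garbage
    except ValueError:
        raise ValueError(f"not an IP address: {host!r}") from None
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port: {port_text!r}")
    return QrTarget(host, int(port_text), resource)


def classify_payloads(payloads):
    """Return (payload, QrTarget-or-error-text) pairs so one bad scan
    never aborts the whole batch."""
    out = []
    for p in payloads:
        try:
            out.append((p, parse_qr_payload(p)))
        except ValueError as e:
            out.append((p, f"rejected: {e}"))
    return out
```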

Handshake

Warning: this is more technical than the previous section :)
The server, at its first start, generates a public/private key pair.
When the client connects, the server sends the public key in clear text.
Then 2 things can happen:

  1. This is the first connection, so the client accepts the key and saves it
  2. This isn't the first time, so the client checks the public key against its saved copy
    Then 2 things can happen:
    A) The keys match and the protocol continues
    B) The keys don't match and the client closes the connection

The client then generates a random IV and Key for AES encryption.
Then it concatenates the IV and the Key and encrypts them with the received public key.
Then it sends the encrypted data to the server.
The server then uses the Private Key to decrypt the data and generate the AES Cipher.
From then on, the data sent is encrypted/decrypted with this Cipher.
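As an added example (not the project's own code), here is the client-side trust-on-first-use decision from the handshake above and the IV||Key blob the client encrypts for the server, in Python using only the standard library. It assumes a 16-byte IV and a 32-byte AES key (the post does not state sizes), stores a SHA-256 hash of the server key as the pin, and leaves out the RSA and AES operations themselves. Note that the first connection is accepted blindly, so the pin only protects later connections.

```python
import hashlib
import secrets

# Assumed sizes (the post does not state them): 16-byte AES IV, 32-byte key.
IV_LEN, KEY_LEN = 16, 32


def key_fingerprint(public_key: bytes) -> str:
    """Pin a hash of the server's public key rather than the raw key."""
    return hashlib.sha256(public_key).hexdigest()


def check_server_key(pin_store: dict, server_id: str, public_key: bytes) -> str:
    """Trust-on-first-use decision mirroring the cases above. Returns
    'pinned' (first contact, key saved), 'match' (continue) or
    'mismatch' (client must close the connection)."""
    seen = key_fingerprint(public_key)
    pinned = pin_store.get(server_id)
    if pinned is None:
        pin_store[server_id] = seen      # case 1: first connection, accept and save
        return "pinned"
    if secrets.compare_digest(pinned, seen):
        return "match"                   # case 2A
    return "mismatch"                    # case 2B: never overwrite the pin


def new_session_secret() -> bytes:
    """IV || Key: the blob the client encrypts with the server's public key."""
    return secrets.token_bytes(IV_LEN) + secrets.token_bytes(KEY_LEN)


def split_session_secret(blob: bytes):
    """Server side, after decryption: recover IV and key, rejecting any
    blob that is not exactly IV_LEN + KEY_LEN bytes."""
    if len(blob) != IV_LEN + KEY_LEN:
        raise ValueError(f"bad session secret length {len(blob)}")
    return blob[:IV_LEN], blob[IV_LEN:]


def simulate_handshake(pin_store: dict, server_id: str, public_key: bytes):
    """Client flow: check/pin the key, and only produce a session secret
    when the key was accepted."""
    verdict = check_server_key(pin_store, server_id, public_key)
    if verdict == "mismatch":
        return verdict, None
    return verdict, new_session_secret()
```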

What next?

This project has a big future in my eyes. It's safe, secure and easy to use.
So I want to support this project with as much as I can.
Future Ideas:

  • Password Management
    • It's already on github, but I'm releasing it on Utopian in 1-2 weeks.
    • It will be just like a normal password manager, but with the fingerprint and QR Code element
  • 2Fa or 2 Factor Authentication
    • I think this project has the potential to become a 2Fa framework
    • This isn't on github yet; the first prototype is developed, and I'll release it sometime after the Password Management
  • If everything goes well, and this project gets picked up, we need to make it available
    • For the PC App we'll need Win10 support and to upload it to the Windows Store
    • For the Android App we'll need to upload it to the Google Play Store
  • In case of getting really big, an iPhone app might be needed
    • This is very very far future, but if this project gets picked up, then we'll need to support iOS too!

How to contribute/help

First off, every contribution is welcome, doesn't matter if it's an issue or a PR.
I wrote a great contribution file on both of the project's GitHub pages:

But here's the short version of it:

  • Any security/vulnerability help is welcome
  • Optimizations and new language features are good to have
  • My UI/UX is crap so I badly need UI/UX People, especially logo designers!
  • Testing/Support is a must!
  • Translating is a must to get big!

Summary

This is a fingerprint authenticator project. Based on a Client-Server model.
Implementing cool stuff like: Password Management and 2Fa
Everything is based around touching the fingerprint sensor.
Huge potential (at least I think), needs to support a lot of tech stacks, systems, cultures.
We need to make sure it runs, runs fast, runs secure and is beautiful.
Most importantly this project needs love and support!
Thank you for checking out this project!



Posted on Utopian.io - Rewarding Open Source Contributors