Biometric Authentication For SharePoint


So, I am currently shifting jobs (I am going to be at Shaw AFB as opposed to Eglin doing a SharePoint project for CENTAF) and I had some time to investigate using biometrics with SharePoint. I don’t have any fancy biometric reader, the only thing I have was left over from a past .NET integration project made by Precise Biometrics (the Precise 100 XS model). It looks expensive, and to be honest I have no clue how much it is worth. I was a little freaked out because I have spilled coffee on it like 16 times, but it looks like it still works enough.

Because this is the only device I have available, what will be introduced during the duration of this post should work with anything that adheres to the Precise BioMatch™criterion. The same paradigm could be applied to other Biometrics, but the Precise Biometrics was the only API that was applicable to my current experiment.

I am not a biometrics expert. So don’t expect any revelations to come from this post or from the provided code. I was just playing around on a Wednesday afternoon with something I thought would be interesting, it’s only a proof of concept (please keep this in mind). There are plenty of university and professional security research labs that can give you more detailed information about the concept of biometrics that are most likely more sophisticated. The explanations placed in this post were recalled from a security class in college, so are not exceptionally stunning or provide granular insight. It is just always something that I found interesting, and wanted to build a tangible use case for in my little lab. It works for building biometric SharePoint authentication solutions, and that was really I wanted to achieve.

So, let’s get started…

The most secure way to authenticate to any principal to a mapped resource can generally be considered to be a tangible object that no one can replicate, although this concept is near impossible to construct and maintain. The concept of biometrics affords us a step toward this verification feasibility (well, some mechanisms of biometrics do). Biometrics, and its related studies, really does uniquely bind a subject to a specific resource IMHO (you can think of biometrics as kind of binding the physical to the digital). Authentication to critical business data is something that SharePoint provides, and the mechanisms in place for this should be as strong as possible, right? Why aren’t we using biometrics then? Because a biometric implementation can get frickin complicated! Not to mention, unless there is an existing Biometric Security Infrastructure (BSI), the cost threshold for implementation can be substantial depending on the biometric scheme used. But that’s why I have developed BioPoint – The Biometrics for SharePoint (and .NET 2.0) SDK. The SDK is written in completely managed code (C#) contains no ActiveX or any of that crap. You can simply integrate it into a custom application for authentication reads (as you will see at the end I am doing with SharePoint), or integrate it into pre-existing business application for biometric authentication.

Biometrics, as opposed to other strong authentication types (I consider strong authentication types as things like physical tokens), such as SmartCards, are generally a much improved mechanism because SmartCards are generally lost, stolen, or destroyed (I have accidentally flushed one down the toilet, then tried to plunger it out, I didn’t retrieve what I wanted). Physical tokens are subject to loss, use by unauthorized parties, or any number of other scenarios. Although they are stronger than knowledge type authentication, which uses something like a passphrase, they are still subject to several misc. actions happening against the token. Because biometrics just natively exists on the principal (which is just another word for a user, which comes up in the SDK as well for several delegates and method names), they can’t be lost, and exceptionally difficult to fabricate (depending on whether they are physiological or behavioral as you will see shortly).

So let’s talk a little bit more about biometrics so we can get a better idea of how we can use this, and get an idea of the overall study of biometrics. At the end of this post you can download the SDK and use it for whatever you want (Well, within the realm of a fingerprint reader for .NET using a Precise Biometrics reading device).

Biometrics, besides being expensive, are easily the most walled defensive barrier that can be placed in front of business systems that contain sensitive data. They are especially prevalent in thin client environments (such as those with SELinux using a TCS operating system or the same type of ware) where there is little authentication possibilities, due to emphasis on software de-bloating. Although biometrics for most people immediately sparks the idea of a James Bond movie where he puts his hand on some scanner that reads his palm print and gets access to the nuclear missile saving the world, the concept of biometrics obviously goes a little deeper.

The entire field of biometrics instead abstracts a human (principal) as an object, and thus allows the definition of all the properties that human can contain through the mapping of their traits, or traits that could be considered human. This implies that biometrics can also encompass the field of human behavioral criteria, since this would be considered a human trait. I am not talking about how many times a person twitches or some crap like that, but rather tangible traits like how a person types on a computer. This is often referred to as behaviometrics, which is often considered a split, segregated study of biometrics as some specialize solely in this. Because of these split differences, it is easy to segregate and analyze the differences between the two, which provides better insight into both fields of study.

Traditional bioinformatics would include studies such as hand geometry which will analyze and define a user by the overall shape and structure of their hand. Because a hand is somewhat unique and the dimensions of its geometry rather empirically measurable, it is easy to store these parameters on file for an argument comparison for later authentication mechanisms (it actually uses a device called a hand geometric scanner, very easy to remember!). Hand geometry is generally one of the neatest fields of biometrics to study because it demands that multiple segments of the hand be analyzed. But why measure the whole hand when a fingerprint is unique? And, hey, what a minute, can’t people’s hand dimensions be the same? That is true; the geometric dimensions of a hand can certainly be the same, in fact it wouldn’t be that abnormal. However, there are two reasons why people choose hand geometry. The first is that it is not very intrusive toward a user privacy because it does exist at this level of non-specification, and the data collected is rudimentary and generally easy on storage since it is so quantifiable and allows for easy casting. Secondly, just because you are using hand geometry doesn’t mean that you are limited to use the overall geometric proportions as the sole parameter for the authentication matching. Rather, hand geometry could be used in combination with fingerprinting (which is generally good because fingerprint scanning usually requires frictional skin to be present, so there is fallback). Moreover, you can take so many quantifiable dimensions from a person’s hand since there is a load of empirical data that can be collected.

Unfortunately, I will admit that hand geometry does kind of play into James Bond movies, because the study does not take into account whether the tissue is currently is living or not. Therefore, fake hands can be used, or cutting off another person’s hand (I don’t remember what movie it was, but it was the one with Halley Barry with a great red suit on, meeeeeoowwwwww). I would go with the fake hand!

Regardless of whether you know it or not, you also see biometric data being used on TV shows all the time like CSI, where they rely on Forensic DNA analysis.

With Behaviometrics, we are looking at something completely different than something such as hand geometry. Although the term sounds pretty fancy, we are used to seeing the most prevalent behaviometrics example every day, a user signature. Because a signature is not something that is predefined based on genetics and inherited attributes that are unique to a user, but rather can be related to a behavioral pattern, it is considered to exist in the field of behaviometrics.

The most recognizable, as well as the one that we see in the movies the most, is voice patterning (a combination of Voice Recognition [ which involves pitches and tones, blah blah blah) and Pattern Recognition). Voice recognition is pretty interesting because it involves using several facets of a person such as rhythm of their vocal cords and the concavity of their mouth which results in the ending sound that is passed into the conditional decision hardware / software. Usually voice recognition is accomplished through the creation of a voice template that gathers its arguments from a subject’s vocal tract. In order to deal with variations, the subject is generally required to repeat statements several times, which are merged into the end template. This template is then used for subsequent matching for access attempts by the principals to subsequent resources.

The one that this post is going to focus in is probably the simplest and most common biometric system that is commercial use today, an automatic fingerprint identification system (AFIS). This is just fingerprinting, but I prefer to call it AFIS because it makes me sound smarter.

I chose this route because I have no other hardware to facilitate something like a hand or iris scan, don’t feel like buying one, although it would be interesting to study and program against an API if I had or could afford one. I can’t imagine how much it would cost though.

Fingerprinting is generally the most matured technique and has been around for a well. Although everyone reading this probably knows what the concept of fingerprinting is, it is basically taking the ridges (also known as friction ridges, these have sweat glands as well), furrows, and minutiae points (kinda just like characteristics) as parameters. Friction ridges are an important part of fingerprinting because they are genetically defined.

Beyond all this crap, instead of doing traditional WebPart development which tends to be cyclic and dull as hell, we get to feel like we are developing a SharePoint instance for a James Bond!

The first thing is what you are going to be developing if going to be a WinForms application that will make a call from the login.aspx page, kinda like how CardSpace invokes the identity selector in order to select an InfoCard. I don’t know how the CardSpace identity selector captures and paints a private desktop, but once I do figure it out I plan on adding it to the API as a callable event (if you know how to do this extreme type of modal mode please contact me).

In order to authenticate the user with a fingerprint to SharePoint, there are several objects that have to be taken into consideration. The first is to detect whether the fingerprinting is currently active and to define the time that the reader should query to determine whether a fingerprint is currently on the reader and Defining the status of the reader, whether it is reading or whatever. The next are a set of ratios. Ratio-wise we have to detect the ratio of the quality of the fingerprint snapshot and the ratio that the match should be heightened to (kinda like the quality standard). This will play into the computations since it will affect false accept rate (FAR), false reject rate (FRR), and equal error rate (EER). Lastly, for pattern matching we have to acquire the last fingerprint template that has been presented on the reader. Nothing real fancy. The methods are really simple that are included; you either start or stop the scanning, and then do the template comparison for the entered data.

So, what the hell can I do with this SDK? (this should probably be your first question) My main purpose in starting it with this experiment this morning was to get it to authenticate my fingerprint after a mapped template match to SharePoint, so that as opposed to using a username and password, my provider for CardSpace and SharePoint, whatever other mechanism, I could instead I stick my finger on my reader and I would be redirected to and authenticated to the portal while maintaining all the associated provider bindings, such as those for a custom role provider I was using.

The first thing that I had to accomplish was done through querying some hardcoded values in an XML .config that are read from the WinForms Smart Client. Since I am still working on the invocation of the client from the SharePoint environment , I hard-coded the relevant site and web objects in the related client code for the web response and passing of the authentication credentials. Although this isn’t generic enough to be considered an elegant practice and certainly not acceptable for enterprise coding standards, I plan on fixing this in the future, I am currently planning on how to handle that. These values will be used to open and map the appropriate authenticate to my relevant SharePoint instance that I am using for testing.

Opening of the SharePoint configuration elements from local XML file for relevant object reference

Once the configuration file has been queried and the relevant values have been passed into the custom code that taps into the BioPoint SDK, the appropriate methods are called in order to commence the appropriate readings through the Precise Biometrics API and some custom code. Once this method is started, I can place my finger in the reader, and I see that my finger is read! (obviously, I didn’t want my fingerprint being on available on the internet, so the actual picture below is distorted)

Finger being read (distorted to protect my privacy)

Within the code for this test application, I have a custom event written that will call a delegate to open the relevant SharePoint site, passed pattern matching as provided with the SDK, with my login, and the SharePoint instance opened successfully. Any other authentication tie in that you have, such as role provider, should be maintained just fine.

Opening my SharePoint Site (which results in the WinForms client being shut down just using a this.Close())

Then, once you get the client developed you can deploy it however you want be it ClickOnce or whatever. I used QSetup Composer to create my setup package, because I am just used to it. Obviously, you could use the inherent Visual Studio setup project to do the same thing, but I like QSetup. Either way, until there is a way to invoke the client directly from the page in a similar fashion to how CardSpace does it, you have to make an easy to use mechanisms that your users can understand.Opening the WinForms Smart Client authentication module

In regards to building something similar, I am just using the standard SDK to accomplish all of this, and you can too!
The first thing that you have to do is establish a reference to the BioPoint SDK assembly buenz.BioPoint.SDK to get access to the BioPoint code, and then set up your using statement:

using buenz.BioPoint.SDK;

In regards to the fields that have to be setup, the most important one is obviously the BioPoint field.

private BioPoint bioPoint;
private short incrementalFlag;
private byte[] fingerprintTemplateData;
private PictureBox fingerPrintDisplay;

You are also going to use a PictureBox in order to display the captured fingerprint image. I can use the incremental test numeric in order to build the relevant step tests in order to determine what step the user is at within the fingerprinting application. Using the incremental test field, you can just set up a simple switch case to display messages to the user based on whatever step they are in within the wired handlers, something like if the principal hasn’t put their finger in the reader yet:

this.incrementalFlag = 0;

We will see its use a little more when we get to the template comparisons. Within your constructor, you are going to want to set the flag to 0, this.incremetalFlag = 0;, because you are at the first step!

I am going to decorate the BioPoint and PictureBox with AccessedThroughPropertyAttribute so I can specify the name of the property that accesses the attributed field.

private BioPoint bioPoint;
private PictureBox fingerprintBox;

Then I am going to set up all the property values within InitializeComponenet.

private void InitializeComponent()
this.bioPoint = new Buenz.BioPoint.SDK.BioPoint();
this.bioPoint.Quality = 127;
this.bioPoint.fingerprintMatchingControl = 1;
this.bioPoint.fingerprintReaderEnabled = true;
this.bioPoint. fingerprintTimerControl = 1500;

The most important thing (this can be truncated to reduce code bloat, however I am demonstrating this property as much as possible with extended get or set accessors) is to setup the BioPoint object properties.

When decorating the set accessor for the bioPoint object properties, I am going to setup my relevant event handlers.

+= new BioPoint.principalOutEventHandler(this.bioPoint_PrinicpalNotDetected);
+= new BioPoint.principalInEventHandler(this.bioPoint_PrinicpalDetected);
+= new BioPoint.errorOccuredEventHandler(this.bioPoint_ErrorsDetected);

I am initializing my new fingerprint object, and set its properties. In this case, I am setting the quality of the capture to the highest value, setting the time milliseconds at 1500, and setting the MatchingControl to the highest level.

Then you can start to script the relevant methods that were wired in the properties. The first thing that you have to do is setup the fingerprint template in order for the comparison operator to function. This should be done with a switch/case, which I have truncated out for readability purposes. You can see that we are using the incrementalFlag integer in order to control the code execution flow.

private void bioPoint_PrinicpalDetected ()
this.fingerprintTemplateData = bioPoint.fingerprintTemplateParams;
this.incrementalFlag = 1;

Then, we have to actually do the comparison and then do something with it, which can use the verifyFingerprint method out of the BioPoint SDK which will take the template as a parameter for the comparison too occur.

if (! BioPoint.verifyFingerPrint(this.fingerprintTemplateData))

Then you can branch to whatever display that you want based on the execution of this.

You can download BioPoint SDK here, and the API documentation is available here. If you do anything with it, please let me know. I would be interested in what applications that you use it for. As well, if you have any suggestions for how to improve the SDK, let me know so I can make it better. I have mentioned some of the things that I will improve in it in the future, and obviously a point of contention would be to make it more agnostic, so send me the fingerprint readers that you use at your organization so I know where to go from here!

Like I said, just for fun, so have fun with it! As with all the freeware for SharePoint I release, I am always open for comments and suggestions on this topic.