User Verification for WebAuthN
While working on FIDO2 Authenticator device I came into an interesting problem - User Verification. At the moment it is implemented really simple - just a button connected to the IO0 port. However, anybody is able to push this button and therefore authenticate with the device. Then I came to the idea of adding some biometric authentication for the user.
I have ordered two fingerprint sensor modules capable to perform the user validation.
The first one is the GROW R300:
The second one is the FPC1020:
Both modules operate at 5V, have UART interface to communicate and their price including delivery is around 12€. Modules have STM32 MCUs on board to implement all required operations from storing fingerprint data to authenticate users.
What I like about these modules is that it’s relatively easy to add user verification procedure to my project. What I dislike is that simple Arduino based sketch can simulate a fingerprint scanner like this and become an easy way to hacking the security of the device - one can just replace the scanner module with this Arduino device.
However, the R300 module seems to provide a way to transfer the scanned finger image to the MCU. It closes the security issue, but means need of writing own fingerprint recognition and matching algorithm. But then I do not need the MCU located at the module itself, all I need is the actual fingerprint scanner to scan and process images.
So, at the moment my plan is - try to implement fingerprint scanning with the R300 module and try to find algorithms for authentication and validation. If I succeed I plan to desolder fingerprint scanner from the module board and try to communicate it directly, without MCU in between.