21

For example, I have a web site with authentication. Is there any fingerprint API that can be used from JavaScript to log in users? Mobile OSs like Android and iOS have such an API. So at least the mobile versions of browsers can, in theory, provide such functionality. But I can't find any information on the web about it.

Vladimir Liubimov
  • You cannot use the raw data of a scanned fingerprint from the mobile's fingerprint scanner. It is stored in hardware memory and is not accessible for extraction and storage. You can only use the fingerprint scanner to authenticate the user against previously stored fingerprint data. – Mohamed Sa'ed Jan 22 '18 at 12:15

3 Answers

6

Chrome 70 Beta, announced September 13, 2018, introduced web authentication.

Also enabled by default are macOS's TouchID and Android's fingerprint sensor via Web Authentication. These allow developers to access biometric authenticators through the Credential Management API's PublicKeyCredential type.

Pat Needham
3

It is something that is being looked into. Currently, there is basic support in Firefox and Chrome: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

rik.vanmechelen
1

I'm gonna guess they don't want websites to have access to the fingerprint and iris scanners because they could potentially be used to steal people's identities in a much worse way than just a stolen password (you can change a password but your fingerprint and iris are pretty much unchangeable).

Whenever you start looking for this type of functionality and can't find it, ask yourself what possible malicious stuff can be done with it and you'll probably be able to guess why it isn't available.

Simon Hyll
  • What I was thinking about is to protect the user's cookies. For example, when a user logs on to my website using his device for the first time, the website tells the browser that some cookies must be protected by fingerprint checking. Now every time the user tries to log in on the website, the browser pops up a fingerprint confirmation dialog. The fingerprint is checked by the device itself. And if it fails, the cookie will not be passed. The website can only check the presence of the cookie, and has no access to fingerprint data. – Vladimir Liubimov Jan 31 '18 at 07:00
  • I understand you probably don't intend to use it maliciously, but when "they" plan new features for browsers they have to consider the worst case scenarios. If all people were good we'd all have admin rights to everyone's computers all the time. Since not everyone is good they have to consider the worst way a feature can be used, and this feature could potentially be very hazardous. I don't think you'd do something bad with it, I'm just saying that's probably the line of thinking the "higher ups" have regarding this type of feature. – Simon Hyll Feb 03 '18 at 01:14
  • Also, that kind of usage of such a feature wouldn't make your site any more secure since it's still only creating and verifying the cookie on the user's end. Encrypting cookies is something you can do already; using a fingerprint is just one extra variable in the encryption process. Look into moving more and more of the verification to the server's end; anything that's on the client side can be faked and isn't considered secure pretty much ever. Fingerprinting wouldn't make your site more secure, it would just make the user think it's more secure. – Simon Hyll Feb 03 '18 at 01:19