I’m making a web application and would like to have a secure area where you can only sign in with your fingerprint. My original idea was to just use a USB barcode reader and you scan that, and it outputs the ID into a text box, but that’s not very secure. So I want to use a USB fingerprint reader to maybe generate a hash for each person and store that in a text box instead. Which then will check that against a database with everyone’s hash value. Does anyone know if there is a fingerprint reader out there that can do this, or of a way I can easily integrate a reader into a website?
EDIT:
The idea for this website is that it’s like a login system (sort of like how you can clock in and out if you get paid hourly). The idea is that no one can sign someone else in and out. If you just use a password, then someone can just tell their friend the password, who can type it in. That’s why I thought of a fingerprint, or something similar… I’m open to other suggestions.
Also, I’m using PHP
EDIT 2: The basic idea is I have to come up with a way to prove someone was there by checking in. I don’t want to use passwords, because then someone can just tell someone else their password to type in. Any other suggestions? It doesn’t have to be fingerprints.
You can’t do what you want, exactly.
Fingerprints never exactly match. Even if you scan your own right index finger twice in a row, the scans won’t be the same. So “hashing the fingerprint” won’t work – two hashes of the same finger would be indistinguishable from two hashes of two different fingers (with a good, cryptographically strong hash).
Fingerprint readers work by storing some key onboard, and letting that key out if and only if the fingerprint given is close enough to what they expect. The fingerprint itself is not used to get direct access to anything outside the reader.
Sending the fingerprint as seen by the reader over the network is not acceptable – people are nervous about giving their prints to police. You think they’ll be OK giving them to you?
Also not acceptable is having the reader say “finger 2 is OK”. This could be easily spoofed.
Instead, have your user use X.509 (SSL) client certificates to access your site. They may, if they wish, control access to their private key via the fingerprint reader.
EDIT: updating this answer. There is, now in the year 2014, a standard from the FIDO Alliance called “UAF” which allows sites to use fingerprint authentication in a way that works across different sites. Rumor has it PayPal is going to begin using it soon.
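An added example, not part of the original answer: it shows why storing a hash of a scan cannot work while a tolerance-based comparison (the kind of "close enough" decision a reader makes on board) can. The minutiae lists, the tolerances and the 0.8 threshold are constructed assumptions, and the matcher is a simplified stand-in that skips the alignment step real matchers need.

```python
import hashlib

# Constructed sample scans: each minutia is (x, y, ridge angle in degrees).
ENROLLED = [(12, 40, 90), (55, 18, 135), (73, 66, 30), (31, 82, 270), (90, 45, 180)]
RESCAN_SAME_FINGER = [(13, 40, 91), (54, 19, 135), (73, 65, 31), (31, 83, 268), (90, 45, 181)]
OTHER_FINGER = [(20, 11, 10), (64, 70, 200), (8, 59, 315), (47, 33, 95), (85, 88, 240)]


def scan_hash(scan):
    """SHA-256 over a canonical encoding of the scan (the 'hash the fingerprint' idea)."""
    return hashlib.sha256(repr(sorted(scan)).encode()).hexdigest()


def differing_bit_fraction(hex_a, hex_b):
    """Fraction of the 256 digest bits that differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1") / 256


def matched_minutiae(template, scan, pos_tol=3, angle_tol=10):
    """Count template minutiae that have an unused scan minutia within tolerance."""
    used = set()
    for tx, ty, ta in template:
        for i, (sx, sy, sa) in enumerate(scan):
            d_angle = abs(ta - sa) % 360
            d_angle = min(d_angle, 360 - d_angle)  # angles wrap around at 360
            if (i not in used and abs(tx - sx) <= pos_tol
                    and abs(ty - sy) <= pos_tol and d_angle <= angle_tol):
                used.add(i)
                break
    return len(used)


def is_match(template, scan, threshold=0.8):
    """'Close enough' decision: share of template minutiae found in the scan."""
    return matched_minutiae(template, scan) / len(template) >= threshold


if __name__ == "__main__":
    h_enrolled = scan_hash(ENROLLED)
    for name, scan in [("same finger", RESCAN_SAME_FINGER), ("other finger", OTHER_FINGER)]:
        print(name,
              "| hashes equal:", scan_hash(scan) == h_enrolled,
              "| digest bits differing: %.2f" % differing_bit_fraction(h_enrolled, scan_hash(scan)),
              "| fuzzy match:", is_match(ENROLLED, scan))
```

The rescan of the same finger differs from the enrolled digest in about as many bits as the unrelated finger does, so a database of hashes cannot tell the two cases apart; only the tolerance comparison on the raw features can.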