Please look within Debian/Gnome for the possibility to include a fingerprint reader as an option for Librem products. Is it feasible? What hardware requirements do we have to include for v4? How difficult will it be to maintain going forward? Any information or opinion that you can provide would be beneficial.
Description
Event Timeline
As promised, I did a bit of research into these. The general consensus is that fingerprint readers are essentially insecure devices that give a false sense of security.
There has been quite a bit of research by named Starbug (of CCC.de) and they outlined in two very good talks how to fake pretty much all the readers on the market for a few dollars:
http://www.ccc.de/updates/2007/umsonst-im-supermarkt?language=en
ftp://ftp.ccc.de/pub/documentation/Fingerabdruck_Hack/fingerabdruck.mpg?language=en (tutorial)
So, I think it would *look* good but I don't think we should be in this security theater business.
Thoughts? :)
What we need to determine is if it is "doable" under Gnome/Debian with a reasonable level of security on par with iOS, Android and Windows (as examples).
You raise excellent points which also line up with TSA/Law enforcement rules regarding unlocking a device with biometrics vs. a pin or password. In short, enforcement can theoretically "force" you to unlock a device with biometrics but not with a password or pin. Also of importance and in relation to this issue is if it can be turned off in settings to revert back to a pin/password. In essence, to make it optional. Those that don't which to use biometrics can disable it and those that want them can enable it.
I see both sides of the argument and would like us to be able to offer the option.
I'd also ask that this be moved from "wish list" to a higher level or priority as we are revising the v4 laptops and nearing the hardware stage for the Librem 5. I need this information gathered and decided upon soon or we'll have to punt this consideration to the next revisions.
Jumping somewhat to a reasoned conclusion, given that the security for the most-common devices in/around the free software ecosystem (ie. Thinkpads) do not provide much security there has been a correspeonding lack of activity and effort put into the software.
Therefore, even if we managed to find an amazing hardware device and integrated it with a hypothetical Librem V4 there would simply be weak-to-terrible integration into the PureOS desktop requiring non-trivial dedication and time to write such integration that would — given the lack of devices mentioned above — would (and could) not be adopted across the free software ecosystem.