HOWTO: T42p fingerprint-reader instead of boot passwd's

Message

Master One · #1 Post by **Master One** » Sun Feb 13, 2005 11:24 am

I understand, that it is possible to configure such a machine, so that it asks for a fingerprint authentification on boot.

Where is the data for this stored?

I mean, does this also work, if I remove the WinXP and hidden partition (as I want to install Linux as my only OS)?

Master One · #2 Post by **Master One** » Tue Feb 15, 2005 4:32 am

Ok, got it do exactly as I intended.

For anyone who is interested, as it indeed was a little tricky:

1. Activate the security chip in bios, as well as "fingerprint pre desktop use", set the security option for the fingerprint authentication to "normal".

2. Still in bios: Set the following to identical passwords: supervisor, power-up & hdd-access. If you want it extra save (like me), also enable "passwd after hibernation".

3. Run the IBM Fingerprint Control Center in WinXP, read in the three fingerprint samples for each person (use middle-finger of right hand for more accuracy), who is intended to use that machine. These are stored in the security chip as keys (each person = one key). Activate the use of fingerprint on boot by ticking the shown option.

4. Power down the machine.

5. On next start, you will be asked for the fingerprint. After positiv identification it will ask you for the power-on passwd, which you enter now once (this has to be done once for each person using that machine). As it's identical to the hdd-access passwd, it will automatically use it again.

6. That's it! On next machine start, it will ask you for your fingerprint, and on positive identification, it will automatically fill in the passwords for power-up & hdd-access. If authentication fails, it will ask you to enter the power-up passwd. Fingerprint authentication will also work for accessing the bios, if you enabled the bios-passwd-protection (as this is done by the supervisor passwd, you can prevent users to enter the bios by fingerprint ident, just by setting a different passwd for the supervisor).

The cool thing is, this works now completely independent of the used OS, so now I can wipe WinXP, install my favorit Gentoo Linux, and still use fingerprint authentication.

Zeitgeist · #3 Post by **Zeitgeist** » Tue Feb 15, 2005 6:12 am

Thanks, excellent instructions! Should go to the T42 faqs.

Master One · #4 Post by **Master One** » Wed Feb 16, 2005 7:51 am

Hm, could not find any faq section on this forum, so I just edited the subject of this topic to be more accurate.

#5 Post by **JaneL** » Wed Feb 16, 2005 9:46 pm

>Hm, could not find any faq section on this forum, so I just edited the subject of this topic to be more accurate.
>

It's cleverly hidden in the first section and is called "READ ME FIRST FAQ then post".

Leon · #6 Post by **Leon** » Wed Feb 16, 2005 9:56 pm

you're evil nonny, but I like it!

#7 Post by **JaneL** » Wed Feb 16, 2005 9:57 pm

davidspalding · #8 Post by **davidspalding** » Tue Jan 24, 2006 9:59 am

Others have asked, so I thought I'd append it here.

The current version of the Fingerprint software offers the option to login to Windows using the power-password/fingerprint authentication. If you want to hide the "Ctrl + Alt + Del" prompt, and have only the fingerprint prompt to appear as the sign-on prompt, you can find the setting here:

Run the Fingerprint Software ... Settings ... Logon Settings ... "Do not show CTRL + ALT + DEL hints in log-on screens."

This can be very handy if you log out of your session, then hibernate, and have "password required on resume" enabled in the laptop power settings.

#9 Post by **RonS** » Tue Jan 24, 2006 12:40 pm

The security you get with the BIOS password/fingerprint is better than that with the Windows password/fingerprint.

When you use the BIOS password and/or fingerprint to assign a hard disk password, the hard drive is locked down until authenticated. If someone takes the HDD out of your thinkpad and puts it in another computer, it won't work. It's very hard to bypass this security. With a Windows password, it's no problem to mount the HDD on another computer and read it as an extra drive.

Also - you don't have to set up a supervisor password for this to work. All you need is power-up and HDD access.

icantux · #10 Post by **icantux** » Tue Jan 24, 2006 1:14 pm

Is the fingerprint info then stored in the BIOS or some hidden partition on the HDD? Lord forbid anything from happening to the fingerprint reader and you forget your password...

davidspalding · #11 Post by **davidspalding** » Tue Jan 24, 2006 4:21 pm

As I'm sure has been said many times, when you apply BIOS passwords of any kind, particularly with HDD passwords, you need to write it down and keep it very, very secure. Minimum of a fire-box in the home or office, ideally in a safe deposit box or secure off-site escrow location.

You just don't want to be in the situation of someone who recently set one, locked down his HDD ... then a day or two later couldn't remember it.

rssb · #12 Post by **rssb** » Thu Jan 26, 2006 1:15 pm

Is there any hope of adding power-on password security via external usb fingerprint scanner in future bios releases for T4x series.

The thinkcentre desktops seem to support this already, looks like the usb driver/support for the FP scanner needs to be added in the bios.

HOWTO: T42p fingerprint-reader instead of boot passwd's

HOWTO: T42p fingerprint-reader instead of boot passwd's

Who is online