Fingerprint and card readers with Firefox

Some laptops, such as from HP, come with fingerprint reader options. I have never seen this in action, but as I understand it, you can swipe your finger and it will automatically fill in any password field for you.

On the web, this means the fingerprint reader must look through the page for password fields. HP apparently reuses something from Bioscrypt, called Verisoft, which was purchased from Cognizance. It actually reuses the accessibility API on Windows to look for password fields. Specifically, it must go through the MSAA tree looking for objects of ROLE_TEXT with STATE_PROTECTED.

Believe it or not, I learned this by investigating a mysterious crash. Since crash-stats isn’t handling most of my queries, it’s been difficult. But, by looking at Modules, I noticed that a foreign DLL called APSHook.dll was always present. Some Google searches led me to Spyware sites describing which company is responsible for what DLL. The maker was Cognizance Security. Errors in their site led me to suspect they were a dead company, and but I was able to finally find an article about them being purchased by Bioscrypt. Further searches for Firefox APSHook reveals people having all sorts of problems with sluggishness, lock ups, stack overflows, extra memory usage etc.

I don’t know why the crash occurs yet, perhaps they don’t do an AddRef() where they need to, or perhaps we’re broken somewhere. Apparently the feature used to work in Firefox 2, although not officially supported by Verisoft.

I called Bioscrypt support and they told me that Firefox isn’t supported (which doesn’t stop them from injecting a DLL that makes us crash). They promised to forward my email to the developers, so I’ve sent them the information. I’m not holding my breath, but well see what happens. I’m sure HP is interested in letting their users enjoy Firefox 3. HP users who purchase the fingerprint reading option can’t use it with reliably with Firefox 3. In general, web searches for Verisoft Firefox reveal that many users are frustrated about incompatibility with Firefox 3.

In the meantime, isn’t there generally a better way to support fingerprint readers and other single sign on products, than to use MSAA? It’s not cross-platform, and it doesn’t integrate with Firefox’s password management. Also, the Firefox accessibility support does take some memory and slow things down, because it needs to create a lot of objects and event listeners in order to function. That is why it is turned on only when needed. Using that for password management is overkill. There must be a better way. If you’re interested, please see the fairly old ignored bug on integration with fingerprint readers. It has a few dupes and votes, but not enough to get it noticed.

For my part, I’m just interested in fixing the crash. Looking around the web though, there are a number of users torn between Firefox 3 and their fingerprint readers. It would be good if someone took an interest.

Advertisements

4 Responses to Fingerprint and card readers with Firefox

  1. Ritchie says:

    There are other products like Upek that attaches to a USB port, but I’m not sure about a dev. API !

    You can find them at http://www.upek.com !

  2. David Bolter says:

    Wow, great detective work Aaron! Thanks for sharing.

  3. Mook says:

    Unfortunately, MSAA is the (AFAIK) only stable API Mozilla has to interact with other applications, probably because it’s not a Mozilla interface. The alternative would have been to write an extension and communicate via TCP/IP or similar (but that would have required updating for every release).

    • aaronlev says:

      Mook, Mozilla is often a driver for standards or pseudo-standards. The alternative is really to come up with an appropriate API and share it among browser vendors.

%d bloggers like this: