I have an HID card reader which a user will swipe. This will identify the user for traceability purposes. The cards have only a card number which I use to query a time clock db to get their name and employee ID number. THe card reader is a USB one which simply spits out it’s value as the keyboard.
Question is: Is there any way to prevent the user from entering data from the keyboard and only excepting input from the reader? I’m trying to avoid having to maintain any other information like passwords and such. I’m using Windows authentication otherwise and most users/operators do not have accounts. Thanks for any ideas.
The way I built it was a bit of work, and there could have been a simpler method I overlooked.
Issue is my clients were Linux, but perhaps something similar could have been done in Windows with AutoHotkey or something.
Ignition was set to auto log in with a nobody user that had no rights. I wanted the users to be able to login with their username/password, but also via an HID proxcard reader. I wanted the card reader to bypass password authentication, but I also did not the employees just entering their prox card number via keyboard and no password.
I wrote a python service that used the evdev library and captured all proxreader input. When a card was read it would take the chars and perform the following:
Send Ctrl-L as keyboard input (So Ignition would open my custom login box)
Send the proxid number
Send Tab (to move input to pwd field)
Send computed and hashed password
To avoid the users being able to open up a text editor, swipe a card, and capture a hashed password they could reuse, I had to have the password hash change. To do this I appended the current Unix time integer divided by 30 to the card id and a static random string I made up.
On the Ignition side I made up an authentication SQL query that looked up the card id to username relationship, and checked the password. For checking the password I had the WHERE check if the hash that came in was equal to what the hash should be (in other words, I had it perform the same calculation as the python service). I had it check 30 second time blocks around what it calculated in case the clocks were a little off and/or the card was swiped right before the 0 second mark.
As I said before, there very well could have been a much simpler way, but this is all I could come up with to remove the need to enter a password and have it still be (what I hope is) secure.