Howdy - Face authentication for Linux

Markus Kolb -

A few days ago I've added a little bit of OpenCV-based Artificial Intelligence to my Linux laptop.
I've been wondering about the password prompt and ever and ever typing in this password after resume from sleep. But auto-login without password doesn't seem to be a good idea for a laptop.
So there is this small web cam above the display and I've found the Howdy-project which provides a plugin for the PAM-framework of Linux. At the moment there is only a Python version, but it is quite performant and works.
Howdy detects users' faces in front of their computer with the help of a webcam and log them in without password.

Well, on OpenSUSE not just out of the box.

There is a link to OpenSUSE wiki which points to this OBS RPM repository.
But these packages doesn't work at the moment of writing this in my environment. The python-dlib version is outdated and there are some other bugs in packaging.
So I've fixed this in my repository branch.
My branch would be merged to dmafanasyev with requests 903870 and 903869.

Because you could also install python-dlib with pip3 the python3-dlib RPM is only a recommendation. But the RPM is comfortable.

Installation

Now you can install the 2 fixed RPMs with your package manager.

It will provide the howdy command line tool and the PAM plugin.

Permissions

The users in need for video/face auth have to be allowed to access the webcam device. This should be done with adding them to the Unix group video (if not already done).

sudo config (default variant)

Also by default howdy needs sudo permission to run it as root by the user.

This could be done with the line
%wheel ALL=(root) NOPASSWD: /usr/bin/howdy *
in /etc/sudoers.

With this example the user needs to be also in the wheel group.

pkexec script (alternative variant)

#!/bin/sh
export PATH="/usr/bin:/bin"

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY howdy "$@"
exit $?

Configuration of howdy

The config is in /usr/lib64/security/howdy/config.ini.
The following settings I've changed from the default values:

# Print that face detection is being attempted
detection_notice = false

# Do not print anything when a face verification succeeds
no_confirmation = true

These two settings make problems with the xfce4-screensaver locking if you use it with defaults.

And of course set the

# The path of the device to capture frames from
# Should be set automatically by an installer if your distro has one
device_path = /dev/video0

for your device.

Test your setup

Now run howdy test or your pkexec script.

A small window should pop up and your webcam should be activated and its view should be shown in the window. A red circle is going around detected faces.

Howdy Test window example

Detect your own user face

Enter the command howdy add and follow the description on screen to add some recording data of your face to a local database /usr/lib64/security/howdy/models/$USER.dat.
I've also created a symbolic link root.dat -> $USER.dat on my laptop.

Some traps of face recognition

It is good practice to repeat the howdy add at least 5-10 times for each situation.

In situations I understand...

  • With/without glasses
  • Different spatial environments
  • Different day time/light situations
  • Different makeup, stylings

If the beard is shaved you'll need your password and howdy add your new look. ;-)

I've now around 25 face models added for my user. The list can be shown with howdy list. (Help with howdy --help)
It is recognizing my face about 90% at the first try, and for sure I'll need to add some more records to be always faster then with my password.

Last steps

You are not yet finished with your setup...

PAM configuration

You should prefer to add this face recognition authentication to a bunch of auth variants where it makes mostly sense.

I've choosen (which depends a little bit on your graphical environment)...

/etc/pam.d/gnomesu-pam
/etc/pam.d/polkit-1
/etc/pam.d/sudo
/etc/pam.d/sudo-i
/etc/pam.d/xdm
/etc/pam.d/xfce4-screensaver

Just add the line

auth     sufficient     pam_python.so      /usr/lib64/security/howdy/pam.py

as first entry to your PAM config files.

Disable passwordless sudo afterwards

As now we have setup a fast option to authenticate your sudo commands with your face, you can disable the often used passwordless sudo config.

So remove the NOPASSWD from your line in /etc/sudoers like

%wheel ALL=(ALL) NOPASSWD ALL

will become

%wheel ALL=(ALL) ALL

Fallback option

The fallback option is happening out of the box.
If your face is not recognized as a valid user, your login is enabled to enter a password or for your other configured PAM methods.

Résumé

Howdy provides a nice modernisation for your Linux desktop.
If you are in need of top safe, hack proof box you should go the way with hardware cryptographic tokens or stay at least with secure passwords.

For the normal day to day Linux user it is a more than welcome diversion.