07-18-2011 08:22 AM - last edited on 12-09-2016 10:09 AM by Amy_PI_Lenovo
I want to ask if I do something wrong, or how to solve this problem.
I have W520, with SSD in the main bay and HDD in ultrabay.
I have set supervisor, power-on, hdd1 and hdd2 passwords. Also windows password.
I have enrolled 4 fingerprints.
I set in the fingerprint software that passwords are filled via one fingerprint.
When I powered on the computer, I enrolled a finger, Lenovo said "accepted" and I had to put in all power-on, hdd1 and hdd2 passwords manually. Since then it worked the next time as it should, automatically. Since I have 4 fingerprints, I had to do this process for each finger, so 4 times, but I got it working.
But I am unable to do this on my external Lenovo reader when docked. It always says "accepted" during boot, and then I have to write them manually. This is EXTREMELY annoying, because when docked, the USB keyboard doesn't work either, and I have to go to my machine, open it, input 3 long passwords, and then close the lid fast.
Can you please help me, what to do? Where and how are fingerprints stored? I also have an eSATA drive and I want to set an hdd password on it, if I will have to go through every fingerprint again...
P.S.: I had a similar problem with my previous T60. On the external fingerprint reader everything worked, but on the internal one it sometimes did not fill these passwords and I had to pull the battery out and put it back in. Sadly that is not working on the W520.
07-13-2011 05:50 AM - edited 07-19-2011 12:08 PM
I'm having a problem with the external FPR and the power on sequence for my W520 system. The FPR is an IBM UPEK unit which was previously attached to my T42p. I can use the external FPR for all OS requests for passwords including the power on. Here's the sequence that is failing:
System is in the docking station, I depress the power-on button, the FPR request comes on the screen, I scan my fingerprint that has been defined for power on, I get a green check mark that says matched, the screen clears, then I get a symbol that indicates no FPR and indicates that it wants to have the password manually typed on the keyboard.
The priority in the BIOS (1.26) is to use the external FPR first if present, then the internal FPR. If I disconnect the external FPR and just use the internal FPR, then all goes as designed.
Thoughts on this? I'm at the latest Client Security software level and the fingerprints are all registered properly.
07-20-2011 04:58 AM
I found out that the first generation of external fingerprint readers does not support the new 20-series systems (T420/T520/W520/X220). This is because the chipset inside these readers does not implement the level of security required on the newer systems. So that external USB reader that you used with the T42 simply will not work with the new ThinkPads. To find the list of supported options for your system, please consult the tabook.
07-20-2011 06:13 AM - edited 07-20-2011 06:33 AM
I suspected that. HOWEVER, there are NO external fingerprint readers listed as accessories for the T520 nor the W520. The following fingerprint keyboard, which IS listed as compatible, doesn't work either: 73P4730. So, basically, the system supports an external FPR, but there are no approved FPRs sold by Lenovo. BTW, Client Security and Windows 7 have NO issue using the external FPR. Fingerprint registration works properly, so it has to be a BIOS miscoding.
What accessory does work? What are the technical specifications so that I can purchase an external FPR?
07-20-2011 09:06 AM
Is this relevant also to my problem or not?
My external reader is FRU 41U3150.
Once the sequence was filled, but now the passwords are filled only with the internal fingerprint.
I also wonder if I have to write all passwords once for each fingerprint to get it working.
Can you please tell me, where are fingerprints stored? In the reader itself, or in a TPM or where?
07-20-2011 10:25 AM
The answer about where fingerprints are stored is a bit complicated. For the purpose of logging into Windows, the fingerprint template and Windows passwords are stored in an encrypted file. There is really nothing stored on the fingerprint sensor itself for the purpose of logging into Windows, or using Client Security Solution and/or Password Manager. There is no limit to the number of fingers or users you can enroll for this purpose.
For the purpose of BIOS/hardware passwords, such as power-on password, supervisor password, or HDD password, both the fingerprint template and the hardware passwords are stored on the fingerprint device. There are a limited number of "slots" on the device for this purpose, around 20 I think. And each finger has to be enrolled and associated with the hardware password individually. This happens during the BIOS POST process when you are asked to swipe your finger after turning on the system. If the fingerprint sensor doesn't already know the hardware password associated with the finger that you swipe, then you are prompted to enter it. And the fingerprint sensor will remember it for next time.
Now for the issue where old external fingerprint sensors don't work with the new ThinkPads for the purpose of BIOS/hardware passwords, the cause is that the chipset in the old sensors is not compatible with the new ThinkPads. The external sensor can still be used to log into Windows, because as I explained above there is nothing stored on the sensor for this purpose. But the external sensor cannot be used to store BIOS/hardware passwords due to the chipset incompatibility.
I don't know what the solution to this problem will be, whether it can be solved by some BIOS update, or whether a new external fingerprint sensor will be required (and where/how to buy it). I'm still trying to figure that out and I will post back when I know more.
07-20-2011 11:25 AM - edited 07-20-2011 11:26 AM
OK, now I'm confused. If the external FPR couldn't store the password for BIOS-related stuff, then I would understand your answer. However, the fact that when the scan is requested, for example for "Power On", the fingerprint IS recognized and the BIOS responds with a green check "match" says that most of this is working. How does that line up with the device not being able to store the FP? It would seem more likely that there is some protocol that the BIOS is trying to enforce about the difference between internal vs. external. There's more to it, but I'm sure that you'll make a more complete determination when you complete your analysis.
07-20-2011 11:30 AM
Thank you very much for a great and detailed explanation.
The only strange thing is that I would bet money that I got the external reader working once. For one of my fingers, it filled the passwords (after I wrote them for the first time). Then I did the same process for my second finger, which didn't work, and my first finger stopped working too.
BTW, can you tell me how the passwords stored in a fingerprint device are encrypted? I mean by what key? Is it by the biometric data, or anything else?
07-20-2011 12:02 PM
The new ThinkPad doesn't know how to store or retrieve hardware passwords on the old external fingerprint device. The fingerprint will match, but the hardware passwords can't be stored or retrieved. Whether it can be solved in BIOS or not, I'm not sure. Does this answer your question?
I don't see how it is possible that this ever worked with the external sensor. As for exactly how the passwords are stored, the fingerprint sensor includes a companion chip that acts as a vault. The key that is used inside the companion chip is set when the fingerprint device is first initialized (it is not related to biometry). To clear the vault you can choose the option to erase fingerprint data in the BIOS setup menu.