cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Commander
Punch Card
Posts: 25
Registered: ‎07-18-2008
Location: Solar System/Earth
Views: 1,952
Message 2 of 19

W520: Fingerprint logon problem

Hello,

I want to ask if I do something wrong, or how to solve this problem.
I have W520, with SSD in the main bay and HDD in ultrabay.
I have set supervisor, power-on, hdd1 and hdd2 passwords. Also windows password.
I have enrolled 4 fingerprints.
I set in the fingerprint software that passwords are filled via one fingerprint.

 

When I powered-on the computer, I enrolled a finger, lenovo said "accpeted" and I had to put all power-on, hdd1 and hdd2 passwords manually. Since then it worked next time as is should automatically. SInce I have 4 fingerprints, I had to do this process for each finger, so 4 times, but I get it working.

 

But I am unable to do this on my external lenovo reader when docked. It allways says "accpeted" during boot, and then I have to write them manually. This is EXTREMELY annoying, because when docked, USB keyboard doesn't work either, and I have to go to my machine, open it, input 3 long passwords, and then close the lid fast.

 

Can you please help me, what to do? Where and how are fingerprints stored? I have also eSata drive and I want to set hdd password, if I will have go through every fingerprint again...

thank you.

 

P.S.: I had similar problem with my previous T60. On external fingerprint everything worked, but on internal sometimes it did not filled these passwords and i had to pull out and in the battery. Sadly it is not working on W520.

Lenovo W520 | 15.6" HD+ | Intel i7 2720QM | 16 GB DDR3 | nVidia Quadro 1000M | Intel 510 SSD | Hitachi 7200rpm HDD | Lenovo Mini Dock 3 Plus

Guru
Posts: 2,117
Registered: ‎04-20-2008
Location: US
Views: 1,967
Message 1 of 19

Using External FPR for Power on

I'm having a problem with the external FPR and the power on sequence for my W520 system. The FPR is an IBM UPEK unit which was previously attached to my T42p. I can use the external FPR for all OS requests for passwords including the power on. Here's the sequence that is failing:

 

System is in docking station, I depress the power on button, the FPR request comes on the screen, I scan my fingerprint that has been defined for power on, I get a green check mark that says matched, the screen clears, then I get a symbol that indicated no FPR and indicates that it wants to have the password manually typed on the keyboard.

 

The priority in the BIOS (1.26) is to use the external FPR first if present, then the internal FPR. If I disconnect the external FPR and just use the internal FPR, then all goes as designed.

 

Thoughts on this? I'm at the latest Client Security software level and the fingerprints are all registered properly.

 

Thanks


P53 XEON 2276 BIOS 1.18 OLED UHD 4K Multi-touch display, 96GB RAM, RTX5000, RAID 1, 1TB x 2 Samsung PM981, 1TB PM981, WWAN
P70 XEON 1505, BIOS 2.32, 4k Display, 64GB, M3000M NVIDIA GPU, RAID1 1TB Samsung PM981 PCIe-NVMe SSD x 2, 2x Samsung 850 Pro 1TB SSD. EM7455 WWAN
P1. BIOS 1.25,Xeon Processor, 4k UHD IPS multi-touch display, 32GB, PM981 1TB x 2, RAID1

I am not an employee nor an agent of Lenovo.
Lenovo Staff
Lenovo Staff
Posts: 6,063
Registered: ‎10-29-2009
Location: NC
Views: 1,897
Message 3 of 19

Re: Using External FPR for Power on

Thanks for explaning the problem here on the forum.  We are investigating this.

Lenovo Staff
Lenovo Staff
Posts: 6,063
Registered: ‎10-29-2009
Location: NC
Views: 1,873
Message 4 of 19

Re: Using External FPR for Power on

I found out that the first generation of external fingerprint readers does not support the new 20-series systems (T420/T520/W520/X220).  This is because the chipset inside these readers does not implement the level of security required on the newer systems.  So that external USB reader that you used with T42 simply will not work with new ThinkPads.  To find the list of supported options for your system, please consult the tabook

http://www.lenovo.com/psref/pdf/tabook.pdf

Guru
Posts: 2,117
Registered: ‎04-20-2008
Location: US
Views: 1,869
Message 5 of 19

Re: Using External FPR for Power on

I suspected that. HOWEVER, there are NO external fingerprint readers listed as accessories for the T520 nor the W520. The following fingerprint keyboard which IS listed as compatible doesn't work either: 73P4730.  So, basically, the system supports an external FPR, but there are no approved FPR's sold by Lenovo. BTW, Client Security and Windows 7 has NO issue using the external FPR. Fingerprint registration works properly, so it has to be a BIOS miscoding.

 

What accessory does work? What are the technical specifications so that I can purchase an external FPR?


P53 XEON 2276 BIOS 1.18 OLED UHD 4K Multi-touch display, 96GB RAM, RTX5000, RAID 1, 1TB x 2 Samsung PM981, 1TB PM981, WWAN
P70 XEON 1505, BIOS 2.32, 4k Display, 64GB, M3000M NVIDIA GPU, RAID1 1TB Samsung PM981 PCIe-NVMe SSD x 2, 2x Samsung 850 Pro 1TB SSD. EM7455 WWAN
P1. BIOS 1.25,Xeon Processor, 4k UHD IPS multi-touch display, 32GB, PM981 1TB x 2, RAID1

I am not an employee nor an agent of Lenovo.
Commander
Punch Card
Posts: 25
Registered: ‎07-18-2008
Location: Solar System/Earth
Views: 1,851
Message 6 of 19

Re: Using External FPR for Power on

Is this relevant also to my problem or not?

My external reader is FRU 41U3150.

Once the sequence was filled, but now the passwords are filled only with the internal fingerprint.

I also wonder, if I have to write all passwords once to get working for each fingerprint.

Can you please tell me, where are fingerprints stored? In the reader itself, or in a TPM or where?

Lenovo W520 | 15.6" HD+ | Intel i7 2720QM | 16 GB DDR3 | nVidia Quadro 1000M | Intel 510 SSD | Hitachi 7200rpm HDD | Lenovo Mini Dock 3 Plus

Lenovo Staff
Lenovo Staff
Posts: 6,063
Registered: ‎10-29-2009
Location: NC
Views: 1,846
Message 7 of 19

Re: Using External FPR for Power on

The answer about where fingerprints are stored is a bit complicated.  For the purpose of logging into windows, the fingerprint template and windows passwords are stored in an encrypted file.  There is really nothing stored on the fingerprint sensor itself for the purpose of logging into windows, or using Client Security Solution and/or Password Manager.  There is no limit to the number of fingers or users you can enroll for this purpose.

 

For the purpose of BIOS/hardware passwords, such as power-on password, supervisor password, or HDD password, both the fingerprint template and the hardware passwords are stored on the fingerprint device.  There are a limited number of "slots" on the device for this purpose, around 20 I think.  And each finger has to be enrolled and associated with the hardware password individually.  This happens during the BIOS POST process when you are asked to swipe your finger after turning on the system.  If the fingerprint sensor doesn't already know the hardware password associated with the finger that you swipe, then you are prompted to enter it.  And the fingerprint sensor will remember it for next time.

 

Now for the issue where old external fingerprint sensors don't work with the new ThinkPads for the purpose of BIOS/hardware passwords, the cause is that the chipset in the old sensors is not compatible with the new ThinkPads.  The external sensor can still be used to log into windows, because as I explained above there is nothing stored on the sensor for this purpose.  But the external sensor cannot be used to store BIOS/hardware passwords due to the chipset incompatibility. 

 

I don't know what the solution to this problem will be, whether it can be solved by some BIOS update, or whether a new external fingerprint sensor will be required (and where/how to buy it).  I'm still trying to figure that out and I will post back when I know more.

Guru
Posts: 2,117
Registered: ‎04-20-2008
Location: US
Views: 1,842
Message 8 of 19

Re: Using External FPR for Power on

OK, now I'm confused. If the external FPR couldn't store the password for BIOS related stuff, then I would understand your answer. However, the fact that when the scan is requested for example "Power On", the fingerprint IS recognized and the BIOS responds with a green check "match" says that most of this is working. How does that line up with the device can't store the FP? It would seem more likely that there is some protocol that the BIOS is trying to enforce about the difference between Internal vs. External. There's more to it, but I'm sure that you'll make a more complete determination when you complete your analysis.


P53 XEON 2276 BIOS 1.18 OLED UHD 4K Multi-touch display, 96GB RAM, RTX5000, RAID 1, 1TB x 2 Samsung PM981, 1TB PM981, WWAN
P70 XEON 1505, BIOS 2.32, 4k Display, 64GB, M3000M NVIDIA GPU, RAID1 1TB Samsung PM981 PCIe-NVMe SSD x 2, 2x Samsung 850 Pro 1TB SSD. EM7455 WWAN
P1. BIOS 1.25,Xeon Processor, 4k UHD IPS multi-touch display, 32GB, PM981 1TB x 2, RAID1

I am not an employee nor an agent of Lenovo.
Commander
Punch Card
Posts: 25
Registered: ‎07-18-2008
Location: Solar System/Earth
Views: 1,840
Message 9 of 19

Re: Using External FPR for Power on

Thank you very much for a great and detailed explanation.

 

Only strange thing is, that I would bet money that I got the external reader working once. For one of my fingers, It filled the passwords (after I wrote them for the first time). Then I did the same process for my second finger, which didn't work and my first finger stopped working too.

 

BTW, can you tell how are passwords stored in a fingerprint device encrypted? I mean by what key? Is it by the biometrical data, or anything else?

Thanks.

Lenovo W520 | 15.6" HD+ | Intel i7 2720QM | 16 GB DDR3 | nVidia Quadro 1000M | Intel 510 SSD | Hitachi 7200rpm HDD | Lenovo Mini Dock 3 Plus

Lenovo Staff
Lenovo Staff
Posts: 6,063
Registered: ‎10-29-2009
Location: NC
Views: 1,834
Message 10 of 19

Re: Using External FPR for Power on

harrisb,

 

The new ThinkPad doesn't know how to store or retrieve hardware passwords on the old external fingerprint device.  The fingerprint will match, but the hardware passwords can't be stored or retrieved.  Whether it can be solved in BIOS or not, I'm not sure.  Does this answer your question?

 

commander,

 

I don't see how it is possible that this ever worked with the external sensor.  As for exactly how the passwords are stored, the fingerprint sensor includes a companion chip that acts as a vault.  The key that is used inside the companion chip is set when the fingerprint device is first initialized (it is not related to biometry).  To clear the vault you can choose the option to erase fingerprint data in the BIOS setup menu.

Check out current deals!


Shop current deals

Top Kudoed Authors