All I Want For Christmas Is A 4-Factor Biometric Lock Box

It’s the most wonderful time of the year! No, we’re not talking about the holiday season, although that certainly has its merits. What we mean is that it’s time for the final projects from [Bruce Land]’s ECE4760 class. With the giving spirit and their mothers in mind, [Adarsh], [Timon], and [Cameron] made a programmable lock box with four-factor authentication. That’s three factors more secure than your average Las Vegas hotel room safe, and with a display to boot.

Getting into this box starts with a four-digit code on a number pad. If it’s incorrect, the display will say so. Put in the right code and the system will wait four seconds for the next step, which involves three potentiometers. These are tuned to the correct value with a leeway of +/- 30. After another four-second wait, it’s on to the piezo-based knock detector, which listens for the right pattern. Finally, a fingerprint scanner makes sure that anyone who wants into this box had better plan ahead.

This project is based on Microchip’s PIC32-based Microstick II, which [Professor Land] starting teaching in 2015. It also uses an Arduino Uno to handle the fingerprint scanner. The team has marketability in mind for this project, and in the video after the break, they walk through the factory settings and user customization.

We have seen many ways to secure a lock box. How about a laser-cut combination safe or a box with a matching NFC ring?

24 thoughts on “All I Want For Christmas Is A 4-Factor Biometric Lock Box

  1. It would be more secure to not tell the user which step is wrong. Even if the passcode is wrong, it should still make the user go through the other three steps before saying “access denied”, with no specifics about why.

    1. That was my first thought. I once worked in an office containing equipment and documents classified “Secret” and above. At night it was secured only by a cipher lock with ten buttons, of which you had to press four in the correct order. But you could HEAR a relay click as soon as you hit a wrong button, and it only took a few seconds for it to reset, which you could ALSO hear. The first time I got locked out because somebody changed the code and I hadn’t read the memo, it took mw about two minutes to get in.

  2. If we want to be pedantic here (and this is HaD, so that’s almost a requirement) this is still a two factor system. The fingerprint is something you have. Everything else falls under something you know. Its not any more or less secure than a fingerprint + password setup. An additional factor could be an externally generated key of some kind (like a ubikey), which, while TECHNICALLY is something you have, falls outside of the biometric “have” for me to count it differently. THAT BEING SAID… awesome project, and great demo of the skills for this class!

      1. No, that’s how the counting is meant to happen; this is a two-factor box. It could be 3-factor if it required a physical key, which could include things like an NFC card or U2F dongle.

        It is a 4-credential box; it is not 4-factor.

        1. That’s how I counted it. When I clicked on the article the only thing I had to stop and think of what the 4 factors could be. The only thing I could think of was Something you know, Something you have, Something you are, and some place you are. It looks like multi credential, 2 factor authenticated to me. Still cool, but not quite the

      2. Knock pattern = something you know
        Code = something you know
        Pot settings = something you know
        Biometric = something you are

        Count the number of *distinct* classes of factor. There are only two. By definition, that’s how the counting works. Knyghtryda is correct.

    1. ideally one would add a one time password, we use that for all online financials here combined with a static password and or sms authentication, makes it practically impossible for anyone to get access to your bank account without extensive physical access.

  3. I’ve got patent ideas for timed lock boxes. Does anyone know of some being marketed. I’m frustrated that patent searches aren’t easier; especially having pictures. Say, where is Gravatar based? . . . (Oh, axe gets boom) . . . Thanks

    1. Ask your local bank. ;)
      Some business have boxes that only unlock at a set time as well. If you try to open it up, even with the correct key/code, an alarm can be set to go off.

  4. This is cool, However I wonder how it would fair against an EMP device, Perhaps having one of the steps being purely analog as in mechanical would help prevent this hypothetical defeat.

    1. The electronics could easily constructed, that it shorts out in a case of any overload and does not activate the lock.

      But I also wondered, why the electronics and the stuff are located mostly outside the box – probably because the wood would not provide any added protection.
      If only there were a material which would protect against electric and magnetic fields and provide some mechanical resistance. It should be ferromagnetic and conductive and hard/tough. Does anybody know a possible material? :-)
      .
      .
      .
      .
      .
      .
      .
      .
      Perhaps you could use steel?

  5. This is still just a two factor authentication system. Three factor is something you have (like a swipe card), something you are (biometric), something you know (passcode). You only have two factor…The biometric is something you are and all your others fall under something you know. To add a third factor you would need a card reader and key card as an example.

    All that being said…i know I am being overly technical here. Your project is REALLY cool and I respect your work. Nice job.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.