A team of researchers from the Tandon School of Engineering at the New York University has created a method of generating fake digital fingerprints capable of unlocking random smartphones.
According to the research team, their method works with an accuracy of 26% to 65% of all tested phones, assuming a maximum number of five attempts per authentication, the standard that most phone-based fingerprint authentication systems give their users.
The research was possible because most of the fingerprint authentication systems included with modern smartphones don't actually store a full fingerprint.
These systems take snapshots of small areas of the user's fingerprint when the user registers a finger for authentication. These are called "partial fingerprints, " and some phones create one, while others two, three, four, or more.
When the user presses his finger over the fingerprint sensor, the visible area of his fingerprint is compared to any of these partial fingerprints, and the phone is unlocked if successful. This means that most fingerprint authentication systems in today's smartphones never compare the full fingerprint but only work with small areas of your finger.
Working on this principle, the research team assembled a database of real user fingerprints and then created an algorithm capable of generating so-called MasterPrints.
These are digitally-created partial fingerprints that bear enough similarities to the most common patterns found in the fingerprints of most users.
Tests carried out by the research team revealed that there are enough similarities between user fingerprints to make MasterPrints efficient in real-life scenarios.
The conclusion was that the more partial fingerprints a smartphone stored per user, the more vulnerable it was.
To improve fingerprinting authentication in the future, researchers recommend that smartphone vendors start using the full fingerprints, but also that they deploy more sensitive fingerprint sensors.
“As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features,” one of the researchers said. “If resolution is not improved, the distinctiveness of a user’s fingerprint will be inevitably compromised.”
Their research paper is entitled "MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems," and was published in Volume 99 of the IEEE Transactions on Information Forensics and Security journal.
Image credit: Andri Koolme