For years, smartphones have been secured using either a passcode or a pattern lock system. That is until biometric fingerprint security came along promising heightened security measures using a user’s fingerprint. With no fingerprints being the same, nothing could be safer, right?
However, a team of researchers from New York University Tandon School of Engineering and Michigan State University College of Engineering have found that partial similarities between prints are common enough to fool biometric security systems used in mobile phones and other electronics devices leading them to be much more vulnerable than previously thought.
At the heart of the vulnerability is the small sensors used to capture the fingerprint authentication systems. These sensors do not capture a user’s full fingerprint but instead scan and store partial fingerprints or some allow for multiple fingers as the authentication system. Identity is confirmed when a user’s fingerprint matches any of these saved partial prints.
Researchers were able to develop a concept for a “MasterPrint” or a print that matches enough similarities among different people’s prints that could be used by hackers to crack a biometric smartphone security system.
The idea is similar to attempts to create a master code for pin based smartphone security systems used by hackers. The team found that a MasterPrint could indeed be created from multiple human fingerprint patterns that were close enough to raise security concerns.
The analysis used took 8,200 partial fingerprints and through commercial fingerprint verification software found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints. However, only one full-fingerprint MasterPrint was found in a sample of 800 full prints.
“Not surprisingly, there’s a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification,” says Nasir Memon, professor of computer science and engineering at NYU Tandon.
How They Did It
The team culled MasterPrints from real fingerprint images and then built an algorithm for creating synthetic partial MasterPrints. Experimenting with the synthetic partial print the researchers found these had an even wider matching potential, making them more likely to fool biometric security systems than real partial fingerprints.
The team reported successful matching of between 26 percent and 65 percent of users depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication. The more partial fingerprints a smartphone stores, the more vulnerable it is.
The results of the project show that challenges remain in designing trustworthy fingerprint-based authentication systems and work on future designs is needed.
“As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features,” says Arun Ross, professor of computer science at Michigan State. “If resolution is not improved, the distinctiveness of a user’s fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this.”