Chances are that your smartphone has a fingerprint scanner built into it to help you unlock your device. One advantage of fingerprint scanners is that they make unlocking a handset faster than typing a PIN.
However, it’s also more secure because, as we’re constantly reminded by CSI-style detective shows, all of us have unique fingerprints. As a result, a fingerprint scanner stops someone else unlocking your phone in the way that they could if they knew your passcode.
Right? Well, kind of.
As it turns out, computer scientists at New York University and Michigan State University have been working on developing digital “master prints.” These are the biometric equivalent of master keys, capable of tricking a variety of fingerprint sensors that are trained to recognize your “unique” fingerprints.
“Our work shows that there are these things called ‘masterprints,’ which could be used by an attacker,” Nasir Memon, a computer scientist at NYU’s Tandon School of Engineering who co-authored the study, told Digital Trends. “If they had a master print that maximized their probability of success, they may be able to get through a device’s fingerprint system.”
The problem, Memon explained, is that fingerprint sensors tend to be small. Because of this, they match according to partial fingerprints, rather than whole ones. When you register your fingerprint on a new device, it breaks down your single print into a number of smaller squares. This means that, regardless of how your finger is placed on the fingerprint sensor, your mobile device should be able to recognize it.
“When you take a full fingerprint, there’s some amount of uniqueness in it, even if it’s not total,” Memon continued. “The problem is that, as you start taking partial fingerprints, that distinguishability drops. As an analogy, if you think about a face, they’re distinct because two people are unlikely to have the same face. But if you just take a part of the face, the chances of two people having that partial face are higher.”
He said that one impetus for the research had been a previous study into PIN codes, which claimed that around four percent of PIN codes were simply “1234.” A thief wanting to maximize his or her chances of breaking into a phone should, therefore, start by trying this string of digits.
Memon and colleagues analyzed a database of 800 fingerprints, from which they extracted thousands of partial prints. According to their analysis, a master print — able to emulate a variety of partial fingerprints — could be used to fool a random fingerprint scanner 26 to 65 percent of the time.
As Memon notes, this work is still hypothetical. The researchers did not create physical master prints but rather carried out their work using computer simulations. A hacker glove, with a different master print on each finger, fortunately doesn’t exist yet, but the research is still a reminder of some of the perils that exist with biometrics.