How Safe is Fingerprint Scanning on our Phones?

Nowadays several modern smartphones are equipped with fingerprint sensors to perform various operations due to the convenience of this technology in comparison to passwords which need to be remembered and typed in numerous times daily.

Companies such as Apple and Samsung are utilizing this smartphone technology to not only unlock the phone but to also authorize payments through mobile wallets such as Apple Pay and Samsung Pay.

In fact, a typical smartphone user can use this fingerprint sensing technology to perform several other operations such as downloading apps, signing into apps such as those for mobile banking purposes, as well as allowing users to transfer money various other apps1. Even some laptops are incorporating this technology to carry out their basic operations.

In order to increase our sensitivity to touch, our fingers were evolved with swirling friction ridges that are unique to each and every one of us2. Since no two human beings have the same exact set of fingerprints, fingerprints are the most common and widely used biometrics to identify a person.

However, all the ridges follow one of the three basic fingerprint patterns, which include loop, whorl and arch patterns2. The ridges in the loop pattern enter from one side of the finger to form a curve, and finally end on the same side, while the ridges form a circular pattern around a central point on the finger in the case of whorl pattern. In the arch pattern, the ridges enter from one side of the finger, rise in the center to form an arc and exit on the other side of the finger.

It is estimated that 60-65 % of people have a loop patterned fingerprint, while 30-35% have a whorl pattern, and the remaining 5% will have an arch pattern on their fingertips2.

Fingerprint recognition, or fingerprint authentication, is an automated process of verifying a match between two human fingerprints. This validation process has been adopted into various fingerprint sensors used in several different gadgets such as smartphones and laptops. Although falsifying a full human fingerprint is difficult, it is quite possible in the case of the partial fingerprints scanned by the small fingerprint sensors that are embedded into smartphones1,2.

To compensate for their smaller size, the fingerprint sensors on the smartphone enroll multiple partial images of a single finger to ensure that at least one of the images matches the user’s fingerprint during authentication. Smartphones will also allow you to set up multiple fingerprints including your thumb and all other fingers3,4. Therefore, a typical fingerprint scanned by a sensor should match one of the several partial images of up to ten different reference fingerprints to perform several operations that can range from simply unlocking the phone, to authorizing a transfer of thousands of dollars.

Researchers at the New York University’s Department of Computer Science and Engineering have investigated the potential security risks of fingerprint sensors by generating a “MasterPrint” that could match one or more of the stored templates of a significant number of users by serendipity.

hey defined MasterPrint as a synthetic or real partial fingerprint that matches at least 4% of the other prints in the randomly sampled batch. Nasir Memon’s team analyzed 8,200 partial fingerprints using commercial fingerprint verification software to validate the security concerns of the fingerprint scanners3.

The results revealed that it is possible to locate or generate partial fingerprints that could be used to impersonate the fingerprints of a large number of users4. The researchers determined that an average of 92 potential MasterPrints exist for every randomly sampled batch of 800 partial fingerprints, while there was only one full-fingerprint MasterPrint in a sample of 800 full fingerprints3. These results suggest that there is a significantly greater chance of falsely matching a partial fingerprint, as compared to a full fingerprint.

The common attributes of human fingerprints combined with the inability of the smartphone fingerprint scanners to scan the complete fingerprints due to their smaller size while also utilizing partial images from multiple fingers of the same user to authenticate, pose a gaping security hole in such a widely used and greatly trusted technology. The researchers suggest that smartphone users can protect themselves by turning off fingerprint authentication for their most sensitive apps, such as mobile payments.