20°C / 22°C
  • Mon
  • 18°C
  • 5°C
  • Tue
  • 18°C
  • 7°C
  • Wed
  • 20°C
  • 6°C
  • Thu
  • 18°C
  • 5°C
  • Fri
  • 18°C
  • 5°C
  • Sat
  • 19°C
  • 6°C
  • Mon
  • 17°C
  • 8°C
  • Tue
  • 15°C
  • 9°C
  • Wed
  • 13°C
  • 8°C
  • Thu
  • 17°C
  • 7°C
  • Fri
  • 21°C
  • 9°C
  • Sat
  • 18°C
  • 10°C
  • Mon
  • 20°C
  • 7°C
  • Tue
  • 20°C
  • 7°C
  • Wed
  • 22°C
  • 7°C
  • Thu
  • 19°C
  • 7°C
  • Fri
  • 20°C
  • 7°C
  • Sat
  • 20°C
  • 7°C
  • Mon
  • 21°C
  • 2°C
  • Tue
  • 21°C
  • 6°C
  • Wed
  • 21°C
  • 6°C
  • Thu
  • 20°C
  • 5°C
  • Fri
  • 20°C
  • 4°C
  • Sat
  • 20°C
  • 5°C
  • Mon
  • 20°C
  • 15°C
  • Tue
  • 22°C
  • 14°C
  • Wed
  • 19°C
  • 15°C
  • Thu
  • 21°C
  • 14°C
  • Fri
  • 22°C
  • 14°C
  • Sat
  • 25°C
  • 14°C
  • Mon
  • 20°C
  • 9°C
  • Tue
  • 18°C
  • 11°C
  • Wed
  • 15°C
  • 9°C
  • Thu
  • 16°C
  • 8°C
  • Fri
  • 26°C
  • 9°C
  • Sat
  • 17°C
  • 14°C
  • Mon
  • 19°C
  • 8°C
  • Tue
  • 13°C
  • 6°C
  • Wed
  • 12°C
  • 4°C
  • Thu
  • 18°C
  • 3°C
  • Fri
  • 24°C
  • 10°C
  • Sat
  • 18°C
  • 7°C
  • Mon
  • 16°C
  • 10°C
  • Tue
  • 14°C
  • 9°C
  • Wed
  • 13°C
  • 7°C
  • Thu
  • 17°C
  • 7°C
  • Fri
  • 22°C
  • 11°C
  • Sat
  • 16°C
  • 11°C
  • Mon
  • 21°C
  • 7°C
  • Tue
  • 21°C
  • 8°C
  • Wed
  • 23°C
  • 6°C
  • Thu
  • 20°C
  • 8°C
  • Fri
  • 21°C
  • 7°C
  • Sat
  • 21°C
  • 8°C
  • Mon
  • 19°C
  • -1°C
  • Tue
  • 21°C
  • 3°C
  • Wed
  • 18°C
  • 2°C
  • Thu
  • 19°C
  • 1°C
  • Fri
  • 20°C
  • 3°C
  • Sat
  • 20°C
  • 6°C
  • Mon
  • 21°C
  • 9°C
  • Tue
  • 23°C
  • 7°C
  • Wed
  • 21°C
  • 6°C
  • Thu
  • 20°C
  • 7°C
  • Fri
  • 18°C
  • 6°C
  • Sat
  • 23°C
  • 6°C
  • Mon
  • 22°C
  • 10°C
  • Tue
  • 19°C
  • 6°C
  • Wed
  • 14°C
  • 7°C
  • Thu
  • 16°C
  • 7°C
  • Fri
  • 26°C
  • 10°C
  • Sat
  • 16°C
  • 11°C

How secure is your phone's fingerprint lock?

The fingerprint-based security systems on phones and other electronic devices may be more vulnerable than previously thought.

A screengrab from YouTube of iPhone 5. Picture: Youtube.com.

The fingerprint-based security systems on phones and other electronic devices may be more vulnerable than previously thought.

Fingerprint-based authentication systems feature small sensors that don’t capture a user’s full fingerprint. Instead, they scan and store partial fingerprints, and many phones allow users to use different fingers in their authentication system. Identity is confirmed when a user’s fingerprint matches any one of the saved partial prints.

A new study suggests there could be enough similarities among different people’s partial prints to create a “MasterPrint.”

The MasterPrint concept is similar to a hacker who attempts to crack a PIN-based system using a commonly adopted password such as 1234, says Nasir Memon, professor of computer science and engineering at New York University Tandon.

“About 4% of the time, the password 1234 will be correct, which is a relatively high probability when you’re just guessing.”

So, researchers set out to see if they could find a MasterPrint that could reveal a similar level of vulnerability. Indeed, they found that certain attributes in human fingerprint patterns were common enough to raise security concerns.

For the study, published in IEEE Transactions on Information Forensics & Security, researchers looked at 8,200 partial fingerprints.

Using commercial fingerprint verification software, they found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints.
(They defined a MasterPrint as one that matches at least 4% of the other prints in the randomly sampled batch.)

They found, however, just one full-fingerprint MasterPrint in a sample of 800 full prints. “Not surprisingly, there’s a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification,” Memon says.

The team analysed the attributes of MasterPrints culled from real fingerprint images, and then built an algorithm for creating synthetic partial MasterPrints.

Experiments showed that synthetic partial prints have an even wider matching potential, making them more likely to fool biometric security systems than real partial fingerprints.

With their digitally simulated MasterPrints, the team reported successfully matching between 26 and 65% of users, depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication. The more partial fingerprints a given smartphone stores for each user, the more vulnerable it is.

While the work was done in a simulated environment, postdoctoral fellow and co-author Aditi Roy emphasises that improvements in creating synthetic prints and techniques for transferring digital MasterPrints to physical artefacts in order to spoof a device pose significant security concerns.

The high matching capability of MasterPrints points to the challenges of designing trustworthy fingerprint-based authentication systems and reinforces the need for multi-factor authentication schemes.

“As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features,” says co-author Arun Ross, professor of computer science and engineering at Michigan State University.

“If the resolution is not improved, the distinctiveness of a user’s fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this.”

The results of the team’s research are based on minutiae-based matching, which any particular vendor may or may not use, Memon says. Nevertheless, as long as partial fingerprints are used for unlocking devices and multiple partial impressions per finger are stored, the probability of finding MasterPrints increases significantly.

This article was republished courtesy of the World Economic Forum.

Written by Hallie Kapner, Writer and Communications Consultant, NYU Tandon School of Engineering.

Comments

EWN welcomes all comments that are constructive, contribute to discussions in a meaningful manner and take stories forward.

However, we will NOT condone the following:

- Racism (including offensive comments based on ethnicity and nationality)
- Sexism
- Homophobia
- Religious intolerance
- Cyber bullying
- Hate speech
- Derogatory language
- Comments inciting violence.

We ask that your comments remain relevant to the articles they appear on and do not include general banter or conversation as this dilutes the effectiveness of the comments section.

We strive to make the EWN community a safe and welcoming space for all.

EWN reserves the right to: 1) remove any comments that do not follow the above guidelines; and, 2) ban users who repeatedly infringe the rules.

Should you find any comments upsetting or offensive you can also flag them and we will assess it against our guidelines.

EWN is constantly reviewing its comments policy in order to create an environment conducive to constructive conversations.

comments powered by Disqus