One of the main reasons phone users prefer smartphones with fingerprint scanners is the sense of privacy and security they offer. Or so we thought.
A new study of partial-fingerprint authentication systems, focused on the case where a user enrolls several fingers, found that because the scanners read only a portion of each fingerprint, partial prints dubbed "MasterPrints" can be found or generated that match the enrolled templates of many different users, not just the one they came from.
The new findings have been released by Nasir Memon, a professor in the department of computer science and engineering at New York University’s Tandon School of Engineering; Aditi Roy, a post-doctoral fellow at the same college; and Arun Ross, a professor in the department of computer science and engineering at Michigan State University.
A number of consumer electronic devices are beginning to incorporate fingerprint sensors for user authentication. “The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size,” write the authors. “To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication.”
The paper adds that "in some cases, the user is allowed to enroll multiple fingers, and the impressions pertaining to multiple partial fingers are associated with the same identity (i.e., one user). A user is said to be successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates."
“It’s as if you have 30 passwords and the attacker only has to match one,” Memon told The New York Times. He said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password, known as a personal identification number.
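The "match any one of the stored templates" rule quoted from the paper, and Memon's "30 passwords" analogy, can be made concrete with a short calculation. The script below is an added example written for this article; it is not code from the study or from any phone vendor. It implements the any-template decision rule as the paper describes it, derives the impostor acceptance probability that rule produces under the assumption that each template comparison is an independent false-match event with a per-comparison rate `fmr`, confirms that closed form by brute-force enumeration for small cases, and inverts it to show how much stricter each individual comparison must be when a device stores many partial templates and allows several tries. The `fmr` values and the `matches` callback are illustrative assumptions, not figures from the paper.

```python
"""
How "accept if ANY enrolled partial template matches" multiplies an impostor's odds.
Added example for this article; not code from Roy, Memon and Ross or from any vendor.
Assumption: each template comparison is an independent event that false-matches
with probability `fmr` (real matchers are correlated, so treat results as a floor).
"""
from itertools import product


def authenticate(probe, templates, matches):
    """Decision rule described in the paper: accept the probe if it matches
    ANY of the user's enrolled partial templates.
    `matches(probe, template)` stands in for the device's comparator (assumed)."""
    return any(matches(probe, t) for t in templates)


def impostor_accept_probability(fmr, templates_per_user, attempts=1):
    """Closed form: an impostor gets templates_per_user * attempts independent
    chances, each a false match with probability fmr."""
    comparisons = templates_per_user * attempts
    return 1.0 - (1.0 - fmr) ** comparisons


def impostor_accept_probability_enumerated(fmr, templates_per_user, attempts=1):
    """Same quantity by brute force: enumerate every combination of
    per-comparison outcomes, run the any-match rule on each attempt, and sum the
    probability of the combinations that get accepted.  Only feasible for small
    template counts; it is here to confirm the closed form above."""
    comparisons = templates_per_user * attempts
    total = 0.0
    for outcomes in product((False, True), repeat=comparisons):
        weight = 1.0
        for hit in outcomes:
            weight *= fmr if hit else (1.0 - fmr)
        # attempt i compares one probe against that user's templates_per_user templates
        accepted = any(
            authenticate(None,
                         outcomes[i * templates_per_user:(i + 1) * templates_per_user],
                         lambda _probe, hit: hit)
            for i in range(attempts)
        )
        if accepted:
            total += weight
    return total


def per_comparison_fmr_for_target(target_far, templates_per_user, attempts=1):
    """Inverse view for the defender: the false-match rate each single comparison
    must achieve so the whole system stays at target_far despite the any-match rule."""
    comparisons = templates_per_user * attempts
    return 1.0 - (1.0 - target_far) ** (1.0 / comparisons)


if __name__ == "__main__":
    # Illustrative per-comparison rate; the row for 30 templates and 5 tries is
    # the "30 passwords, attacker only has to match one" situation.
    for k in (1, 5, 10, 30):
        print(f"{k:2d} templates, 5 tries: impostor accepted with p = "
              f"{impostor_accept_probability(0.001, k, attempts=5):.4f}")
    print("per-comparison FMR needed for 1-in-10000 system FAR with 30 templates, "
          f"5 tries: {per_comparison_fmr_for_target(1e-4, 30, attempts=5):.2e}")
```

The point the numbers make is that the system-level false accept rate is roughly the per-comparison rate multiplied by the number of stored templates and the number of tries, so a device that quietly stores dozens of partial impressions has to run each comparison at a far tighter threshold than the headline per-comparison figure suggests; a MasterPrint is exactly a probe chosen to exploit that multiplied budget.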
The study’s preliminary results suggest that it is indeed possible to locate or generate partial fingerprints that can be used to impersonate a large number of users.