April 11, 2017
Smartphone fingerprint sensors could be fooled up to 65 percent of the time by “MasterPrints” digitally composed from common fingerprint features, according to findings published Monday by researchers at New York University and Michigan State University.
In the report “MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems,” the researchers warn that partial fingerprint-based authentication systems are potentially vulnerable to compromise, particularly when multiple impressions of each finger are enrolled. Devices often require multiple impressions to be enrolled to ensure positive matching, the researchers say, and in some cases users enroll multiple fingers, further expanding the number of impressions against which a MasterPrint could register a false match.
The test results are based on computer simulations, and false positive authentications could be much less common in actual use conditions, but still sufficient to attract criminal attention.
“It’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad,” Andy Adler, a professor at Carleton University in Canada who studies biometric security, told the New York Times. “If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into 1 in 10 phones, that’s not bad odds.”
Study author Dr. Nasir Memon told the Times the results indicate that if someone could design a glove with a MasterPrint on each finger, that person could access 40 to 50 percent of iPhones before reaching the five-attempt limit and being asked for a numerical password. He also said he will continue to use his iPhone’s fingerprint sensor to unlock it.
Clarkson University professor and Center for Identification Technology Research director Stephanie Schuckers pointed out to the Times that there are differences in the software used by the researchers and smartphone vendors, and that anti-spoofing measures currently being studied could potentially defeat MasterPrints.