The story goes that no two fingerprints are exactly alike, which makes them an excellent method for authentication. However, as researchers at New York University and Michigan State University have recently found, they’re hardly foolproof.
The team has developed a set of fake fingerprints that are digital composites of common features found in many people’s fingerprints. Through computer simulations, they were able to achieve matches 65 percent of the time, though they estimate the scheme would be less successful in real life, on an actual phone.
Nasir Memon, a computer science and engineering professor at New York University, explained the value of the study to The New York Times. Modern smartphones, tablets, and other computing devices that utilize biometric authentication typically only take a snapshots of sections of a user’s finger, to compose a model of one fingerprint. But the chances of faking your way into someone else’s phone are much higher if there are multiple fingerprints recorded on that device.
“It’s as if you have 30 passwords and the attacker only has to match one,” Memon said. The professor, who was one of three authors on the study, theorized that if it were possible to create a glove with five different composite fingerprints, the attacker would likely be successful with about half of their attempts. For the record, Apple reported to the Times that the chance of a false match through the iPhone’s TouchID system is 1 in 50,000 with only one fingerprint recorded.
Although Memon’s team’s findings may not pose a significant, immediate risk, they are the reason why tech companies aren’t satisfied with the status quo. Stephanie Schuckers, a Clarkson University professor, noted that the latest, most advanced systems attempt to detect the presence of a real person through methods like ultrasound and perspiration sensitivity. There are also newer methods of biometric authentication, like iris scanning and facial recognition, which are both featured on Samsung’s new Galaxy S8.
Ultimately, Memon said this didn’t damage his faith in using fingerprints for security too much, although he suggested phone makers consider forcing customers to use a PIN or password after the device is left idle for an hour.