Fingerprint security on smartphones more vulnerable than thought

April 13, 2017 // By Jean-Pierre Joosting
New York University Tandon School of Engineering (Brooklyn, NY) and Michigan State University (East Lansing, MI) researchers find that similarities in partial fingerprints may be sufficient to trick biometric security systems on smartphones.

No two people are believed to have identical fingerprints, but researchers at the New York University Tandon School of Engineering and Michigan State University College of Engineering have found that partial similarities between prints are common enough that the fingerprint-based security systems used in mobile phones and other electronic devices can be more vulnerable than previously thought.

The vulnerability lies in the fact that fingerprint-based authentication systems feature small sensors that do not capture a user's full fingerprint. Instead, they scan and store partial fingerprints, and many phones allow users to enroll several different fingers in their authentication system.

Identity is confirmed when a user's fingerprint matches any one of the saved partial prints. The researchers hypothesized that there could be enough similarities among different people's partial prints that one could create a "MasterPrint."

Nasir Memon, a professor of computer science and engineering at NYU Tandon and the research team leader, explained that the MasterPrint concept bears some similarity to a hacker who attempts to crack a PIN-based system using a commonly adopted password such as 1234. "About four percent of the time, the password 1234 will be correct, which is a relatively high probability when you're just guessing."

The research team set out to see if they could find a MasterPrint that could reveal a similar level of vulnerability. Indeed, they found that certain attributes in human fingerprint patterns were common enough to raise security concerns.

Memon and his colleagues, NYU Tandon Postdoctoral Fellow Aditi Roy and Michigan State University Professor of Computer Science and Engineering Arun Ross, undertook their analysis using 8,200 partial fingerprints. Using commercial fingerprint verification software, they found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints. (They defined a MasterPrint as one that matches at least four percent of the other prints in the randomly sampled batch.)

They found, however, just one full-fingerprint MasterPrint in a sample of 800 full prints. "Not surprisingly, there's a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification," said Memon.
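The match-any-enrolled-partial rule and the four percent MasterPrint definition described above can be expressed as two metrics a device evaluator might compute over a template set. This is an added example, not code from the researchers or the original article; the feature-set representation of a print, the shared-feature matcher and all data are constructed assumptions.

```python
from typing import FrozenSet, List, Sequence

# Constructed stand-in: a partial print is a set of feature ids. Real matchers
# compare minutiae; this toy model only illustrates the two metrics.
Print = FrozenSet[int]

def matches(a: Print, b: Print, min_shared: int = 3) -> bool:
    """Toy matcher (assumption): match when at least min_shared features are shared."""
    return len(a & b) >= min_shared

def match_rate(i: int, batch: Sequence[Print]) -> float:
    """Fraction of the other prints in the batch that batch[i] matches."""
    others = [p for j, p in enumerate(batch) if j != i]
    return sum(matches(batch[i], p) for p in others) / len(others)

def find_masterprints(batch: Sequence[Print], threshold: float = 0.04) -> List[int]:
    """Indices of prints matching at least `threshold` of the other prints."""
    return [i for i in range(len(batch)) if match_rate(i, batch) >= threshold]

def user_accept_rate(probe: Print, users: Sequence[Sequence[Print]]) -> float:
    """Fraction of users accepted when ANY one enrolled partial may match."""
    hits = sum(any(matches(probe, t) for t in enrolled) for enrolled in users)
    return hits / len(users)

def build_batch() -> List[Print]:
    """Constructed batch of 49 partials; print 0 carries three common feature triples."""
    batch = [frozenset(range(100 * i, 100 * i + 9)) for i in range(49)]
    batch[0] = frozenset(range(1, 10))
    batch[1] = frozenset({1, 2, 3}) | frozenset(range(100, 106))
    batch[2] = frozenset({4, 5, 6}) | frozenset(range(200, 206))
    batch[3] = frozenset({7, 8, 9}) | frozenset(range(300, 306))
    return batch

BATCH = build_batch()
# Twelve constructed users, four enrolled partials each (prints 1..48).
USERS = [[BATCH[1 + u + 12 * k] for k in range(4)] for u in range(12)]

if __name__ == "__main__":
    print("MasterPrint indices:", find_masterprints(BATCH))
    print("per-template match rate of print 0:", match_rate(0, BATCH))
    print("per-user accept rate of print 0:", user_accept_rate(BATCH[0], USERS))
```

In this constructed batch the probe matches 6.25% of individual templates but is accepted for 25% of users, because each user exposes four templates to the any-match rule.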