Both my phone and my tablet have fingerprint sensors. For some reason, my tablet never reads my fingerprint correctly, so I find I have to try multiple times before giving up and using another method of authentication to log on. But my phone’s sensor has worked great, allowing me quick access to my apps and giving me a sense of privacy that no one else can pick up my phone and use it.
However, fingerprints as a biometric authentication solution aren’t foolproof, and researchers from New York University and Michigan State University recently presented a paper showing how easy it is to create synthetic fingerprints that can trick biometric sensors.
Suddenly, my phone―or anything that relies on fingerprint scans―doesn’t seem as private.

Already a Flawed Scan
I think it is important to point out that fingerprint sensors on our phones and tablets are already a flawed security protection. As the researchers explained, the sensors are so small that they only grab a small part of the fingerprint. This means that naturally, the chance of “matching” with another fingerprint increases. This concept led to something called MasterPrints, which the researchers didn’t develop but described: “MasterPrints are a set of real or synthetic fingerprints that can fortuitously match with a large number of other fingerprints. Therefore, they can be used by an adversary to launch a dictionary attack against a specific subject that can compromise the security of a fingerprint-based recognition system. This means, it is possible to ‘spoof’ the fingerprints of a subject without actually gaining any information about the subject’s fingerprint.”
The researchers then went a step beyond MasterPrints with DeepMasterPrints: “Images that are visually similar to natural fingerprint images.” This is the print that can spoof any type of fingerprint sensor, matching it to a number of different fingerprint identities. It is essentially the master key of fingerprints, and it could create chaos in a security world that sees biometric authentication as the most secure option available right now.

Using AI and ML to Generate Fingerprints
As The Guardian explained, the researchers used two particular properties of fingerprints and sensor technology to come up with DeepMasterPrints. First, they took advantage of the partial print scan done on smaller devices. Second, they used fingerprint features that are common as opposed to unique―in other words, our fingerprints are more alike than we realize. Then, the article stated, “the researchers used a common machine learning technique, called a generative adversarial network, to artificially create new fingerprints that matched as many partial fingerprints as possible.”

Dictionary Attacks, but for Fingerprints
How can synthetic fingerprints affect security? Just as hackers use dictionary attacks to generate potential passwords, the researchers concluded synthetic fingerprints could be used to launch dictionary-style attacks against systems that rely on this type of biometric authentication.
“Could” is the operative word here. It’s important to remember that this research was conducted in a controlled environment, proving synthetic fingerprints―and the science behind creating them―are possible.
“While that doesn’t invalidate the findings,” Sam Bakken, senior product marketing manager at OneSpan said in an email comment, “the costs of executing such an attack are far from negligible and attackers probably don’t see a good return-on-investment at this time.”
However, if it can be done in one setting, you can be sure cybercriminals will work hard to replicate the findings for their own use. With this research, the rest of us are getting a bit of a head start to ensure our authentication systems are able to combat potential synthetic fingerprint hacks. That begins with layered authentication that adds on to fingerprint biometrics.
“A layered approach might include taking into account additional contextual data (e.g., whether the authentication event is taking place on a compromised device or via an emulator, etc.) to score the risk associated with the transaction and if that risk is too high, ask the user to provide another authentication factor,” said Bakken.
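As an added illustration (not code from the article, the researchers or OneSpan), here is a small Python sketch of the layered policy Bakken describes, plus the retry-budget arithmetic behind treating synthetic prints as a dictionary attack; the context signals, weights, thresholds and attempt budget are all assumptions.

```python
from dataclasses import dataclass

MAX_SCAN_ATTEMPTS = 5  # assumed per-session retry budget before lockout


@dataclass
class AuthContext:
    """Contextual signals gathered alongside the fingerprint scan (assumed set)."""
    user_id: str
    device_known: bool   # device previously enrolled for this user
    emulator: bool       # scan is coming from an emulator
    compromised: bool    # root/jailbreak or tamper indicators present
    failed_scans: int    # consecutive failed fingerprint attempts this session
    amount: float = 0.0  # transaction value, if any


def risk_score(ctx: AuthContext) -> int:
    """Additive risk score; weights are illustrative, not a vendor's model."""
    score = 0
    if ctx.emulator:
        score += 60
    if ctx.compromised:
        score += 40
    if not ctx.device_known:
        score += 25
    score += min(ctx.failed_scans, MAX_SCAN_ATTEMPTS) * 10
    if ctx.amount > 1000:
        score += 20
    return score


def decide(ctx: AuthContext, fingerprint_matched: bool) -> str:
    """Return 'locked', 'retry', 'deny', 'step_up' or 'allow'."""
    if ctx.failed_scans >= MAX_SCAN_ATTEMPTS:
        return "locked"        # cap retries: a dictionary needs many tries
    if not fingerprint_matched:
        return "retry"
    score = risk_score(ctx)
    if score >= 80:
        return "deny"
    if score >= 40:
        return "step_up"       # fingerprint alone is not enough here
    return "allow"


def dictionary_success_probability(fmr: float, attempts: int, templates: int = 1) -> float:
    """Chance that at least one of `attempts` presented prints falsely matches one of
    the user's `templates` enrolled partial prints. Assumes independent trials at
    false-match rate `fmr`; a tuned MasterPrint set does better, so this is a floor."""
    return 1 - (1 - fmr) ** (attempts * templates)
```

With a 0.1% false-match rate, five tries gives roughly a 0.5% chance of a false accept, while an uncapped thousand tries passes 60%, which is why the lockout in `decide` matters as much as the scoring.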
Fingerprints are a popular biometric because they are easy for consumers to use―no passwords to remember and no added device necessary. But it is only a matter of time until they are no more secure than a user name and password combination.