Fingerprints are all the rage today. We use them to find murderers, unlock our phones, access secure government facilities like Area 51 (probably), and many other things. Biometric security measures are slowly taking over from traditional ones like PINs, passwords, and the other mundane things we have to remember on top of the many other passcodes we already have to know. Mastercard has recently announced that they are working on a fingerprint-based credit card. It would work like any other credit card, whether swiped or used with its chip, but it would now require your fingerprint (checked against a template of your fingerprint stored on a chip in the card) to authorize transactions. It is currently being tested in South Africa and, if successful, will be rolled out globally in fall 2017.
But, like all security measures, fingerprint scanners can be bypassed. The most obvious way is to simply have a template of the fingerprint of interest, like a clay mold of it. That method requires that you have the fingerprint in your possession in order to make a copy of it, so it is probably not as easy as one might think. A much easier method would be to have a “master print” that acts like a skeleton/master key, able to open multiple locks. That is the work of researchers from New York University (NYU) and Michigan State University (MSU).
When you use your fingerprint to unlock your phone, the sensor scans only a small portion of your fingerprint, because the sensor is small and limited in how much it can capture during a single scan [1]. To make up for that small size, your phone scans many different partial prints when you set up the fingerprint scanner, and any of them can be used to unlock the phone. The more fingers you use, the more partial prints are stored on your phone and able to unlock it. The researchers at NYU and MSU analyzed large datasets of different partial prints that could be used in fingerprint scanners like those on smartphones [1]. They found that it was possible to create a master print that could mimic a random partial print [2]. The success rate for this ranged from 26% to 65% based on how many partial prints were stored in a device [2]. The more partial prints that were stored, the more likely it was that the master print could successfully mimic one of them.
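To see why more stored partial prints raise the chance of a false match, here is an added example (not code from the NYU/MSU research) that models the effect from the device owner's side. It assumes each stored partial print falsely matches a given probe independently with a constructed rate `Q`; it does not reproduce the 26% to 65% figures reported above.

```python
import math
import random

def device_false_accept(q, n_templates):
    """Chance that one probe falsely matches at least one of n stored partial prints.

    Assumption: matches against different stored partials are independent.
    """
    return 1.0 - (1.0 - q) ** n_templates

def max_templates_for(q, target):
    """Largest number of stored partials that keeps the device-level rate <= target."""
    return math.floor(math.log(1.0 - target) / math.log(1.0 - q))

def simulate(q, n_templates, trials=20000, seed=1):
    """Monte Carlo check of the closed form over `trials` simulated devices."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # A device accepts the probe if any one of its stored partials matches.
        if any(rng.random() < q for _ in range(n_templates)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    Q = 0.02  # constructed per-template false match rate, not a measured value
    print("fingers  partials/finger  stored  closed-form  simulated")
    for fingers in (1, 2, 4):
        for per_finger in (4, 8, 12):
            n = fingers * per_finger
            print(f"{fingers:7d}  {per_finger:15d}  {n:6d}  "
                  f"{device_false_accept(Q, n):11.3f}  {simulate(Q, n):9.3f}")
    print("stored partials allowed for a 10% device-level rate:",
          max_templates_for(Q, 0.10))
```

The table grows with every enrolled finger, which is the trade-off behind small sensors: each extra stored partial print makes unlocking more convenient for the owner and widens the set of prints the device will accept.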
Now it is important to note that this research was conducted via a computer simulation and that the researchers did not actually create some sort of master fingerprint device or use these master prints on phones. The results were a theoretical first step toward testing these ideas, because someone out there will inevitably try to create a device for this purpose, and it would be better to know about it beforehand so that appropriate countermeasures can be created. What this research accomplishes is telling us that this technology, which is being used more and more in our lives, has vulnerabilities that can be exploited for nefarious purposes, from stealing data stored on phones to illegal searches of phone information without warrants.
There are more and more biometric measures being introduced in newer phones and devices. The new Samsung S8 has facial recognition capabilities, fingerprint scanners, and iris scanners. As with fingerprints, these other biometric scanners have their own vulnerabilities and the more they enter our lives, the more important it becomes to understand these issues and build solutions to them. The good thing about having multiple security measures is that you can set them all up and make it more difficult for someone to enter your device without your consent/knowledge. For now, researchers shall continue to explore these vulnerabilities in hopes that when some terrible soul decides to do something bad, we can counter them.