What is wrong with the fingerprint?
A while ago we were developing an application for a Fortune 500 company, which wanted to secure a mobile app containing vital data with the built-in fingerprint reader on iPhone and Android devices.
Probably everybody is excited about protecting data with a fingerprint, because everyone has their own unique fingerprint, and as a matter of fact it is always with you. You don’t need to remember any passwords, use special USB devices or generate keys stored on your smartphone. All you need is to put your finger on a sensor, and after a second you are authorized. So, besides our fingerprints being unique, let’s see how fingerprint scanners work and why using them alone is not secure enough.
Let’s take a sneak peek at how fingerprint readers work.
As I’ve already mentioned above, each individual’s fingerprint is unique. Even identical twins have different fingerprints. Fingerprints are even more distinctive than our DNA.
Actually, the chance of two people having the same fingerprints is 1 in 64 billion, which is less likely than winning the lottery (potentially any lottery).
The reason fingerprints are unique is that they are formed not genetically but physically. They are formed even before we are born, while still in our mother’s womb. They start developing as “friction ridges” from the pressure of the fingers touching their surroundings while the baby is in the womb. Fingerprints are fully developed 3 months before we are born.
How does the Fingerprint reader work?
All of the ridges form patterns called loops, whorls and arches. In order to distinguish one fingerprint from another and confirm an identity, some measurements are made. The measures taken into account are: shape, size, and the number of lines in a pattern. From various characteristic points, a grid of control points is established. As you can see in the above image, all these measures yield a certain point pattern. When this point pattern is compared with another fingerprint, or, in the case of a fingerprint reader, with the user’s own enrolled fingerprint, the identity is confirmed – or not.
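To make the point-pattern comparison concrete, here is an added example (not code from the original article, and not how any real sensor is implemented) of a simplified minutiae matcher. Each characteristic point is modelled as a position plus a ridge angle, and the comparison is a fuzzy similarity score against a threshold rather than an exact equality check. All templates and tolerances below are constructed; the loose-tolerance call at the end shows the security-relevant consequence: the more tolerance a matcher allows, the more likely a different finger (or a copy) passes.

```python
import math
from typing import List, Tuple

# A minutia is a characteristic point on the ridge pattern: (x, y, ridge angle in degrees).
Minutia = Tuple[float, float, float]

# Constructed enrolled template (the "grid of control points" stored by the reader).
ENROLLED: List[Minutia] = [
    (10, 12, 30), (25, 40, 90), (42, 18, 180), (60, 55, 270),
    (33, 70, 45), (75, 22, 135), (18, 58, 300), (50, 80, 10),
]
# Constructed probe from the same finger: slightly shifted and noisy, one point missed.
GENUINE_PROBE: List[Minutia] = [
    (11, 13, 32), (24, 41, 88), (43, 17, 182), (61, 54, 268),
    (34, 71, 47), (74, 23, 137), (19, 57, 302),
]
# Constructed probe from a different finger.
IMPOSTOR_PROBE: List[Minutia] = [
    (5, 5, 10), (70, 10, 200), (30, 30, 60), (60, 70, 120), (15, 85, 250),
]


def angle_diff(a: float, b: float) -> float:
    """Smallest difference between two angles, in degrees (0..180)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def count_matches(template: List[Minutia], probe: List[Minutia],
                  dist_tol: float = 3.0, angle_tol: float = 10.0) -> int:
    """Greedy one-to-one pairing: a probe point matches the first unused template
    point within the position and angle tolerances."""
    used = set()
    matches = 0
    for px, py, pa in probe:
        for i, (tx, ty, ta) in enumerate(template):
            if i in used:
                continue
            if math.hypot(px - tx, py - ty) <= dist_tol and angle_diff(pa, ta) <= angle_tol:
                used.add(i)
                matches += 1
                break
    return matches


def similarity(template: List[Minutia], probe: List[Minutia],
               dist_tol: float = 3.0, angle_tol: float = 10.0) -> float:
    """Fraction of points paired, normalised by the larger point set (0.0 .. 1.0)."""
    if not template or not probe:
        return 0.0
    return count_matches(template, probe, dist_tol, angle_tol) / max(len(template), len(probe))


def verify(template: List[Minutia], probe: List[Minutia], threshold: float = 0.6,
           dist_tol: float = 3.0, angle_tol: float = 10.0) -> bool:
    """The reader's decision: accept when the similarity score reaches the threshold."""
    return similarity(template, probe, dist_tol, angle_tol) >= threshold


if __name__ == "__main__":
    print("genuine :", similarity(ENROLLED, GENUINE_PROBE), verify(ENROLLED, GENUINE_PROBE))
    print("impostor:", similarity(ENROLLED, IMPOSTOR_PROBE), verify(ENROLLED, IMPOSTOR_PROBE))
    # Loosening the tolerances so noisy genuine scans stop being rejected also
    # lets the impostor through: the classic false-reject vs false-accept trade-off.
    print("impostor, loose tolerances:",
          verify(ENROLLED, IMPOSTOR_PROBE, dist_tol=30.0, angle_tol=180.0))
```

With the constructed data the genuine probe pairs 7 of 8 points (score 0.875) and is accepted, the impostor pairs none at the default tolerances, but is accepted once the tolerances are widened. Every deployed matcher sits somewhere on that curve, which is why "the fingerprint matched" is a probabilistic statement, not proof of identity.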
So why aren’t they secure if they are unique?
Everything seems perfect until you realize that your fingerprints are everywhere. By saying everywhere, I mean they are everywhere. The FBI has them in a database, they are stored in your biometric passport and photo ID card, and you leave them whenever you touch something (except if you are a professional con artist wearing gloves all the time).
So the pros of a fingerprint are its cons at exactly the same time. Just imagine: everybody has access to your fingerprint, and the one thing you can’t do is change it.
Exploiting the fingerprint
The interesting part here is how the fingerprint sensor can be cheated. Back in 2002 a Japanese hacker demonstrated that he could do it with gummi bears, so basically all it took was gelatin and some liquid silicone. Technology has advanced since then, and new tech like 3D printers can model a glove with a copy of your fingerprints. As we’ve mentioned above, misusing a fingerprint reader is not rocket science, and your prints are freely available wherever you go.
In conclusion, a fingerprint is convenient, but not a secure form of data protection. If you want to use it after all, we recommend using it in combination with two-factor authentication. It’s OK to lock your phone with it, but not to protect any kind of sensitive information.