The fingerprint readers on our smartphones are not as secure as we are led to believe, researchers have discovered, after fooling the system with a set of 'masterprints' designed to look like several different prints at once.
Much as a master key opens many door locks, the synthetic fingerprints created by researchers at the New York University Tandon School of Engineering and Michigan State University College of Engineering can trick multiple scanners, with a success rate of up to 65%.
At first, research team leader Nasir Memon wanted to create prints which would unlock a smartphone roughly as often as punching '1234' into the security screen does. According to Memon, "around 4% of the time, the password 1234 will be correct, which is a relatively high probability when you're just guessing."
But after studying how fingerprint readers actually match a finger, Memon and his team created so-called masterprints which worked between 25% and 65% of the time.
Fingerprint sensors are seen as a vital element of smartphone security. Quicker and less likely to be spied on by fellow commuters on a packed train, the technology is found on most flagship smartphones, including the iPhone 7 and new Samsung Galaxy S8.
The prints' success is down to how smartphone fingerprint readers work. The sensor is too small to capture the whole finger, so instead of mapping the entire print the phone stores several partial scans of different parts of the owner's finger at enrolment. When a finger touches the reader, the new partial scan is compared against each of the stored ones; if it matches any stored scan taken at the same angle closely enough, the device unlocks. An attacker therefore does not have to reproduce a whole print, only a patch that one of the stored partials will accept, and every extra stored partial is another chance for that patch to be accepted. Memon reasoned that a masterprint could be produced whose pattern resembles parts of several different people's prints at once, and thus could be used to unlock multiple phones.
Masterprints created with a 65% success rate
Memon and his colleagues analysed 8,200 partial fingerprints. Using commercially available verification software, they found an average of 92 potential masterprints in every randomly sampled batch of 800 partial prints. A masterprint was defined as one which matches at least 4% of the other prints in the batch, the same odds (one in 25) as a passcode being 1234. When full prints were analysed instead, the chance of finding such a print fell from one in 25 to about one in 800. That offers little reassurance, because most devices match against the less secure partial prints rather than full ones.
An algorithm was then built to generate synthetic partial masterprints, and these synthetic prints turned out to be accepted by the matcher more often than real partial prints from other people. With these synthetic partials, the team claim success rates between 25% and 65%. Phones which store multiple partial prints – and give a user several attempts to log in – are more vulnerable, because each stored partial and each attempt is one more chance for a masterprint to be accepted.
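To make the compounding effect concrete, here is a small Python model, added for this article and not code from the researchers, of the two ideas above: how a per-template false-accept probability grows when a phone stores several partial templates and allows several attempts, and the batch rule used to label a print a masterprint (accepted by at least 4% of the other prints). It assumes that acceptances against different templates and on different attempts are independent, which is a simplifying modelling assumption rather than a property of any real matcher, and the cross-match matrix is constructed sample data, not the study's 8,200 prints.

```python
"""
Toy model of compounding false accepts in partial-template fingerprint
matching, plus the 'masterprint' selection rule described in the article.
Added illustration; independence of matches is an assumption, and the
sample matrix below is constructed data.
"""


def unlock_probability(p_match: float, n_templates: int, n_attempts: int) -> float:
    """Probability that an impostor partial unlocks the phone.

    p_match     chance that one impostor partial is accepted against one
                stored partial template (assumed independent across
                templates and attempts - a modelling assumption).
    n_templates number of partial templates stored at enrolment.
    n_attempts  tries allowed before the phone falls back to a passcode.
    """
    if not 0.0 <= p_match <= 1.0:
        raise ValueError("p_match must be a probability")
    if n_templates < 1 or n_attempts < 1:
        raise ValueError("need at least one template and one attempt")
    trials = n_templates * n_attempts
    # Unlock succeeds unless every single comparison is rejected.
    return 1.0 - (1.0 - p_match) ** trials


def find_masterprints(matches, threshold=0.04):
    """Indices of prints accepted by at least `threshold` of the others.

    matches[i][j] is True when print i is accepted by a matcher enrolled
    with print j. Self-matches on the diagonal are ignored, mirroring the
    '4% of the other prints in the batch' definition in the article.
    """
    n = len(matches)
    if n < 2:
        return []
    result = []
    for i, row in enumerate(matches):
        if len(row) != n:
            raise ValueError("matches must be a square matrix")
        hits = sum(1 for j in range(n) if j != i and row[j])
        if hits / (n - 1) >= threshold:
            result.append(i)
    return result


def sample_match_matrix(n=50):
    """Constructed cross-match matrix (not real data): print 0 is accepted
    by four other templates (4/49, about 8%), print 7 by only one (1/49,
    about 2%), everything else only by itself."""
    m = [[False] * n for _ in range(n)]
    for i in range(n):
        m[i][i] = True
    for j in (1, 2, 3, 4):
        m[0][j] = True
    m[7][8] = True
    return m


if __name__ == "__main__":
    for templates, attempts in ((1, 1), (5, 1), (1, 5), (5, 5)):
        print(f"{templates} templates x {attempts} attempts: "
              f"{unlock_probability(0.04, templates, attempts):.1%}")
    print("masterprints in sample batch:",
          find_masterprints(sample_match_matrix()))
```

Under the independence assumption, a 4% per-template acceptance rate that looks harmless for one template and one attempt compounds to roughly 64% with five stored partials and five attempts, which is why the number of enrolled partials and the attempt limit matter as much as the matcher's own threshold. The batch rule is what the article's "92 per 800" figure is counting: prints whose row in the cross-match matrix clears the 4% line.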
Arun Ross, professor of computer science at Michigan State University, who also took part in the research, said: "As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features. If resolution is not improved, the distinctiveness of a user's fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this."