Researchers develop synthetic skeleton keys for fingerprint sensors

Those fingerprint-based security systems in your mobile phone might not be quite as secure as you wish they were. That’s the takeaway from just-published research by engineering researchers at New York University and Michigan State University.

NYU/MSU researchers started by noting that the small fingerprint sensors in your device typically don’t capture an entire fingerprint: they settle for partial fingerprints. What’s more, as MSU Today notes, many devices permit users to generate multiple partial impressions, and to enroll more than one finger:

“Identity is confirmed when a user’s fingerprint matches any of the saved partial prints.”

Every complete human fingerprint is commonly assumed to be unique. But what if partials were similar enough that they could generate a single “MasterPrint” which would successfully authenticate many individuals?

According to NYU’s press room, “the team analyzed the attributes of MasterPrints culled from real fingerprint images, and then built an algorithm for creating synthetic partial MasterPrints.” And their digitally simulated “synthetic partials” proved worryingly effective.

The team reported successfully matching between 26 and 65 percent of users, depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication.

Not surprisingly, vulnerability rates increased as devices stored more partial fingerprints for an individual user. As The New York Times reports:

“Dr. Memon said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password.”

The researchers and their fellow academics have carefully noted several limitations of this research.

First, the researchers used simulators: they didn’t possess any “magic glove” to actually press a phone’s fingerprint sensor. Such fake “gloves” aren’t yet easy to create – but, as MSU Today notes:

“improvements in creating synthetic prints and techniques for transferring digital MasterPrints to physical artifacts in order to spoof an operational device pose significant concerns.”

Second, many aspects of fingerprint biometric systems are kept secret by their manufacturers and by the cellphone makers who implement them, and not all systems work exactly the same way. Some, like Apple’s, use complementary technological precautions that make them significantly more effective. According to The Times, Apple claims a rate of false positives of only 1 in 50,000 – assuming users only register one fingerprint, that is.

For all these limits, the finding that partials are spoofable is significant, according to Dr. Chris Boehnen, who manages the U.S. government’s IARPA (Intelligence Advanced Research Projects Activity) program on defeating biometrics.

This kind of research helps to identify areas where our security is weaker than we thought, rather than practical forms of attack. Practical attacks may come in time, though, and according to MSU Today, the research team is now investigating potential solutions for this vulnerability.

This could entail developing effective anti-spoofing schemes; carefully selecting the number and nature of partial impressions of a user during enrollment; improving the resolution of small-sized sensors to facilitate extraction of more discriminative features; developing matchers that utilize both minutiae and texture information; and designing more effective fusion schemes to combine the information presented by multiple partial impressions of a user.

Users can improve the effectiveness of their fingerprint authentication today by enrolling only one fingerprint impression, and by using it as one part of a two-factor authentication scheme where they can.

Oh, and remember, fake fingers aren’t the only way to compromise fingerprint security (as this enterprising six-year-old and her mother recently discovered)!