The fingerprint scanner is a popular security barrier found in all sorts of high-end mobile devices currently on the market. It is a fast, easy-to-use alternative to hard-to-remember passwords: it can unlock mobile devices and apps, and even authorise card payments, simply by tapping the screen of a device with your finger.
But is it secure? Apparently not as much as we would like to believe! According to a paper presented at a security conference in Los Angeles (November 2018), researchers from New York University were able to develop machine learning techniques for generating fake fingerprints, dubbed “DeepMasterPrints”, that can not only fool smartphone fingerprint sensors, but also successfully masquerade as fingerprints belonging to numerous other people in a biometric system that should only have an error rate of one in a thousand! And here’s the interesting but worrisome part – they were able to “spoof” these fingerprints without actually having any prior information about the real ones!
The researchers were able to achieve this by exploiting two key properties of a fingerprint-based authentication system. The first is that, due to the size of mobile devices such as smartphones, the fingerprint sensors tend to be small and therefore obtain only partial images of a user’s fingerprint during the authentication process (i.e. they use the image of whichever part of the user’s finger is touching the scanner). Since small portions of a fingerprint are not as distinctive as the full fingerprint, an attacker only has to spoof a tiny portion of a victim’s fingerprint in order to be granted access to their device.
The second is that some fingerprint features are more common than others. So a fake fingerprint that contains a lot of the features commonly found in our fingerprints is, when presented to a biometric scanner, more likely to match a real fingerprint (especially as, in the case of mobile devices, only a small portion of the fingerprint needs to match). This is where the researchers used machine learning techniques to extract the common features from a collection of real fingerprints (provided by 6120 people) and combine them to artificially generate a “master” fingerprint that looks convincingly like a real one (think of this master fingerprint as one of those keys that can unlock many doors in a hotel!).
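The two properties above can be seen in a toy model, added here as an illustration and not taken from the researchers’ paper or code. It treats a partial print as a set of abstract feature IDs (not real minutiae), calibrates a matcher to the one-in-a-thousand error rate against ordinary impostor fingers, and then measures how often a probe made of the most common features is accepted at that same threshold. The vocabulary size, the Zipf-like feature frequencies, the overlap-threshold matcher and all function names are assumptions.

```python
# Added toy model: a "fingerprint" is a set of abstract feature IDs, not real minutiae.
import random
from collections import Counter
from itertools import accumulate

V, P = 200, 12   # assumed: feature vocabulary size, features seen in one partial capture
CUM = list(accumulate(1.0 / (i + 1) for i in range(V)))  # assumed Zipf-like frequencies

def partial_print(rng):
    """One partial capture: P distinct features, common ones drawn more often."""
    feats = set()
    while len(feats) < P:
        feats.add(rng.choices(range(V), cum_weights=CUM)[0])
    return frozenset(feats)

def overlap_histogram(probes, templates):
    """Count how many (probe, template) pairs share exactly k features."""
    return Counter(len(p & t) for p in probes for t in templates)

def match_rate(hist, threshold):
    """Fraction of pairs the matcher accepts (shared features >= threshold)."""
    total = sum(hist.values())
    return sum(n for k, n in hist.items() if k >= threshold) / total

def calibrate(hist, target_fmr):
    """Smallest threshold whose random-impostor false match rate is <= target."""
    return next(t for t in range(1, P + 2) if match_rate(hist, t) <= target_fmr)

def run(seed=2018, target_fmr=0.001):
    rng = random.Random(seed)
    training = [partial_print(rng) for _ in range(2000)]   # constructed sample population
    enrolled = [partial_print(rng) for _ in range(3000)]   # constructed enrolled templates
    impostors = [partial_print(rng) for _ in range(200)]   # ordinary, unrelated fingers

    # Probe made of the P most common features seen in the training population.
    freq = Counter(f for t in training for f in t)
    common_probe = frozenset(f for f, _ in freq.most_common(P))

    impostor_hist = overlap_histogram(impostors, enrolled)
    threshold = calibrate(impostor_hist, target_fmr)
    probe_hist = overlap_histogram([common_probe], enrolled)
    return {
        "threshold": threshold,
        "impostor_rate": match_rate(impostor_hist, threshold),
        "common_probe_rate": match_rate(probe_hist, threshold),
    }

if __name__ == "__main__":
    print(run())
```

An error rate measured only against random impostor fingers understates how often a probe built from common features is accepted, which is why such probes belong in a matcher’s evaluation set.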
The results published by the researchers indicate that this “master” fingerprint, in its current design, can only be used in a brute-force or random attack (with no guarantee of success) rather than a targeted one. However, when used against many devices at scale, it could generate enough successes to be worth the effort. It is still early days, and we can only assume that the techniques used will be improved upon over the coming years. It does, however, open a new chapter in the arms race between biometric authentication systems and the fake biometrics that can fool them.
If you would like to know more about the design of the deep learning network that was used to generate the fake master fingerprints referred to in this article, here’s the link to the paper that was published by its creators.