Don’t panic, spoofing is still more difficult than you think
Once again someone has found a relatively inexpensive way to spoof fingerprint scanners on mobile devices causing the biometric industry to get defensive and biometric haters to once again say that the technology isn’t secure.
Everybody needs to calm down and take a deep breath.
The latest spoof is from Michigan State University, where researchers took fingerprints, scanned them into a computer and used conductive ink in an inkjet printer to create replicas. The printed replicas were recognized when touched to the smartphone’s scanner. The video – posted below – shows the spoof happening on a Samsung Galaxy device, but I’m guessing the same thing is possible with a Touch ID-enabled iPhone.
Earlier this month a demonstration showed Touch ID being spoofed with Play-Doh as well. This shouldn’t be surprising: it took two days for hackers to come up with a way to fool Touch ID when it was released in 2013, and they had similar success when Samsung introduced fingerprint scanners to its devices.
The common knock against biometrics is that they’re not private. Faces are out for the world to see and people leave fingerprints on just about everything they touch. This is true.
Early facial recognition systems were often spoofed by simply holding up photos of the correct individual. Biometric vendors have made attempts to fix this by requiring the person blink before a transaction is completed to prove that a photo isn’t being used.
Fingerprint biometrics – especially on mobile devices – pose a more difficult challenge when it comes to liveness detection. There are sensors out there and software that can help spot a fake or reproduced fingerprint but that adds cost and complexity.
But what’s left out of the discussion is the difficulty of recreating the fingerprints used to fool the sensors in the first place. Even the Play-Doh spoof requires an individual to hold their finger in the substance for a few minutes before the image is properly defined.
Capturing someone’s fingerprints without their knowledge and creating usable replicas is no easy feat. A spoofer would also have to know which finger or fingers are used to access the devices and then lastly, they have to get their hands on the device.
After jumping through all those hoops a spoofer would then be able to access an individual’s mobile device. But what is so important on the device to warrant all of that work? If someone is carrying around a company’s trade secrets or the nuclear launch codes on a mobile device secured with just a fingerprint there are larger security policy problems that need to be addressed.
My bank knows this. I can check my balances with a touch of my finger but in order to transfer money or pay bills I have to enter my password.
The not-so-dirty secret about fingerprint sensors on mobile devices is that they’re more about convenience than security. Touching your finger to a sensor is infinitely easier than entering a four-digit PIN, but for true security, biometrics should be one authentication factor layered with others.
Biometrics aren’t a perfect security solution; rather, they are one factor that can be used with an array of others to create a complete authentication and identity picture.