A joint team of researchers from New York University’s Tandon School of Engineering and Michigan State University’s College of Engineering is warning that the fingerprint biometrics now commonly used for mobile authentication may not be as unique as many believe.
Because smartphones use only partial fingerprints and often allow for multiple users’ fingerprint data to be stored, the researchers hypothesized that there could be sufficient overlap between the various biometrics to allow a stranger to access a device a certain percentage of the time. In a statement announcing the research, one member of the research team compared it to hackers guessing with the password “1234”, saying that it will prove to be the right password about four percent of the time.
The researchers proceeded to analyze 8,200 partial fingerprints. For every random batch of 800 partial fingerprints, the researchers say they found 92 samples whose biometric data overlapped with four percent of the other prints. They also created an algorithm to build synthetic versions of such “MasterPrints” that proved even more effective, with the researchers claiming that they used them to match between 26 and 65 percent of users.
There are some important caveats here, perhaps most notably that this research was done in a lab, not in the field. It also seems unlikely that a would-be hacker would go through hundreds of strangers’ phones on the off chance that they might happen to find a match. But the research does highlight the wisdom of the industry’s shift toward multimodal authentication, a move currently being led by Samsung with its new iris- and face-scanning smartphones, while Apple is reportedly planning to integrate facial recognition into its next iPhone.
April 11, 2017 – by Alex Perala