As I’ve explained before, fingerprints are not the same as passwords.
- Your passwords can be kept secret. You leave your fingerprints lying around everywhere.
- You should have different passwords for everything you do. You only have ten fingerprints to choose from (if you have the typical allocation of hands).
- If the worst happens, you can always change your passwords. You can’t change your fingerprints. You’re stuck with them for life.
- You can forget your passwords. You always have your fingerprints on you.
- Your fingerprints aren’t easily guessable, as you never have one that’s the name of your favourite football team or something dumb like Fingerprint1.
So relying on fingerprints for your security clearly carries some risks.
The Samsung Galaxy S10 smartphone was released in early March to much fanfare. Among its features, Samsung bragged of “next generation vault-like security” with its ultrasonic fingerprint scanner fused directly into its front screen, that could even work when your hand was wet:
“Using ultrasonic pulses, it detects the 3D ridges and valleys of your fingerprint, so only you can access your phone. It’s secure and convenient — even allowing you to unlock, drag and hold to open the app you want.”
It sure sounds convenient, but “secure”? “Only you can access your phone”? These seem like bold claims…
And that certainly appears to have been the opinion of an Imgur user called “darkshark”, who has posted a video demonstrating how he was able to unlock a Samsung Galaxy S10 with a 3D copy of his fingerprint, captured from a photograph of a print he had left on a wine glass:
It took me 3 reprints trying to get the right ridge height (and I forgot to mirror the fingerprint on the first one) but yeah, 3rd time was the charm. The 3D print will unlock my phone…in some cases just as well as my actual finger does.
This brings up a lot of ethics questions and concerns. There’s nothing stopping me from stealing your fingerprints without you ever knowing, then printing gloves with your fingerprints built into them and going and committing a crime.
If I steal someone’s phone, their fingerprints are already on it. I can do this entire process in less than 3 minutes and remotely start the 3d print so that it’s done by the time I get to it. Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.
Darkshark’s 3D-printed fingerprint wouldn’t have been successful at unlocking the capacitive resistors used in the fingerprint sensors of most mobile phones, including previous versions of the Samsung Galaxy.
If you’re keen to maintain your security and privacy, you might be wise not to rely on fingerprints alone to secure your devices.
As I have said before, the security of these systems depends entirely on the hardware difficulty of creating a working copy fingerprint. It is only a matter of time before someone finds a way of doing it quickly and economically (it looks as if they're pretty close to that in this case). The same argument can be used with any biometric authentication system – basically, I believe if it can be read, then (ultimately) it can be copied. I worry about the increasing proliferation of these systems, and the ignorance of the weaknesses of the supposed 'security' they provide.
Perhaps if you put the phone in your brain, it couldn't be stolen and abused! Mmmmm…..