Washington D.C. [USA], April 16: Be careful when setting up the fingerprint-based security system on your cell phone, as a study suggests that similarities in partial fingerprints may be sufficient to trick biometric security systems on smartphones.
According to researchers, the vulnerability lies in the fact that fingerprint-based authentication systems feature small sensors that do not capture a user's full fingerprint.
Instead, they scan and store partial fingerprints, and many phones allow users to enroll several different fingers in their authentication system.
Identity is confirmed when a user's fingerprint matches any one of the saved partial prints. The researchers hypothesized that there could be enough similarities among different people's partial prints that one could create a "MasterPrint." The MasterPrint concept bears some similarity to a hacker who attempts to crack a PIN-based system using a commonly adopted password such as 1234, explained lead study author Nasir Memon from New York University Tandon School.
"About four percent of the time, the password 1234 will be correct, which is a relatively high probability when you're just guessing," said Memon.
Using commercial fingerprint verification software, the researchers found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints.
They found, however, just one full-fingerprint MasterPrint in a sample of 800 full prints. "Not surprisingly, there's a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification," said Memon.
With their digitally simulated MasterPrints, the team reported successfully matching between 26 and 65 percent of users, depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication.
The more partial fingerprints a given smartphone stores for each user, the more vulnerable it is.