
Communications of the ACM

ACM News

Attackers Can Bypass Fingerprint Authentication with an ~80% Success Rate

A fingerprint lock on a smartphone handset.

On average, fake fingerprints are able to bypass sensors at least once roughly 80% of the time.

Credit: Andri Koolme

For decades, the use of fingerprints to authenticate users to computers, networks, and restricted areas was mostly limited to large and well-resourced organizations that used specialized and expensive equipment. That all changed in 2013 when Apple introduced TouchID. Within a few years, fingerprint-based validation became available to the masses as computer, phone, and lock manufacturers added sensors that gave users an alternative to passwords when unlocking their devices.

Although hackers managed to defeat TouchID with a fake fingerprint less than 48 hours after the technology was rolled out in the iPhone 5, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as a safe alternative to passwords when unlocking devices in many, but not all, contexts.

A very high probability

A study published on Wednesday by Cisco's Talos security group makes clear that the alternative isn't suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80% of the time.


From Ars Technica