Fingerprint scanner on a smartphone – how reliable it is

Even 20 years ago, few people wondered why a fingerprint scanner was needed, and today it is present on many smartphones released after 2014. Agree, it is convenient to unlock the device, confirm purchases in online stores or open accounts in online services with one touch.

But are fingerprint scanners on smartphones reliable from the point of view of information security? Let’s figure it out.

How hackers hacked the iPhone 5S — a breakthrough in the field of biometrics

On September 20, 2013, sales of the iPhone 5S — the seventh-generation iPhone device with a Touch ID biometric scanner, which became a real breakthrough in biometric authentication — began. It is noteworthy that a year earlier, Apple Corporation purchased Authentec, a company specializing in computer security, identity management and the production of biometric scanners, for $356 million..

At the time, it was the first smartphone to have a biometric scanner. It was assumed that its presence would reliably protect the information on the device from hacking.

However, within a few days, a group of German hackers published step-by-step instructions for breaking Touch ID. The essence of their method was to attach to the scanner a facsimile taken from a photograph of the owner’s fingerprint. The print itself can technically be removed from a window or glass and slightly corrected in Photoshop.

First, the print was photographed in high resolution (2400 dpi) and printed on thick paper, cardboard (1200 dpi), then filled with latex (or ordinary carpenter’s glue) and waited for drying. The separated form, put on the finger of the attacker, was perceived by the sensor as the finger of the real owner. It turned out that the scanner can be fooled using a dummy.

This did not prevent the company from continuing to release models with a biometric scanner and had little effect on further sales of the iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus and other company devices. At most, the trend has been picked up further by all smartphone manufacturers, continuing to discover and improve new technologies to overcome the shortcomings of previous versions.

User concerns about biometric security

Sending a printout to the server

Almost immediately after the sale of the first devices and the scandalous story with the Touch ID hack, Apple was accused of sending fingerprint scans to servers where they could be stolen by fraudsters. However, the company was able to refute this accusation, since a pair of keys is created with cryptographic encryption in mind when the fingerprint is saved. Next, a special chip inside the device is used to store and match the print. And only the corresponding encrypted cryptographic key is transmitted to the server, which cannot be used to reproduce the image itself.

Note. Digital forensics experts can still either get a fingerprint from the smartphone’s memory using specialized software, or bypass the phone’s protection despite the user’s fingerprint lock.

Severed finger to break

Almost immediately after the presentation of the iPhone 5S, many potential buyers began to express fears that thieves will begin to cut off the owners’ fingers in order to unlock their devices. However, Sebastian Tavo, director of technology at Validity Sensors, assured that the RF capacitive sensor technology takes into account a number of indicators (humidity, temperature, etc.). Therefore, a severed finger will not work as a key.

Types of biometric scanners and their reliability

The surface of the finger pad not only has a unique papillary pattern woven from the configuration of ridges, depressions, pores on the surface of the skin, but also has thermal and electrical characteristics. This means that light, heat, electricity, and ultrasound can be used to obtain a fingerprint. Today, fingerprint scanners used on personal devices can be divided into three main groups:

• optical — receive a print with the help of light;
• semi-conductors – receive a print using electricity or heat;
• ultrasonic — receive a three-dimensional impression with the help of sound.

Let’s consider their advantages and disadvantages.

Optical scanners

Optical scanners

An optical scanner is usually installed on OLED displays. It works like a camera: when applying a finger, the area of the scanner is illuminated and the reflection of light from the finger falls on the photosensitive matrix, where it is further transformed into a digital image.

Advantages of optical scanners:

• They can be installed directly under the touch screens of user devices, which is very convenient to use.

Disadvantages:

• the speed of the scanner directly depends on the resolution of the matrix;
• work with two-dimensional images, and light is reflected equally both from the skin and from another surface, so optical devices are easier to deceive;
• the stability of their work depends very much on the cleanliness and moisture of the finger;
• sometimes the reader does not work well with a protective glass or protective film on the screen.

Capacitive scanners

Semiconductor scanners

There are several types of semiconductor scanners (thermal, radio frequency, capacitive, pressure sensors). But most of them (except capacitive) are usually not used in smartphones due to serious disadvantages – high price, bulkiness, unstable work with the image, tendency to wear out quickly (in particular, sensors pressure). Therefore, we will consider the most common of them – capacitive scanners.

Capacitive scanners made on the basis of a silicon plate containing microcapacitors located in a matrix. The scanning itself is based on changing the charge of the capacitors when touching the surface of the finger. And since the width of the papillary ridge is about 450 μm, and the capacitor modules have a size of 50 × 50 μm, such scanners read the print quite accurately, capturing minimal differences in the papillary pattern.

Advantages of capacitive scanners:

• low cost;
• the highest speed of information processing compared to other types of scanners;
• accuracy and reliability of work;
• works effectively even if the surface of the finger is dirty or dry.

Disadvantages:

• it is impossible to install a capacitive scanner under the screens of personal devices;
• in order to make the device cheaper, manufacturers use more budget versions of scanners, and their resolution is low, so they can be tricked with dummies;
• for the scanner to work without failures, to be more durable, to be more protected against dummies (work with a higher resolution), it is better to use capacitive scanners on separate, remote devices.

Ultrasonic scanners

Ultrasonic scanners

Such devices work according to the principle of an ultrasound scanner. The device sends imperceptible ultrasonic signals to the surface of the finger. They push away from him and return to the scanner, which recognizes the image in a three-dimensional projection.

Advantages of such a device:

• high accuracy and reliability of reading even with contamination;
• no need to touch the device;
• the device can be installed not only under glass, but also anywhere on the device, since signals pass through many surfaces;
• it is impossible to fool such a scanner with a dummy.

Disadvantages:

• the development of technologies is still in the process of improvement and has not been widely implemented;
• high price for such devices.

Despite the shortcomings of the devices, they can be called reliable due to the impossibility of forging a fingerprint.

Which scanners are the most reliable?

We have listed in our article the most popular fingerprint scanners today, all of them have advantages and disadvantages. But in order not to choose between high price and quality, we offer an alternative option – YubiKey capacitive security keys of the Bio series with a fingerprint sensor.

YubiKey Bio

Their advantages:

• high-quality devices are practically not subject to wear and tear thanks to a reliable reinforced case without insertable or removable parts;
• they have a level of protection against dust and moisture IP68 — that is, they can be underwater at a depth of up to 1 meter or fall into sand and then continue to work as if nothing had happened;
• the fingerprint is stored on the chip and is not transmitted to the server; at the same time, unlike smartphones, the device is completely protected from reading and copying, therefore, the information on them cannot be read by any specialized means (there are simply no hidden or open folders for reading as on personal devices);
• the YubiKey Bio security key works with thousands of sites where you can potentially replace password login with fingerprint login or use the key for two-factor authentication; for this, the device supports all necessary protocols: FIDO2, FIDO U2F;
• YubiKey keys of the Bio series have two types of form factors: USB-A, USB-C, so they can be used not only for smartphones, but also for other personal devices.

Find more information or order the device described above you can here. If you need a consultation, call: +38 (044) 35 31 999