Fingerprint scanner

on a smartphone —

how reliable it is

Fingerprint scanner on a smartphone – how reliable it is

Even 20 years ago, few people wondered why a fingerprint scanner was needed, and today it is present on many smartphones released after 2014. Agree, it is convenient to unlock the device, confirm purchases in online stores or open accounts in online services with one touch.

But are fingerprint scanners on smartphones reliable from the point of view of information security? Let’s figure it out.

How hackers hacked the iPhone 5S — a breakthrough in the field of biometrics

On September 20, 2013, sales of the iPhone 5S — the seventh-generation iPhone device with a Touch ID biometric scanner, which became a real breakthrough in biometric authentication — began. It is noteworthy that a year earlier, Apple Corporation purchased Authentec, a company specializing in computer security, identity management and the production of biometric scanners, for $356 million..

At the time, it was the first smartphone to have a biometric scanner. It was assumed that its presence would reliably protect the information on the device from hacking.

However, within a few days, a group of German hackers published step-by-step instructions for breaking Touch ID. The essence of their method was to attach to the scanner a facsimile taken from a photograph of the owner’s fingerprint. The print itself can technically be removed from a window or glass and slightly corrected in Photoshop.

First, the print was photographed in high resolution (2400 dpi) and printed on thick paper, cardboard (1200 dpi), then filled with latex (or ordinary carpenter’s glue) and waited for drying. The separated form, put on the finger of the attacker, was perceived by the sensor as the finger of the real owner. It turned out that the scanner can be fooled using a dummy.

This did not prevent the company from continuing to release models with a biometric scanner and had little effect on further sales of the iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus and other company devices. At most, the trend has been picked up further by all smartphone manufacturers, continuing to discover and improve new technologies to overcome the shortcomings of previous versions.

Hackers hacked iphone 5s

User concerns about biometric security

Sending a printout to the server

Almost immediately after the sale of the first devices and the scandalous story with the Touch ID hack, Apple was accused of sending fingerprint scans to servers where they could be stolen by fraudsters. However, the company was able to refute this accusation, since a pair of keys is created with cryptographic encryption in mind when the fingerprint is saved. Next, a special chip inside the device is used to store and match the print. And only the corresponding encrypted cryptographic key is transmitted to the server, which cannot be used to reproduce the image itself.

Note. Digital forensics experts can still either get a fingerprint from the smartphone’s memory using specialized software, or bypass the phone’s protection despite the user’s fingerprint lock.

Severed finger to break

Almost immediately after the presentation of the iPhone 5S, many potential buyers began to express fears that thieves will begin to cut off the owners’ fingers in order to unlock their devices. However, Sebastian Tavo, director of technology at Validity Sensors, assured that the RF capacitive sensor technology takes into account a number of indicators (humidity, temperature, etc.). Therefore, a severed finger will not work as a key.

Types of biometric scanners and their reliability

The surface of the finger pad not only has a unique papillary pattern woven from the configuration of ridges, depressions, pores on the surface of the skin, but also has thermal and electrical characteristics. This means that light, heat, electricity, and ultrasound can be used to obtain a fingerprint. Today, fingerprint scanners used on personal devices can be divided into three main groups:

  • optical — receive a print with the help of light;
  • semi-conductors – receive a print using electricity or heat;
  • ultrasonic — receive a three-dimensional impression with the help of sound.

Let’s consider their advantages and disadvantages.

Optical fingerprint scanners

Optical scanners

Optical scanners

An optical scanner is usually installed on OLED displays. It works like a camera: when applying a finger, the area of the scanner is illuminated and the reflection of light from the finger falls on the photosensitive matrix, where it is further transformed into a digital image.

Advantages of optical scanners:

  • They can be installed directly under the touch screens of user devices, which is very convenient to use.

Disadvantages:

  • the speed of the scanner directly depends on the resolution of the matrix;
  • work with two-dimensional images, and light is reflected equally both from the skin and from another surface, so optical devices are easier to deceive;
  • the stability of their work depends very much on the cleanliness and moisture of the finger;
  • sometimes the reader does not work well with a protective glass or protective film on the screen.
olympus digital camera

Capacitive scanners

Semiconductor scanners

There are several types of semiconductor scanners (thermal, radio frequency, capacitive, pressure sensors). But most of them (except capacitive) are usually not used in smartphones due to serious disadvantages – high price, bulkiness, unstable work with the image, tendency to wear out quickly (in particular, sensors pressure). Therefore, we will consider the most common of them – capacitive scanners.

Capacitive scanners made on the basis of a silicon plate containing microcapacitors located in a matrix. The scanning itself is based on changing the charge of the capacitors when touching the surface of the finger. And since the width of the papillary ridge is about 450 μm, and the capacitor modules have a size of 50 × 50 μm, such scanners read the print quite accurately, capturing minimal differences in the papillary pattern.

Advantages of capacitive scanners:

  • low cost;
  • the highest speed of information processing compared to other types of scanners;
  • accuracy and reliability of work;
  • works effectively even if the surface of the finger is dirty or dry.

Disadvantages:

  • it is impossible to install a capacitive scanner under the screens of personal devices;
  • in order to make the device cheaper, manufacturers use more budget versions of scanners, and their resolution is low, so they can be tricked with dummies;
  • for the scanner to work without failures, to be more durable, to be more protected against dummies (work with a higher resolution), it is better to use capacitive scanners on separate, remote devices.
Ultrasonic scanners

Ultrasonic scanners

Ultrasonic scanners

Such devices work according to the principle of an ultrasound scanner. The device sends imperceptible ultrasonic signals to the surface of the finger. They push away from him and return to the scanner, which recognizes the image in a three-dimensional projection.

Advantages of such a device:

  • high accuracy and reliability of reading even with contamination;
  • no need to touch the device;
  • the device can be installed not only under glass, but also anywhere on the device, since signals pass through many surfaces;
  • it is impossible to fool such a scanner with a dummy.

Disadvantages:

  • the development of technologies is still in the process of improvement and has not been widely implemented;
  • high price for such devices.

Despite the shortcomings of the devices, they can be called reliable due to the impossibility of forging a fingerprint.

Which scanners are the most reliable?

We have listed in our article the most popular fingerprint scanners today, all of them have advantages and disadvantages. But in order not to choose between high price and quality, we offer an alternative option – YubiKey capacitive security keys of the Bio series with a fingerprint sensor.

Capacitive scanners yubikey

Their advantages:

  • high-quality devices are practically not subject to wear and tear thanks to a reliable reinforced case without insertable or removable parts;
  • they have a level of protection against dust and moisture IP68 — that is, they can be underwater at a depth of up to 1 meter or fall into sand and then continue to work as if nothing had happened;
  • the fingerprint is stored on the chip and is not transmitted to the server; at the same time, unlike smartphones, the device is completely protected from reading and copying, therefore, the information on them cannot be read by any specialized means (there are simply no hidden or open folders for reading as on personal devices);
  • the YubiKey Bio security key works with thousands of sites where you can potentially replace password login with fingerprint login or use the key for two-factor authentication; for this, the device supports all necessary protocols: FIDO2, FIDO U2F;
  • YubiKey keys of the Bio series have two types of form factors: USB-A, USB-C, so they can be used not only for smartphones, but also for other personal devices.

Find more information or order the device described above you can here. If you need a consultation, call: +38 (044) 35 31 999

How the YubiKey protects against brute-force attacks: technicalities of attacks and key encryption

How the YubiKey protects against brute-force attacks: technicalities of attacks and key encryptionBrute force attacks are one of the most common hacking methods. It is considered one of the simplest, because in fact, in order to start an attack, an attacker only needs...

What businesses need to know about information security – an overview of technical tools

Unauthorised access to personal information, financial accounts or trade secrets can cause a lot of damage. This can lead to large losses due to the loss of reputation and financial assets, violation of user privacy, etc. Therefore, every person, organisation, business or financial institution must take care of data protection.

What is multifactor authentication?

What is multifactor authentication? What is multifactor authentication and when is it appropriate to use it Account protection with the help of one factor – a complex password – ceased to be reliable about two decades ago. Therefore, network users are recommended to...

What is 2-Step Verification

What is two-step authentication?It is very unpleasant to imagine, even for a moment, a situation in which an outsider gains access to your personal account on a PC. After all, in this case, the attacker can: view personal correspondence; copy photos intended only for...

Ways to log in to the Windows OS without a password

Ways to configure passwordless login in the Windows OSWays to log in to the Windows OS without a password Access to the operating system account should be simple but secure. Especially if the device can be used by several other people – in an office, co-working space...

Two-factor authentication

Two-factor authentication Two-factor authentication In the modern world of computer tech, when it comes to information and personal data protection the use of passwords only is no longer reliable. It’s no secret, that even complex combinations of words, digits and...

Academic account security

Academic account security – checklist for developers, students, and teachers Academic Account Security – A Checklist for Developers, Students, and Teachers The education sector faces cyberattacks no less than other areas. Over the past 2 years from ransomware attacks...

How to choose a quality USB token or security key

What is a USB token and how to use itThe concept of a USB token Since protecting accounts with a login and password has long been outdated, back in the early 2000s, many manufacturers began to offer USB tokens as an alternative solution. These are hardware keys for...

New challenges and threats of modern cyberspace in the era of ChatGPT: how is the criminal’s portrait changing?

OpenAI introduced GPT chat version 3 in late 2022, based on large language models. He knew how to hold a conversation like a real person, communicate in many languages, pass exams, write software code and even blog. Already after 2 months, the number of his supporters...

Is the password-free world real?

Is the password-free world real? Is the password-free world real? There have been talks about a passwordless future for a long time, but for a long time many companies were not yet ready to switch to new technologies. They had questions about security,...