A new study finds that smartphone fingerprint security has vulnerabilities similar to weak passwords.

Consumers can be pretty lax about their online security.

About 4% of the time, the password to unlock a smartphone is 1-2-3-4, says Nasir Memon, a professor of computer science and engineering at New York University Tandon School of Engineering. And that’s a pretty high probability for just guessing, he says.

To help make it easier for consumers to protect data and personal information, many newer smartphones, such as the iPhone 6, can be locked with a fingerprint sensor, which is a form of biometric authentication. Other biometric identifiers include retina or facial features.

Because fingerprints are unique to each person and can’t be shared or guessed, they often are considered a more secure way to lock a smartphone, keeping sensitive information, such as payment data, protected.

A new study, however, conducted over the past year by the Tandon School of Engineering at NYU and Michigan State University College of Engineering, finds that fingerprints are more vulnerable than previously believed. The study analyzed 8,200 partial fingerprints and found that 11.5% of the partial prints had the same likelihood of unlocking a smartphone as the password “1-2-3-4.” The study referred to these vulnerable partial prints as “MasterPrints.” A partial fingerprint is a section of a fingerprint and not the entire print, and a MasterPrint is a common partial print.




Nasir Memon, professor of computer science and engineering at New York University Tandon School of Engineering

“The perception people have is that fingerprints are very secure,” Memon says. “What we are saying is that they are convenient to use but the security properties are not as understood.”


Typically, when a consumer sets up her newer smartphone she can store several fingerprints—such as her thumb and index finger fingerprints—and she taps each finger on the sensor multiple times to store it. What the smartphone is doing during this process is saving several partial fingerprints, because a smartphone’s sensor is not large enough to capture the entire fingerprint. It saves partial fingerprints so that no matter which part of the consumer’s finger taps the sensor, the device will unlock.

As a result, instead of the smartphone having one unique fingerprint, the device now has at least 10 correct partial fingerprints that will unlock the device. The more partial fingerprints a given smartphone stores for each user, the more vulnerable it is, Memon says. And once a criminal unlocks a smartphone, all the information stored on the device is up for grabs.

Another way to think about partial fingerprints and MasterPrints is to imagine a phone that unlocks by taking a picture of the user’s face, but that stores only portions of the consumer’s face and not the entire picture. The user takes multiple pictures of different sections of her face, any of which would unlock the phone. The consumer’s face is unique as a whole, but individual pieces of the face are less unique and can match sections of other people’s faces. If there is a particular section of the face that can easily match another user, this would be the “MasterPrint.”

If a thief happens to have a MasterPrint, which is a common partial print, he has a 4% likelihood of getting his print to unlock the smartphone, the same as a “1-2-3-4” password, Memon says. However, the likelihood is actually higher than 4% because the consumer probably has many partial fingerprints saved on her smartphone and the criminal has five tries to unlock the phone. When factoring this in, a criminal’s chances of unlocking a device could be anywhere from 15% to 65%, Memon says.


While this is startlingly high, it’s only a problem if a consumer’s physical device is stolen and a thief has downloaded a public fingerprint database, identified a MasterPrint and physically created a fake fingerprint, such as via 3-D printing or a gummy-type product, Memon says. But once a thief unlocks a device and has the corresponding fingerprint, he can make purchases with all of the consumer’s saved payment credentials and approve any biometric-authenticated payments, such as Apple Pay and Android Pay. Plus, if a criminal creates a MasterPrint, there is nothing to stop him from selling the print, Memon says.

While smartphone manufacturers could make the fingerprint sensor bigger, this could cause device usability issues, Memon says. “We need better ways to design systems that use partial fingerprints,” he says.

Other biometric security measures, such as an iris scan (the Samsung Galaxy Note7 used this), are more secure than a fingerprint but are harder to use. For example, the iris scan doesn’t always work in low light and consumers may find it inconvenient to hold a smartphone up to their face as opposed to tapping a button on a device.