The Quest for the Universal Fingerprint

Published: 2017-05-04
Last Updated: 2017-05-04 21:50:58 UTC
by Rob VandenBrink (Version: 1)
2 comment(s)

Gebhard pointed us to an article at Heise, which reports that researchers are working towards a "universal fingerprint" - a master pattern (or small number of master patterns) that ring enough bells to unlock any of today's fingerprint readers.  They are currently have an approach that takes partial impressions and combines them until it "matches enough" to unlock a phone (or otherwise match a biometric reader) - essentially a dictionary attack against your fingerprint.   They are currently at a 65% success rate, but of course that can only get better. 

Their advice?  Get better readers (that can read depth of fingerprint patterns, add in heartbeat sensors etc), or combine multiple authentication mechanisms if your plan needs to account for attacks of this type.  I'd say nation-state attacks, but this sounds like it's something anyone who's reasonably funded and motivated could take on, especially after the research is formally published.

Add this to the well-known fact that once compromised, you cannot revoke your fingerprints, or change them either.  If a successful and simple fingerprint attack is possible, either we need to look at better fingerprint readers going forward, or this takes fingerprint authentication off the table entirely.

References:

https://www.heise.de/newsticker/meldung/Mit-Master-Fingerabdruck-Zugriff-auf-fremde-Smartphones-bekommen-3702411.html
https://www.heise.de/tr/artikel/Kuenstlicher-Fingerabdruck-entsperrt-fremde-Smartphones-3697183.html

===============
Rob VandenBrink
Compugen

Keywords:
2 comment(s)

Comments

"Add this to the well-known fact that once compromised, you cannot revoke your fingerprints, or change them either."

And that is the heart of the issue, any item which can *not* be quickly and easily revoked or changed once it has been found to be compromised, such as biometrics, absolutely can *not* be used for authentication. At best, we can use them for identification, but not authentication.
Hi, any smartphone finger sensor != "any of today's fingerprint readers"

Diary Archives