How Secure is Your Phone Fingerprint Scanner?

--

@author Randy Gingeleski

@since 01/18/2017

@see authentication

--

At some young age we learn that everyone has unique fingerprints. So trustworthy you can identify murderers with them.

And, more recently, unlock phones and mobile apps. Passwords, PINs, and patterns are inconvenient compared to the sub-second fingerprint scan. Plus less secure since our fingerprints are unique… right?

Not to your phone. Most users are unaware that their phones achieve this quick scan time by “dumbing down” their fingerprint.

Fully and accurately scanning fingerprints is a tricky business. There are classic engineering trade-offs.

Pick two of the following for full resolution fingerprint scans:

  • Cheap
  • Accurate
  • Fast

How does your phone seem to achieve all three? It unlocks based not off your full fingerprint, but a subset of markers within it.

Meaning someone with a fingerprint sort of like yours can unlock your phone. This is worrisome for people like me who had their fingerprint data stolen in the OPM hack of 2015.

This is why Google forces Pixel phone users (maybe this is a more general Android thing?) who rely on fingerprint unlocks to utilize an additional mechanism when first turning on their phone. But what are the chances of your phone being dead when a threat actor goes to access it?

For now, fingerprints aren’t God’s gift to replace passwords and PINs, if you’re serious about security. Pair one with a PIN, though, and I’d bet that’s better than a password.

Decide for yourself. Consider how sensitive the data on your phone is.

Most of it can probably be reached from a cloud account anyway. 💀