Biometric unlocking has made smartphones very convenient to use. A touch of a finger opens the phone without the need for a password or pattern. You can also pay for shopping with a fingerprint if you use Android Pay or Apple Pay.
Banks use fingerprints as well: the user presses a finger to the sensor inside a banking app to transfer money or pay bills. Despite the convenience that such wizardry provides, some security gaps are still left unfilled.
According to findings published by researchers at Michigan State University and New York University, smartphones can be unlocked with fake fingerprints that are digitally created from several common features found in human fingerprints.
The researchers from the two universities managed to create artificial MasterPrints that matched as many as 65% of real human fingerprints.
However, the researchers did not test the MasterPrints on real phones. The artificial prints might therefore not achieve the estimated results in real-life situations.
In this case, the use of fingerprints to unlock smartphones still raises questions about their effectiveness and about the security hole they may leave open.
Commenting on these findings, Andy Adler, a professor of systems and computer engineering, said that the results are not as worrisome as presented where smartphone security is concerned. Professor Adler is an expert in biometric security systems at Carleton University in Canada.
Adler added that if one can get into 1 out of 10 phones to access some stuff, those are not bad odds, and that this alone cannot determine how insecure biometrics in smartphones are.
Full human fingerprints are tough to fake, but the print scanners used in smartphones are too small to take in an entire thumbprint, so they scan only a section of it.
When you set up fingerprint security on an Apple iPhone or on a phone that runs Google’s Android system, it takes over 8 sample images of your finger so that a match is easy to make when you place your finger on the sensor to unlock it.
Moreover, some users enroll more than one finger, say the forefinger and the thumb of each hand. Since a touch needs to match only one stored image, the system can potentially be unlocked with falsified prints.
Commenting on the issue, Nasir Memon, a professor of computer science and engineering at New York University’s Tandon School of Engineering, said that faking the biometrics in smartphones is like having over 30 passwords when you only need to match at least one of them for the phone to unlock.
Nasir Memon was one of the three authors of the research study, which was published in IEEE Transactions on Information Forensics and Security. His co-authors are Arun Ross, a professor of computer science and engineering at Michigan State, and Aditi Roy, a postdoctoral fellow at New York University’s Tandon School of Engineering.
Dr. Nasir Memon further said that they found that if one could come up with a magic glove containing MasterPrints, it could be possible to get into about 50% of iPhones within the five tries allowed before the smartphone asks for the numeric password. This password is commonly known as a personal identification number, and it is hard to fake.
Responding to the findings, Apple spokesperson Ryan James said that the probability of faking an iPhone fingerprint was 1 out of 50,000 if only one finger was enrolled.
He added that the firm had tested various possible attacks when it was developing the Touch ID system, and that the company had incorporated several more security features to minimize the probability of falsified biometrics being accepted. Google did not comment on the matter.
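The "many passwords, match any one" effect that Memon describes can be put into numbers using the five-attempt limit and the single-finger figure quoted by Apple. The following is an added example, not code from the researchers or from Apple; the function names are hypothetical, and it assumes every comparison is an independent trial with the same false-accept rate, so it gives a baseline for random impostor prints and not for a purpose-built MasterPrint.

```python
import math

def device_far(per_comparison_far, enrolled, attempts):
    """P(at least one false accept) over enrolled * attempts comparisons.
    Assumption: comparisons are independent trials with the same rate."""
    if not 0.0 <= per_comparison_far < 1.0:
        raise ValueError("per_comparison_far must be in [0, 1)")
    if enrolled < 1 or attempts < 1:
        raise ValueError("enrolled and attempts must be >= 1")
    n = enrolled * attempts
    # log1p/expm1 keep precision when the rate is tiny (e.g. 2e-5).
    return -math.expm1(n * math.log1p(-per_comparison_far))

def required_comparison_far(target_device_far, enrolled, attempts):
    """Inverse of device_far: the per-comparison rate a matcher must meet
    so the whole device stays at or below target_device_far."""
    if not 0.0 <= target_device_far < 1.0:
        raise ValueError("target_device_far must be in [0, 1)")
    if enrolled < 1 or attempts < 1:
        raise ValueError("enrolled and attempts must be >= 1")
    n = enrolled * attempts
    return -math.expm1(math.log1p(-target_device_far) / n)

def enrollment_table(per_finger_far, attempts, finger_counts=(1, 2, 4)):
    """Device-level false-accept rate for several enrollment sizes."""
    return [(f, device_far(per_finger_far, f, attempts)) for f in finger_counts]

if __name__ == "__main__":
    # Figure quoted on the page for one enrolled finger; treating it as a
    # per-attempt rate is an assumption of this example.
    QUOTED_FAR = 1 / 50_000
    ATTEMPTS = 5  # tries allowed before the PIN is required
    for fingers, far in enrollment_table(QUOTED_FAR, ATTEMPTS):
        print(f"{fingers} finger(s): about 1 in {1 / far:,.0f}")
    # How strict each comparison must be for a phone with four enrolled
    # fingers to keep the single-finger, single-attempt figure overall.
    budget = required_comparison_far(QUOTED_FAR, enrolled=4, attempts=ATTEMPTS)
    print(f"per-comparison budget: about 1 in {1 / budget:,.0f}")
```
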
It is difficult to quantify the actual risk. It should also be noted that Apple and Google keep almost all the useful details of their biometric technology secret.
In addition, the various Android phone companies can adapt the standard design used by Google in ways that reduce the level of security.
Phone manufacturers acknowledged that biometric sensors in smartphones are not foolproof. They pointed out that, because touching a finger to unlock is so easy, many users prefer turning on the security features on their phones to leaving them unlocked. They described leaving phones unlocked as typical of the early days of smartphones.
Dr. Ross acknowledged the limitations of the work, saying that most of the phone vendors did not give the researchers access to the fingerprint image. He added that a spy or thief would need a lot of additional work to use MasterPrints to unlock a smartphone, since one would have to make fake fingers to do so.
The fundamental finding was that partial fingerprints have a vulnerability that allows them to be spoofed. Dr. Chris Boehnen said that the finding was still significant. Boehnen is the manager of the federal government’s Odin program.
The program studies how to defeat biometric security attacks, with the aim of gaining knowledge for the Intelligence Advanced Research Projects Activity.
Dr. Boehnen went on to say that the primary concern is that one can pick up a random smartphone and find that the barrier to getting into it is significantly low. He also said that phone makers could tighten security by making it harder to match partial fingerprints.
According to him, most phone companies are more worried that a customer will be annoyed at having to put a finger against the phone more than once than they are about a thief or spy getting into it.