SAN FRANCISCO • Fingerprint sensors have turned modern smartphones into miracles of convenience. A touch of a finger unlocks the phone - no password required. With services like Apple Pay or Android Pay, a fingerprint can buy a bag of groceries, a new laptop or even a million-dollar vintage Aston Martin. And pressing a finger inside a banking app allows the user to pay bills or transfer thousands of dollars.
While such wizardry is convenient, it has also left a gaping security hole. New findings by researchers at New York University (NYU) and Michigan State University suggest that smartphones can easily be fooled by fake fingerprints, digitally composed of many common features found in human prints. In computer simulations, the researchers were able to develop a set of artificial "MasterPrints" that could match real prints similar to those used on phones as much as 65 per cent of the time.
The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions. Still, the findings raise troubling questions about the effectiveness of fingerprint security on smartphones.
"It's almost certainly not as worrisome as presented, but it's almost certainly pretty darn bad," said Professor Andy Adler, a professor of systems and computer engineering at Carleton University in Canada, who studies biometric security systems. "If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into one in 10 phones, that's not bad odds."
Full human fingerprints are difficult to falsify, but the finger scanners on phones are so small that they read only partial fingerprints. When a user sets up fingerprint security on an Apple iPhone or a phone that runs Google's Android software, the phone typically takes eight to 10 images of a finger to make it easier to make a match. And many users record more than one finger - say, the thumb and forefinger of each hand.
As a finger swipe has to match only one stored image to unlock the phone, the system is vulnerable to false matches.
"It's as if you have 30 passwords and the attacker only has to match one," said Professor Nasir Memon, a professor of computer science and engineering at NYU's Tandon School of Engineering, who is one of three authors of the study, published in IEEE Transactions On Information Forensics And Security. The other authors are Dr Aditi Roy, a postdoctoral fellow at Tandon School, and Professor Arun Ross, a professor of computer science and engineering at Michigan State.
Prof Memon said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 per cent to 50 per cent of iPhones within the five tries allowed before the phone demands the numeric password.
Apple said the chance of a false match in the iPhone's fingerprint system was one in 50,000, with one fingerprint enrolled. Apple spokesman Ryan James said the firm had tested various attacks when developing its Touch ID system. Google declined to comment.
The actual risk is difficult to quantify. Apple and Google keep many details of their fingerprint technology secret and the dozens of companies that make Android phones can adapt Google's standard design in ways that reduce the level of security.
Professor Stephanie Schuckers of Clarkson University, who is director of the Centre for Identification Technology Research, was cautious about the implications of the MasterPrints findings. She said the researchers used a commercially available software program that was designed to match full fingerprints, limiting the broader applicability of their findings.
She noted that mobile-phone makers are studying anti-spoofing techniques to detect the presence of a real finger, such as looking for perspiration or examining patterns in deeper layers of skin. A new fingerprint sensor from Qualcomm, for example, uses ultrasound.
Still, the team's fundamental finding that partial fingerprints are vulnerable to spoofing is significant, said Mr Chris Boehnen, the manager of the United States federal government's Odin programme, which studies how to defeat biometric security attacks as part of the Intelligence Advanced Research Projects Activity. "What's of concern here is that you could find a random phone, and your barrier to attack is pretty low," he said.
Phone makers could easily increase security by making it harder to match the partial fingerprint, he said, "but the average phone company is more worried about you being annoyed that you have to put your finger against the phone two or three times than they are with someone breaking into it".
Adding a larger fingerprint sensor would also decrease the risk, Mr Boehnen said. And some newer biometric security options, such as the iris scanner in Samsung's new Galaxy S8, are harder to fool.
Prof Memon said that, despite his research, he was still using fingerprint security on his iPhone.
"I'm not worried," he said. "I think it's still a very convenient way of unlocking a phone. But I'd rather see Apple make me enter the PIN if it's idle for one hour."