Is Your Fingerprint-Locked Cell Phone Really Secure?
A new study from New York University suggests that fingerprint-based locks may have significant vulnerabilities.

NEW YORK CITY, NY — What could be more secure than a state-of-the-art fingerprint sensor to lock your phone? As anyone can tell you, everyone's fingerprint is unique, like little snowflakes on our hands jam-packed with impenetrable biometric individuality. Or so we thought.
A new study from New York University publicized Tuesday casts doubt on the security of smartphone fingerprint sensors. A team led by Nasir Memon, a professor of computer science and engineering at NYU Tandon, found that these seemingly futuristic locks may be more vulnerable to hackers than most people assume.
While a fingerprint is unique, the authors point out that the small sensors on many phones do not capture the full print; they only match portions of a user's fingerprints. Many phones also allow users to record multiple fingerprints, meaning that anyone trying to break through the lock would have multiple fragments of as many as 10 separate fingerprints to attempt a match, which greatly increases the likelihood of a false ID.
"Not surprisingly, there's a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification," Memon said.
If a cell phone can be easily unlocked, it becomes more valuable to thieves. And anyone who could break the lock could potentially have access to all kinds of personal information on an individual's phone, including bank accounts, credit cards, work information, private emails or other documents.
The authors speculated that a "MasterPrint" could be created that would trick many or most fingerprint-secured phones into allowing access. Some hackers already use a similar method for simple four-digit pass codes.
"About 4 percent of the time, the password 1234 will be correct, which is a relatively high probability when you're just guessing," said Memon.
By examining 8,200 partial fingerprints, the researchers discovered 92 masterprints per 800 randomly selected prints. These "masterprints" could match at least 4 percent of the other prints in the sample.
Even more worrying, however, was what the researchers did next. Algorithmically analyzing these "masterprints," the researchers developed synthetic prints that could be used to hack into a significant portion of fingerprint-secured phones.
These "synthetic MasterPrints" could reportedly match between 26 and 65 percent of users. And the more fingerprints were stored in the phone, the more likely it was that the MasterPrints would find a match.
And if New York University researchers can do it, there's a good chance more malicious actors could as well. So what can people do to protect their phones and their data?
One tip would be to use numeric locks instead of fingerprints. However, users should avoid simple four-digit codes such as 1234, which can easily be guessed; using six-digit codes is more secure.
If you do use fingerprint-based locks — because it really is convenient — this research suggests you're safer using fewer, rather than more, fingers. Try sticking with either one or two thumbs.
Smartphone companies can help increase security on their end as well.
"As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features," said Arun Ross, professor of computer science and engineering at Michigan State University and co-author on the study. "If resolution is not improved, the distinctiveness of a user's fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this."
NYU Tandon's Aditi Roy, a postdoctoral fellow and another co-author, noted that this work was all performed in a simulated environment, and real-world attempts may face additional challenges. The team used "minutiae-based matching" to conduct its research, and some smartphone manufacturers may use different systems. However, Roy argues that the potential security risks discovered in this study suggest we should rely more on multi-factor authentication measures.