5.04.2017

Researchers Create Skeleton Keys for Fingerprint Sensors

Mobile Security Now Less Secure?


Researchers from New York University and Michigan State University published a research paper exposing a problem with using fingerprints to unlock cell phones. The researchers noticed that the sensors in cell phones don’t capture a full fingerprint, and have found a way to beat them. 

Some cell phones can capture fingerprints using a sensor, and if a scanned impression matches one on file, the phone unlocks. Phones can store more than one impression per fingerprint, or more than one finger, increasing the chance of a match. Even though a person’s complete fingerprint is unique, the researchers have identified enough common patterns to make a “Master print” that could unlock many phones.

“This research raises concerns, but fingerprints aren’t broken yet.”

The researchers made test prints from 8,200 partial fingerprints, which proved effective. Tests showed success rates up to 65 percent, and devices with more fingerprints stored unlocked more often. Phones will ask for a password after a few failures, so the researchers made five tries per fingerprint. This research raises concerns, but fingerprints aren’t broken yet. 

First, the research used a simulation, not an actual “key”. Such a key is at least a few years away, even with 3D printing. Second, each manufacturer’s fingerprint scanner is different. Right now, creating a true skeleton key would be almost impossible.

Users can protect themselves by taking fewer fingerprint impressions, using only one fingerprint, or by using a second factor like a password (but not a photo). Manufacturers can make improvements to the quality of their scanners, or by using a full fingerprint. For more details, read New York University’s press release here.