Fingerprint Sensors on Phones: Are They as Secure as They Claim?

Evolution of mobile devices has been overwhelming in recent years. Smartphones are getting increasingly powerful and computing devices are taking compact form factors. Identifying the need of on-the-go connectivity and processing, modern computing and communication scenarios is shifting towards mobility. Mobile devices with computing power have been around for a while, but the user experience they offered a decade ago, was not at par. Bulky PDAs with resistive touch screen and a mandatory stylus to operate them could not provide adequate user experience. These devices were expensive and captured only a limited market share. Tech firms had been trying to resolve the issue of on-the-go connectivity and mobile computing, but it was apple that led the way to a proper solution with the launch of its revolutionary device, the iPhone.

iPhone offered a friction-free way to interact with the device by employing a capacitive touch screen and optimizing its operating systems to take touch inputs with user fingertip without the need of a stylus or buttons. Success and popularity of iPhone steered other manufacturers towards iPhone like user experience. iPhone paved the way for mobile computing as we know it today. Apple’s approach with iPhone took over the world and it began a new era of smartphones. Before the launch of iPhone, PDAs with Windows Mobile OS and similar devices offered a less than adequate user experience and could never go as popular as the iPhone. Users needed a stylus to interact with these devices and the OSes were neither optimized nor user friendly as present day smartphone OSes.

Smartphones have become a personal data processing and communication hub these days. There are apps that leverage neural networks and processing power of cloud servers and users get end-result on his smartphone screen. Present day smartphones carry a lot of information that includes personal, professional and confidential information like financial data, payment cards information, etc. Now with the evolution of NFC payment methods like Apple Pay and Android Pay, it has become imperative to safeguard these devices from potential misuse.

Tech experts are trying to take user experience and security of smartphones to the next level by introducing newer ways to do things, identity authentication i.e. how your device recognizes you, is one of them. Smartphones are increasingly being used in accessing financial services and making payments, so along with personal and professional data, they contain sensitive financial information as well. Carrying so much information makes smartphones a target of fraudsters and hackers.

Mobile biometrics is an increasing trend these days that claims to offer convenience as well as security. Smartphone manufacturers are increasingly adding biometric recognition to mobile devices and fingerprint recognition is the most prominently used biometrics. Now even inexpensive smartphones include a fingerprint sensor in their specs sheet. While manufacturers are keen to bring more and more devices with biometric hardware, it has raised a security as well as privacy concern among users. Users often wonder if fingerprints provide better security than PINs or passwords or they are trading off convenience with security.

Introduction of fingerprint sensors on modern day smartphones came like a breeze to users. A touch of the finger and phone is unlocked! No need to remember and struggle with PINs, passwords or patterns. Fingerprint sensors became popular with the launch of iPhone 5s, however, they had made their way to phones back in 2007 when Toshiba launched its G500 and G900 phones with fingerprints sensors. Later Motorola launched its flagship device Motorola Atrix in 2011 with a fingerprint sensor. In the same year (2007) Apple launched its revolutionary iPhone but fingerprint sensors were introduced with Apple’s iPhone 5s model, which was launched in the year 2013. Industry trends in the last decade have shown that innovations do not get popular unless they are launched with an iPhone. It was super convenient to unlock phone with fingerprint unlike PINs or pattern lock, which took failed attempts and struggle to hide the screen while unlocking. Just a touch and there you go.

Convenience is all perfect, as good as we ever wanted, but what about security? Is it as great as convenience offered by fingerprint sensors on phones? You must have noticed that fingerprint sensor on your smartphone is quite smaller than the one in your office attendance systems. It is so small that it does not even cover full fingertip, still it does the job and recognizes your registered finger but not the one next to it. A full fingerprint is harder to spoof but unfortunately fingerprint sensors used on smartphones are usually smaller ones and set to extract and compare lesser numbers of fingerprint features to authenticate identity. On the other hand, fingerprint scanners used at high security applications scan full fingerprint and extracts comparatively larger number of fingerprint features, making it more immune against spoof attacks.

Fingerprint authentication system used on smartphones is based on partial fingerprint authentication, in which only a part of the finger is scanned and compared against the reference template. However, during the enrollment, your smartphone urges you to scan fingertip from all sides, so that later it can match whatever portion is scanned during the verification. Authentication systems based on partial fingerprints extract and compare lesser number of fingerprint features than full fingerprint authentication systems. Fingerprint authentication on mobile devices is as secure as manufacturers want them to be. Small sensors and partial fingerprint authentication are used to keep the device slim and compact as it adds up to the specification sheet of the product. Due to consumer demand of slimmer and compact devices, manufacturers tend to be more inclined towards smaller parts. Since expensive phones are expected to be slimmer and more compact, device makers too are left with no choice.

According to researchers at New York University and Michigan State University, fingerprint security in smartphones can be easily fooled by creating an artificial MasterPrint that includes common features found on fingerprints. This MasterPrint was able to unlock 65% smartphones and that is a very undesirable as well as frightening result. Marc Rogers, Principal Security Researcher at Lookout have already demonstrated that iPhone’s fingerprint security can be fooled with a fake fingerprint. Tech security firms and independent researchers that are challenging mobile biometrics are actually helping phone manufacturers to address these loopholes. Researchers at Michigan University has created a fake finger that has the optical, electrical, and mechanical properties of a real finger and can be used to test fingerprint scanners to make them harder to hack.

Fingerprint security is subjective. It also depends on the criticality of data on your phone. If data on your phone is crucial, for example financial information, data related to the national security, etc. you may need more security than just a fingerprint biometrics in current scenario. If data on your phone is mostly your favorite cat videos, fingerprints shall serve as an adequate security method. According to Counterpoint Market Research, more than 1 billion smartphones with ship with fingerprint sensor in the year 2018. This will present an opportunity as well as a security challenge for service providers and manufacturers.