4 Questions About Fingerprint Authentication Answered

Fingerprint authentication has arrived on mainstream smartphones. The iPhone 5S, from the company that popularized the smartphone in the first place, put a fingerprint sensor under its "home" button, and not long after that phone was released, Samsung followed with the Galaxy S5 and its own take on fingerprint scanning. At this point, I'm fairly sure that more phones will be released with this capability, eventually making it a distinct feature that will be used in other areas, such as authentication into apps. Since we're on the verge of a new trend, it's as good a time as any to answer some questions about it.

1: Is Fingerprinting Safer Than Using a Password?

This is a difficult question to answer, because it depends on what the fingerprint match actually unlocks and what then travels to the application's server. A common arrangement is that your device ties your fingerprint to a stored password for a particular application: the fingerprint is read and matched on the device, and on a match the device sends the stored password. Step by step:
  • Your device stores your password to an app and associates your fingerprint with that password.
  • You put your finger on the screen or home button to authenticate into the app.
  • The device sends the stored password to the app.
From the server's point of view this is still password authentication. Not typing the password does buy you something: it can be long and random, and it can't be watched over your shoulder or captured by a keylogger. But it remains a shared secret that the server has to store and that can be phished, or replayed if it is ever captured in transit. The arrangement has a convenient side effect: other fingerprint associations can be added to the same password (for example, giving your wife the ability to log in to your PayPal with her fingerprint), so the other person doesn't have to memorize your password to get into the interface. Keep in mind that this cuts both ways: every finger enrolled on the device can release every credential the device holds, so the set of people who can unlock your phone is the set of people who can log in to those apps.
The better way to authenticate biometrically (via fingerprint, in other words) into an app is to keep the fingerprint on the device and let the device prove the match to the app's server with a credential that is not a password. In practice that means a cryptographic key generated on the device and bound to it, which the fingerprint match unlocks; the server keeps only the public half and never sees the fingerprint. The process then looks like this:
  • At enrollment, your device generates a key for the app and registers the public key with the app's server. Your fingerprint template stays on the device.
  • The server sends a fresh, one-time challenge.
  • You put your finger on the screen or home button; on a match, the device signs the challenge and returns the signature.
  • The app authenticates you without receiving a password or your fingerprint.
The price is that each device has to be enrolled separately. The alternative, having the app store your fingerprint on its own server so that any device can match against it, is more convenient, and that could make you breathe a sigh of relief, until you consider the implications of having your fingerprint data stored in multiple locations.
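Both flows from this section side by side, as an added example that is not code from the original post. The second flow is written the way it is done in practice: the fingerprint template stays on the device and a device-bound key signs a server challenge, so the server holds only a public key. The "templates" are constructed byte strings standing in for real fingerprint data, the password is a constructed example, Ed25519 is an assumed key type, and the simulated eavesdropper shows why a captured password replays while a captured signature does not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the phone. Templates stand in for fingerprint data held in
// secure hardware (constructed byte strings, not a real template format);
// nothing in this struct is ever sent to a server.
type Device struct {
	templates [][]byte
	password  string             // flow 1: stored app password
	key       ed25519.PrivateKey // flow 2: device-bound private key
}

func (d *Device) fingerMatches(scan []byte) bool {
	for _, t := range d.templates {
		if bytes.Equal(scan, t) { // real matchers compare minutiae, not bytes
			return true
		}
	}
	return false
}

// ReleasePassword is flow 1: a match releases the stored password, which then
// travels to the server as a shared secret.
func (d *Device) ReleasePassword(scan []byte) (string, error) {
	if !d.fingerMatches(scan) {
		return "", errors.New("fingerprint did not match")
	}
	return d.password, nil
}

// SignChallenge is flow 2: a match unlocks the device key to sign a fresh
// server challenge; neither the key nor the template leaves the device.
func (d *Device) SignChallenge(scan, challenge []byte) ([]byte, error) {
	if !d.fingerMatches(scan) {
		return nil, errors.New("fingerprint did not match")
	}
	return ed25519.Sign(d.key, challenge), nil
}

// Server models the app backend. For flow 1 it holds a password hash, for
// flow 2 only the public key; either is what an attacker gets in a breach.
type Server struct {
	passwordHash [32]byte
	publicKey    ed25519.PublicKey
	challenge    []byte // the one outstanding challenge, nil when none
}

func (s *Server) CheckPassword(pw string) bool {
	h := sha256.Sum256([]byte(pw))
	return subtle.ConstantTimeCompare(h[:], s.passwordHash[:]) == 1
}

func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err)
	}
	return s.challenge
}

// CheckSignature accepts a signature only over the outstanding challenge and
// retires that challenge, so a captured signature cannot be replayed.
func (s *Server) CheckSignature(sig []byte) bool {
	if s.challenge == nil {
		return false
	}
	ok := ed25519.Verify(s.publicKey, s.challenge, sig)
	s.challenge = nil
	return ok
}

// enroll sets up one device and one server with constructed example data.
func enroll() (*Device, *Server) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pw := "correct horse battery staple"
	dev := &Device{templates: [][]byte{[]byte("owner-right-index")}, password: pw, key: priv}
	srv := &Server{passwordHash: sha256.Sum256([]byte(pw)), publicKey: pub}
	return dev, srv
}

func main() {
	dev, srv := enroll()
	scan := []byte("owner-right-index")

	pw, _ := dev.ReleasePassword(scan)
	fmt.Println("flow 1 login:", srv.CheckPassword(pw))
	fmt.Println("flow 1 replay of a captured password:", srv.CheckPassword(pw))

	sig, _ := dev.SignChallenge(scan, srv.NewChallenge())
	fmt.Println("flow 2 login:", srv.CheckSignature(sig))
	srv.NewChallenge()
	fmt.Println("flow 2 replay of a captured signature:", srv.CheckSignature(sig))

	// A second enrolled finger (the spouse in the text) releases the same credential.
	dev.templates = append(dev.templates, []byte("spouse-left-thumb"))
	_, err := dev.ReleasePassword([]byte("spouse-left-thumb"))
	fmt.Println("second enrolled finger releases the password:", err == nil)
}
```

The password hash here is a plain SHA-256 only to keep the example short; a real server would use a slow, salted password hash. The design point is independent of that: in flow 1 the eavesdropper's captured message is accepted again, in flow 2 it is not, and a breach of the flow 2 server yields a public key rather than a secret.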

2: Does Fingerprinting Expose Me?
Yes, it does. With the added convenience of fingerprinting comes the risk of exposing your fingerprint to people you might not want to have this information. For example, your government could collect fingerprint data from major firms to construct its own registry. Anyone who breaks into a database that holds fingerprint data, whether images or templates, can try to replay that data against any service that accepts it. You're depending entirely on the security measures put in place to protect your fingerprint, if there are any.
Fingerprint detection and authentication is not a young technology, but it is not exactly mainstream either, and there is no widely adopted standard for how fingerprint data sent to a server must be stored and protected. Encryption does not change the picture as much as you might hope: encrypted fingerprint data is exactly as safe as the key that protects it, no more, just like any other encrypted data. The difference that matters is what happens after a breach. A leaked password can be reset; a leaked fingerprint cannot, and you have only ten of them. Worse, a fingerprint was never really a secret in the first place, since you leave copies of it on everything you touch.
This is one of the reasons why biometric authentication on your smartphone is mainly used to unlock the screen for the moment, with the data kept on the device. We still have a lot of kinks to work out and many lessons to learn.

3: Can Someone Cut Off My Finger To Impersonate Me?

This depends on what kind of sensor your smartphone uses. Chances are it will use a capacitive sensor (often described as a radio frequency, or RF, sensor, since it measures the ridges through a small RF field rather than taking a picture of them), because it is the least susceptible to dirt and smudges. Capacitive sensors read the ridge pattern from the living dermal layer beneath the outermost skin, which makes them accurate and means they depend on the electrical properties of living tissue: a cold, dry, detached finger reads poorly or not at all. That is a real obstacle for the gruesome scenario in the question, but it is not a proof of life. The sensor is checking for conductive tissue under the surface, not for a pulse, and a thin copy of the ridge pattern worn over a live finger can satisfy it.
This was an issue that was raised particularly when the iPhone 5S was released, and the supplier for the fingerprint sensors came out and said that this simply wasn’t possible. I suspect that other phone manufacturers will follow Apple’s example because of its feasibility and hardware portability.

4: Can Fingerprinting Be Bypassed Somehow?

Yes. Well, sort of…
There are YouTube videos of people doing this on an iPhone 5S. The best-known is the Chaos Computer Club demonstration from a few days after the phone shipped, which started from a fingerprint photographed off a glass surface.

Anyone who really wants to get into your phone has to produce a copy of the ridge pattern of a finger you enrolled. To do that, the person has to know which finger you use to authenticate into the phone. If you use something other than your index finger or your thumb, this gets harder, and each wrong guess burns one of the small number of failed attempts the phone allows before it demands the passcode instead.
Getting a usable print without access to your actual finger is tedious, but it is not impossible, and it does not take an optical sensor to fall for the result. The print you leave on, say, a glass you were holding at a party is a grease impression, which by itself has no ridges and valleys. But it can be photographed at high resolution, cleaned up, printed, and used as a mold for a thin latex or wood-glue copy that does carry the ridges. Worn over a live finger, such a copy has unlocked capacitive sensors, including the one on the iPhone 5S, so a print left on a door handle or a glass is not something you can safely ignore.
So you have to worry about more than someone having access to your actual fingers. As a preventative measure, I'd suggest using a finger other than your thumb or index finger. Those two will be a perpetrator's first targets. A strong passcode behind the fingerprint matters as well, since the phone falls back to it after a restart or after a few failed attempts, and it is the only thing standing between an attacker and your phone when the fingerprint is refused. This is probably obvious but I'll mention it anyway: Be wary of the company you keep around.