It seems a day can’t go by without a story in the news about hacking. As more and more of our personal and business lives are transacted online, the internet has become the attack vector of choice for many criminals and other bad actors attempting to steal valuable personal information or company IP. This increase in hacking makes smartphones and PCs highly attractive targets for cybercrime. This, in turn, has led to the use of fingerprint sensors as a means to properly identify a device’s legitimate user.
However, a lot of misinformation circulates about the fallibility of fingerprint sensors. It’s time to examine the facts about fingerprint sensors and the erroneous belief that they can be easily hacked.
1. It’s easy to spoof a fingerprint.
Not true. Despite what you see in the movies or in security demos, spoofing a fingerprint by taking a high-resolution photo or recovering a latent print is very difficult. This method is called an “attack spoof” and is logistically challenging. Very few criminals would use this method, and typically only on an extremely high-value target, not your average consumer.
One reason this #1 myth persists is that creating a spoof is easy to demonstrate if the target is a willing participant. With practice and patience, you can make a spoof of your own fingerprint by carefully casting a mold from one of a number of substances, such as glue and clay. But even that isn’t trivial, and new anti-spoofing algorithms constantly make it more challenging.
2. Optical sensors are less secure than capacitive sensors because they store the actual fingerprint image.
Not true. A smartphone or PC that observes basic privacy and security principles never stores a complete image of your biometric information. It converts the information into a “template,” where certain parameters are retained and the rest are thrown away. This abstracted data is then encrypted when the template is stored.