The Foibles of Fingerprints

by Steve Hoffenberg | 11/29/2013

When Apple announced the iPhone 5s in September 2013, much of the popular press hailed the device’s inclusion of fingerprint sensing (dubbed Touch ID) as a major breakthrough in mobile security. The more astute journalists pointed out that Motorola had brought to market fingerprint scanning in the Atrix 4G handset back in February 2011, more than two and a half years earlier. As an owner of the Atrix 4G since its early days, I can provide some insight into the real-world ups and downs of using a fingerprint scanner on a daily basis, although the proliferation of fingerprint devices presents greater security concerns.

In terms of usability, the fingerprint method clearly surpasses PIN or password or pattern input as a way to unlock a mobile handset, particularly when it’s a function that gets executed dozens of times a day. It’s one of the reasons that I have hung on to the Atrix 4G as one of my phones for this long.

FingerprintSensorMotorola Atrix 4G fingerprint sensor

A couple of scenarios confound the Atrix 4G’s fingerprint recognition. One is short term changes in fingertip skin, such as from recently wet hands that distort the skin (an extreme example being “prune finger” from shower or bath) or otherwise cause moisture-related problems for the capacitive finger sensor. (In this type of sensor, the fingerprint image is generated by electrical rather than optical differences between ridges and troughs.)

Another problem appears to be seasonal, in that skin condition varies enough from summer to winter here in New England that I have to recalibrate the handset with a fresh set of print samples a couple of times a year. A device with more sophisticated pattern recognition algorithms and more powerful processing might be able to account for such variability, and perhaps the iPhone 5s is better than the Atrix 4G in that regard.

No doubt law enforcement uses more elaborate techniques for matching prints, but as a consumer device, the Atrix 4G does remarkably well, correctly recognizing my print more than 95 percent of the time on the first swipe (i.e. fewer than 5 percent false negatives). The likelihood of false positives, that is someone else’s finger successfully unlocking the phone, is effectively zero.

Sure, a determined attacker could poach a fingerprint from somewhere else and dupe it onto the sensor, as was widely publicized when a group of hackers successfully accessed an iPhone 5s that way only a few days after the product’s release. However, the odds of that actually happening to a phone in the wild are slim, as long as the handset maker doesn’t build the housing out of a glossy plastic that’s a fingerprint magnet. The odds are probably higher that an attacker would pick up a user’s PIN or password just by watching over the shoulder.

A much greater risk would be if hackers managed to distribute malware via an innocent looking app that uploads fingerprint data to a central server where it could be used for other nefarious purposes. Even if the fingerprint images stored on the handset (Data At Rest) are adequately encrypted, a smart enough attacker with the right level of access might be able to capture the raw data from the sensor as the finger is scanned (Data In Motion). Embedded devices of any kind that include fingerprint recognition need to be designed from the start to prevent such access. (Companies such as AuthenTec offer on-sensor encryption.) In addition to critical infrastructure like energy grid and transportation management, fingerprint sensors increasingly will appear in multi-factor authentication for broader embedded applications for financial transactions, building access, medical records, biotech laboratories, home security, and a range of consumer electronics products.

Theft of one person’s fingerprint would be an immense hassle for that individual but not a societal threat. A method of surreptitiously capturing prints from thousands or even millions of consumers could present a massive security nightmare, especially since those prints later could be employed on other devices for which a user has fingerprint access. All it would take to expose such a risk would be one consumer electronics manufacturer that shortcuts the design of one popular product to save a little on development time or BOM cost.

Users don’t have the option of resetting their compromised fingerprints as they do their passwords, and they don’t have the option of using different fingerprints to access different systems, at least not beyond the limit of two hands’ worth. Ironically, fingerprints may become less secure in the long run than other forms of authentication. In the meantime, I’m hanging onto my phone.