Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Cisco Research Shows High Success Rate in Bypassing Fingerprint Authentication

Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.

Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.

Many companies advertise biometric authentication as a more secure alternative to the traditional password. Fingerprint authentication is currently the most common, being used for smartphones, laptops, and other types of devices, such as padlocks and USB drives.

The analysis conducted by Cisco’s Talos threat intelligence and research group involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. They then used a 3D printer to create a mold of the fingerprint, and created a fake fingerprint by filling the mold with low-cost fabric glue. Researchers decided to set a relatively low budget for this project in an effort to determine what a threat actor with limited resources could achieve.

Cisco Talos tested their fake fingerprints against optic, capacitive and ultrasonic sensors, but the researchers did not find any major differences in terms of security. However, they noted that they achieved the highest success rate against ultrasonic sensors, which are the newest type of sensors, commonly found in devices that require an in-display sensor.

In the case of mobile phones, the researchers bypassed fingerprint authentication on a majority of devices. In the case of laptops, however, while they achieved a 95 percent success rate against a MacBook Pro, they could not achieve even a single successful bypass on Windows 10 devices that use the Windows Hello framework.

Talos researchers also tested their fake fingerprint against two encrypted USB thumb drives from Verbatim and Lexar, but they could not bypass authentication. Finally, they tested a padlock and achieved a high success rate.

They pointed out that while they could not bypass authentication on Windows and USB storage devices, it does not necessarily mean that they are much safer; only that a different approach might be required to crack them.

The conclusion drawn from this research is that fingerprint technology has not evolved to a point where it would be generally considered safe. In fact, the researchers believe fingerprint authentication on smartphones is actually weaker compared to 2013, when Apple introduced TouchID with the iPhone 5 and the system was first hacked.

“The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication,” Cisco Talos wrote in its report.

“For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” it added.

Related: Millions of Unencrypted Fingerprint and Facial Biometrics Found on Unsecured Database

Related: Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.