Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Cisco Research Shows High Success Rate in Bypassing Fingerprint Authentication

Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.

Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.

Many companies advertise biometric authentication as a more secure alternative to the traditional password. Fingerprint authentication is currently the most common, being used for smartphones, laptops, and other types of devices, such as padlocks and USB drives.

The analysis conducted by Cisco’s Talos threat intelligence and research group involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. They then used a 3D printer to create a mold of the fingerprint, and created a fake fingerprint by filling the mold with low-cost fabric glue. Researchers decided to set a relatively low budget for this project in an effort to determine what a threat actor with limited resources could achieve.

Cisco Talos tested their fake fingerprints against optic, capacitive and ultrasonic sensors, but the researchers did not find any major differences in terms of security. However, they noted that they achieved the highest success rate against ultrasonic sensors, which are the newest type of sensors, commonly found in devices that require an in-display sensor.

In the case of mobile phones, the researchers bypassed fingerprint authentication on a majority of devices. In the case of laptops, however, while they achieved a 95 percent success rate against a MacBook Pro, they could not achieve even a single successful bypass on Windows 10 devices that use the Windows Hello framework.

Talos researchers also tested their fake fingerprint against two encrypted USB thumb drives from Verbatim and Lexar, but they could not bypass authentication. Finally, they tested a padlock and achieved a high success rate.

They pointed out that while they could not bypass authentication on Windows and USB storage devices, it does not necessarily mean that they are much safer; only that a different approach might be required to crack them.

The conclusion drawn from this research is that fingerprint technology has not evolved to a point where it would be generally considered safe. In fact, the researchers believe fingerprint authentication on smartphones is actually weaker compared to 2013, when Apple introduced TouchID with the iPhone 5 and the system was first hacked.

“The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication,” Cisco Talos wrote in its report.

“For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” it added.

Related: Millions of Unencrypted Fingerprint and Facial Biometrics Found on Unsecured Database

Related: Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.