Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.
Many companies advertise biometric authentication as a more secure alternative to the traditional password. Fingerprint authentication is currently the most common, being used for smartphones, laptops, and other types of devices, such as padlocks and USB drives.
The analysis conducted by Cisco’s Talos threat intelligence and research group involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. They then used a 3D printer to create a mold of the fingerprint, and created a fake fingerprint by filling the mold with low-cost fabric glue. Researchers decided to set a relatively low budget for this project in an effort to determine what a threat actor with limited resources could achieve.
Cisco Talos tested their fake fingerprints against optic, capacitive and ultrasonic sensors, but the researchers did not find any major differences in terms of security. However, they noted that they achieved the highest success rate against ultrasonic sensors, which are the newest type of sensors, commonly found in devices that require an in-display sensor.
In the case of mobile phones, the researchers bypassed fingerprint authentication on a majority of devices. In the case of laptops, however, while they achieved a 95 percent success rate against a MacBook Pro, they could not achieve even a single successful bypass on Windows 10 devices that use the Windows Hello framework.
Talos researchers also tested their fake fingerprint against two encrypted USB thumb drives from Verbatim and Lexar, but they could not bypass authentication. Finally, they tested a padlock and achieved a high success rate.
They pointed out that while they could not bypass authentication on Windows and USB storage devices, it does not necessarily mean that they are much safer; only that a different approach might be required to crack them.
The conclusion drawn from this research is that fingerprint technology has not evolved to a point where it would be generally considered safe. In fact, the researchers believe fingerprint authentication on smartphones is actually weaker compared to 2013, when Apple introduced TouchID with the iPhone 5 and the system was first hacked.
“The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication,” Cisco Talos wrote in its report.
“For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” it added.