Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Cisco Research Shows High Success Rate in Bypassing Fingerprint Authentication

Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.

Cisco has conducted a research project on bypassing fingerprint authentication systems and it achieved a success rate of roughly 80 percent, but the company’s experts were unsuccessful against Windows devices.

Many companies advertise biometric authentication as a more secure alternative to the traditional password. Fingerprint authentication is currently the most common, being used for smartphones, laptops, and other types of devices, such as padlocks and USB drives.

The analysis conducted by Cisco’s Talos threat intelligence and research group involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. They then used a 3D printer to create a mold of the fingerprint, and created a fake fingerprint by filling the mold with low-cost fabric glue. Researchers decided to set a relatively low budget for this project in an effort to determine what a threat actor with limited resources could achieve.

Cisco Talos tested their fake fingerprints against optic, capacitive and ultrasonic sensors, but the researchers did not find any major differences in terms of security. However, they noted that they achieved the highest success rate against ultrasonic sensors, which are the newest type of sensors, commonly found in devices that require an in-display sensor.

In the case of mobile phones, the researchers bypassed fingerprint authentication on a majority of devices. In the case of laptops, however, while they achieved a 95 percent success rate against a MacBook Pro, they could not achieve even a single successful bypass on Windows 10 devices that use the Windows Hello framework.

Talos researchers also tested their fake fingerprint against two encrypted USB thumb drives from Verbatim and Lexar, but they could not bypass authentication. Finally, they tested a padlock and achieved a high success rate.

They pointed out that while they could not bypass authentication on Windows and USB storage devices, it does not necessarily mean that they are much safer; only that a different approach might be required to crack them.

Advertisement. Scroll to continue reading.

The conclusion drawn from this research is that fingerprint technology has not evolved to a point where it would be generally considered safe. In fact, the researchers believe fingerprint authentication on smartphones is actually weaker compared to 2013, when Apple introduced TouchID with the iPhone 5 and the system was first hacked.

“The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication,” Cisco Talos wrote in its report.

“For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” it added.

Related: Millions of Unencrypted Fingerprint and Facial Biometrics Found on Unsecured Database

Related: Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.