
SoylentNews is people

posted by Fnord666 on Saturday April 11 2020, @07:05PM
from the just-put-your-thumb-here dept.

Attackers can bypass fingerprint authentication with an ~80% success rate:

Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.

A study published on Wednesday by Cisco's Talos security group makes clear that the alternative isn't suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of from one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday's report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device—meant that only the most determined and capable adversaries would succeed.

"Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking," Talos researchers Paul Rascagneres and Vitor Ventura wrote. "The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication."


This discussion has been archived. No new comments can be posted.
  • (Score: 3, Interesting) by krishnoid (1156) on Saturday April 11 2020, @10:10PM (#981312)

    I mean, is there really a way to verify false positives and false negatives? At least with a password, if you press each key individually, you can confirm that you pressed all/only the keys you intended.

    With a fingerprint reader, it's not like you even get a green-on-black Hollywood picture of the scanned fingerprint and identified points, with "AUTHORIZED" in all-caps and spoken in a pleasant-sounding woman's voice. And even in those cases, it's not like it *actually* reads anyone's fingerprint. So can you *ever* genuinely tell if they're doing something?
