5 methods hackers use to get around your fingerprint scanner and tips for staying safe

Fingerprint sensors have been a common feature on smartphones for quite a while now. Apple introduced Touch ID on the iPhone 5S back in 2013, and since then, it has been included in 12 major iPhone models as well as some iPads. However, after the iPhone 8, Apple phased it out in most models, save for the iPhone SE series. Meanwhile, almost all Android phones currently come equipped with fingerprint scanners. But is it really possible to bypass such a system? Frank from Diarton, Michigan, posed this question, and I think it’s a valid concern that we should explore.

To clarify what Frank is asking: “Can I hack into my website using password and fingerprint protection?” I understand your worry, Frank. While fingerprint scanners do rely on actual fingerprints, making them harder to bypass, they’re not foolproof. Generally, they offer more security than passwords or face recognition, yet there are still various ways for malicious actors to compromise one’s identity.

How Hackers Can Bypass Fingerprint Scanners

There are quite a few tactics that hackers might employ to circumvent fingerprint scanners. Here are five notable methods:

1. Masterprint and Deep Masterprint

Hackers can create what’s known as a “masterprint,” a type of fingerprint designed to match multiple individuals’ prints. Researchers at NYU Tandon have even developed “DeepMasterPrints,” which utilize machine learning to fabricate synthetic fingerprints that can trick scanners by mimicking common patterns. These artificial prints can be remarkably similar to many stored fingerprints, particularly on devices with strict security settings.

2. Forged Fingerprints Using 3D Printing

Another method involves hackers producing fake fingerprints. This is often done by lifting a print from objects you touch and creating a mold, possibly with fabric glue or 3D printing technology. For instance, a Cisco Talos researcher has experimented with different 3D printing methods on various devices, including iPhones and Samsung smartphones. Surprisingly, these counterfeit fingerprints worked about 80% of the time, managing to fool the sensors at least once. Interestingly, they struggled to bypass the biometric systems on Windows 10 devices, but that doesn’t necessarily mean those systems are more secure.

3. Brute Force Attack Through BrutePrint

In a surprising twist, an attacker discovered a relatively inexpensive brute force approach to bypass fingerprint authentication. Known as “BrutePrint,” this technique exploits unknown weaknesses in the fingerprint system. It uses hardware-based attacks to intercept fingerprint data between the sensor and the device’s secure area, allowing the attacker to try multiple fingerprint images until a match is found. The silver lining? This requires physical access to the device.

4. Side-Channel Attacks Using PrintListener

Another sophisticated method involves a side-channel attack called PrintListener, where hackers listen to the sound of a finger swipe across the screen to glean fingerprint features. While that seems like something out of a science fiction story, researchers are already testing concepts that could allow such attacks to become a reality.

5. Utilizing Unsecured Fingerprint Data Storage

Some devices fail to encrypt fingerprint data properly. When attackers manage to access this unguarded information, they can recreate fingerprints and breach authentication systems. For example, in 2024, a server mishap resulted in nearly 500 GB of sensitive data being leaked, including fingerprints, face scans, and personal details.

Can You Really Trust Your Fingerprint Scanner?

Using a fingerprint scanner can certainly make it easier to unlock your device, all while seeming quite secure. Since everyone’s fingerprints are one-of-a-kind, there’s no need to memorize complex passwords. Most modern devices keep fingerprint data in secure areas and use techniques like liveness detection to prevent trickery with fake fingers. Still, no security system is without flaws. Skilled attackers have figured out ways to get past fingerprint scanners, often exploiting weaknesses in how these systems communicate with devices. The level of risk largely hinges on how well a scanner is built and how much determination an attacker possesses. For everyday users, fingerprint authentication generally offers a quick and sufficient layer of security, but for those handling sensitive data, it might be wise not to rely solely on biometrics.

Ways to Protect Your Fingerprint Data

Here are some essential steps to consider for securing your biometric data:

1. Choose a Reliable Phone Brand. When purchasing a phone, opt for well-known brands like Apple, Samsung, or Google. These companies typically implement extra protections for fingerprint data by storing it securely. Cheaper brands may lack these safeguards.

2. Keep Your Phone Updated. Regular updates fix security vulnerabilities that hackers can exploit. If prompted, install updates immediately; many devices allow you to set automatic updates as well.

3. Use Strong Antivirus Software. Installing robust antivirus applications can help detect malware that may threaten biometric storage. Comprehensive antivirus solutions can offer real-time threat detection, privacy features, and defend against unauthorized access to your fingerprint data.

4. Don’t Rely Solely on Fingerprints. While using fingerprints is convenient, they should not be your only line of defense, especially for sensitive apps like banking. Always set additional security measures, such as PINs or passwords.

5. Be Cautious Who Handles Your Phone. If you’re letting others use your phone, especially acquaintances or strangers, be aware that they could copy your fingerprints from the screen. Limiting who has access to your device can help mitigate this risk.

6. Use Fingerprint Login Only with Trusted Apps. Only use fingerprint login in applications from reliable developers, such as banks or established email providers. If an unfamiliar app asks for fingerprint access, it’s better to use a password.

Ultimately, while passwords are easier to hack than biometric data, they can be changed. You can’t just change your biometric traits. Most modern devices support both authentication methods, often complementing one another. Biometric security offers an additional layer, making unauthorized access a bit harder but not impossible.
