Fingerprint authentication is a convenient alternative to passwords and PIN codes. Who wants to spend time typing in a lengthy string of numbers, letters and characters when a simple tap will suffice?
Unfortunately, that convenience comes at a cost: unlike a regular password, you leave your fingerprint on taxi doors, iPhone screens, and glasses of wine at your local restaurant.
In this article, the Kraken Security Labs Team demonstrates just how easy it is for malicious actors to bypass your favorite login method.
Stealing the Fingerprint
To compromise your device or account, we don’t even need direct access to your fingerprint. A photo of a surface you’ve touched (from a table at the local library to the equipment at your nearest gym) will do.
With this photo at our disposal, an hour in Photoshop yields a decent negative:
Next, we’ll print the image onto an acetate sheet with a laser printer — the toner creates a 3D structure of the fingerprint on the sheet.
For our final step, we add some wood glue on top of the print to bring to life a fake fingerprint that we can use on a scanner.
Launching the Attack
With the fingerprint in hand, all we need to do is place it on the scanner.
We were able to perform this well-known attack on the majority of devices our team had available for testing. Had this been a real attack, we would have had access to a vast range of sensitive information.
Protecting Yourself From the Attack
A fingerprint should not be considered a secure alternative to a strong password. Doing so leaves your information — and, potentially, your cryptoassets — vulnerable to even the most unsophisticated of attackers.
It should be clear by now that, while your fingerprint is unique to you, it can still be exploited with relative ease. At most, you should use it only as the second factor in two-factor authentication (2FA), never as the sole protection for a device or account.
Strong password > fingerprint > weak password