Biometric authentication has been touted as the panacea for secure user authentication, yet time and again it is shown not to be foolproof. So passwords are not dead yet.
In November 2017, researchers in Vietnam tricked the Apple iPhone X's Face ID (facial recognition) with a 3D-printed mask that cost about US$150.
Now a user has tricked the new Samsung Galaxy S10+ with a 3D-printed fingerprint that took 13 minutes to print on a $450 3D printer.
The Samsung Galaxy S10's in-display fingerprint sensor supposedly offers more security than other fingerprint scanners on the market, but it still fell victim to a 3D-printed fingerprint. The Galaxy S10's embedded ultrasonic scanner captures the 3D contours of a thumb or fingerprint, whereas the more traditional capacitive scanners take 2D images.
The bypass started with a photograph of the user's fingerprint, taken from the side of a wine glass. The photo was run through imaging software to build a detailed 3D model, which was then passed to 3D-printing software and printed on an AnyCubic Photon LCD resin printer, accurate to about 10 microns.
It took the user three attempts, but the third 3D-printed fingerprint, with a print time of 13 minutes, unlocked his Galaxy S10.
Matan Schaf, Senior Security Solutions Manager – Software Integrity Group, Synopsys Inc., commented on this:
“This is an excellent example of the inherent tradeoff between the comfort of not having to type passwords and the risk of having an authentication/authorization mechanism that lacks a revocation mechanism.
This is a serious concern because as the adoption of biometric identification grows and expands, the level of interest in the hacker community follows. We can expect these issues to become much more prolific if fingerprints are widely adopted as a form of payment. This maker/hacker approach to circumventing biometric identification is not new.
A hacker by the name Jan Krissler demonstrated over 4 years ago how he could fake the fingerprints of the German defense minister Ursula von der Leyen using a photograph released by her PR office. It will be interesting to see the long-term effects of these incidents; I suspect that the day is not far off when it will be a requirement to blur people’s hands in HD pictures on digital media/social media networks. In terms of an approach towards mitigation of such threats, we should consider the application of biometric identification on a case-by-case basis and make sure we couple the appropriate application with the right method.
In addition, the design of biometric solutions should be context-aware and include BI where applicable to reduce the risk of misuse or fraud in order to make it as difficult as possible for malicious agents to complete fraudulent transactions.”
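Two of the points in the comment above, that a fingerprint cannot be revoked and that biometric checks should be applied context-aware and per use case, can be made concrete in code. The following is an added example written for this page; it is not code from the article, from Samsung or from Synopsys. It models the common mitigation: the relying party never holds a fingerprint template, only a revocable per-device secret; a sensor match on the phone merely unlocks use of that secret; and payments above a threshold additionally require a passcode, so a 3D-printed fingerprint that fools the sensor still cannot authorize a large transfer, and the device credential can be killed once the compromise is known. The device id, passcode, threshold (`STEP_UP_LIMIT`) and the use of an HMAC secret in place of a hardware-backed key pair are all assumptions made for illustration.

```python
"""Context-aware, revocable authorization around a biometric unlock.

Added example (not from the article, Samsung or Synopsys). The device id,
passcode and STEP_UP_LIMIT are constructed; an HMAC secret stands in for the
key pair a phone would generate in secure hardware.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

STEP_UP_LIMIT = 100.00   # assumed policy: above this amount a biometric alone is not enough
PBKDF2_ROUNDS = 100_000


class AuthServer:
    """Relying party. Stores revocable per-device secrets and a passcode hash,
    never a fingerprint template, so the biometric itself is never at risk here."""

    def __init__(self, passcode: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._passcode_hash = self._hash_passcode(passcode)
        self._devices: Dict[str, bytes] = {}   # device_id -> device secret
        self._revoked: Set[str] = set()

    def _hash_passcode(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, PBKDF2_ROUNDS)

    def enroll_device(self, device_id: str) -> bytes:
        """Issue a fresh device secret (stand-in for registering a device public key)."""
        key = secrets.token_bytes(32)
        self._devices[device_id] = key
        return key

    def revoke_device(self, device_id: str) -> None:
        """The fingerprint cannot be changed, but the device credential can be revoked."""
        self._revoked.add(device_id)

    def new_challenge(self) -> bytes:
        """Fresh nonce per request so a captured tag cannot be replayed."""
        return secrets.token_bytes(16)

    def authorize(self, device_id: str, challenge: bytes, tag: Optional[bytes],
                  amount: float, passcode: Optional[str] = None) -> str:
        if device_id not in self._devices or device_id in self._revoked:
            return "deny: unknown or revoked device"
        if tag is None:
            return "deny: device did not sign (sensor did not match)"
        expected = hmac.new(self._devices[device_id], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "deny: bad device signature"
        if amount <= STEP_UP_LIMIT:
            return "allow"                      # low-value: biometric convenience is enough
        if passcode is None:
            return "step-up: passcode required"  # high-value: demand a knowledge factor
        if not hmac.compare_digest(self._hash_passcode(passcode), self._passcode_hash):
            return "deny: bad passcode"
        return "allow"


def device_sign(device_key: bytes, challenge: bytes, fingerprint_matched: bool) -> Optional[bytes]:
    """Phone side. The sensor's match result only gates use of the device key.
    A spoofed print that fools the sensor yields a valid tag, which is exactly
    why the server-side step-up and revocation above still matter."""
    if not fingerprint_matched:
        return None
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def demo() -> List[str]:
    server = AuthServer(passcode="2468")           # constructed passcode
    dev = "galaxy-s10-01"                          # constructed device id
    key = server.enroll_device(dev)
    out = []

    # 1. Small payment, sensor matched: allowed on the biometric alone.
    c = server.new_challenge()
    out.append(server.authorize(dev, c, device_sign(key, c, True), 40.00))

    # 2. Large payment unlocked by a 3D-printed print: sensor is fooled, but
    #    the attacker does not have the passcode.
    c = server.new_challenge()
    out.append(server.authorize(dev, c, device_sign(key, c, True), 5000.00))

    # 3. Same large payment with the correct passcode.
    c = server.new_challenge()
    out.append(server.authorize(dev, c, device_sign(key, c, True), 5000.00, passcode="2468"))

    # 4. Owner reports the phone compromised; the device secret is revoked.
    server.revoke_device(dev)
    c = server.new_challenge()
    out.append(server.authorize(dev, c, device_sign(key, c, True), 40.00))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design choice worth noting is that the sensor result never crosses the network: the server sees only a signature from a credential it can revoke, and it decides per transaction how much to trust a match. That is the "couple the appropriate application with the right method" advice above, expressed as policy.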