From Photos to Fingerprint Counterfeits: Understanding Security Risks and User Perception Shifts in Smartphone Authentication
Fingerprint verification is a widely used authentication method for smartphones, even for financial services: the majority of banks in the Czech Republic support fingerprint authentication for their mobile banking applications. Although this method is popular and often perceived as highly secure, it does not provide absolute security. Like all authentication methods, fingerprint verification has its limitations. This contribution focuses on the vulnerability of fingerprint authentication to spoofing by inexperienced impostors, who can create fake fingerprints from photos, such as a 'thumbs-up' photo posted on social networks like Instagram by the victims themselves.
This contribution presents a study investigating the security vulnerabilities of smartphone fingerprint readers, focusing on their susceptibility to being spoofed using counterfeits created from finger photos. Both technical and social aspects were explored. Over a two-year period, some of the 370 participants, who had little prior experience, were able to create high-quality physical counterfeits from glue or silicone that could either unlock smartphones or be registered as valid fingerprints. We found that fingerprint spoofing is a real, though not widespread, threat to smartphones, primarily affecting optical scanners.
Regarding social aspects, participants' perceptions of fingerprint security shifted inconsistently. While they were less likely to use fingerprint authentication for banking services, they generally underestimated the associated threats. The results highlight the importance of developing more secure fingerprint sensor technologies and increasing user awareness of potential vulnerabilities and related threats.
Agáta Kružíková
Agata Kruzikova received her Bachelor's degree in Social Informatics, Master's degree in Computer Science, and Ph.D. in Informatics from Masaryk University in Brno, Czech Republic. Her research interests focused on authentication for both end-users and IT professionals in the field of usable security, often in collaboration with commercial companies. She pursued her Ph.D. at the Centre for Research on Cryptography and Security. Currently, she works as a Cybersecurity Consultant with a focus on Security Operations Center at PwC.
Vashek Matyáš
Václav (Vashek) Matyáš is a professor at Masaryk University in Brno, where he holds the position of Vice Dean for Industrial and Alumni Relations at the Faculty of Informatics. His research interests are related to applied cryptography and security; he has published well over 150 peer-reviewed papers and articles and has co-authored several books. He worked in the past with Red Hat Czech, CyLab at Carnegie Mellon University, as a Fulbright-Masaryk Visiting Scholar at the Center for Research on Computation and Society of Harvard University, Microsoft Research Cambridge, University College Dublin, Ubilab at UBS AG, and as a Royal Society Postdoctoral Fellow with the Cambridge University Computer Lab. Vashek also worked on the Common Criteria and in ISO/IEC JTC1 SC27.