As I’ve explained before, fingerprints are not the same as passwords.
- Your passwords can be kept secret. You leave your fingerprints lying around everywhere.
- You should have different passwords for everything you do. You only have ten fingerprints to choose from (if you have the typical allocation of hands).
- If the worst happens, you can always change your passwords. You can’t change your fingerprints. You’re stuck with them for life.
- You can forget your passwords. You always have your fingerprints on you.
- Your fingerprints aren’t easily guessable, as you never have one that’s the name of your favourite football team or something dumb like Fingerprint1.
So relying on fingerprints for your security clearly carries some risks.
The Samsung Galaxy S10 smartphone was released in early March to much fanfare. Among its features, Samsung bragged of “next generation vault-like security” with its ultrasonic fingerprint scanner, fused directly into the front screen, which could even work when your hand was wet:
“Using ultrasonic pulses, it detects the 3D ridges and valleys of your fingerprint, so only you can access your phone. It’s secure and convenient — even allowing you to unlock, drag and hold to open the app you want.”
It sure sounds convenient, but “secure”? “Only you can access your phone”? These seem like bold claims…
And that certainly appears to have been the opinion of an Imgur user called “darkshark”, who has posted a video demonstrating how he was able to unlock a Samsung Galaxy S10 with a 3D copy of his fingerprint, captured from a photograph of a print he had left on a wine glass:
“It took me 3 reprints trying to get the right ridge height (and I forgot to mirror the fingerprint on the first one) but yeah, 3rd time was the charm. The 3D print will unlock my phone…in some cases just as well as my actual finger does.
“This brings up a lot of ethics questions and concerns. There’s nothing stopping me from stealing your fingerprints without you ever knowing, then printing gloves with your fingerprints built into them and going and committing a crime.
“If I steal someone’s phone, their fingerprints are already on it. I can do this entire process in less than 3 minutes and remotely start the 3D print so that it’s done by the time I get to it. Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.”
Darkshark’s 3D-printed fingerprint wouldn’t have succeeded in fooling the capacitive fingerprint sensors used in most mobile phones, including previous versions of the Samsung Galaxy.
If you’re keen to maintain your security and privacy, you might be wise not to rely on fingerprints alone to secure your devices.