Fingerprint sensors have sought to replace password- and PIN-based authentication for years. The sensors are widely found in laptops, sometimes in payment terminals, and recently in several smartphones. The latest entrance to the field is Apple’s iPhone 5s. The sensors continue to fail their marketing claim of secure device unlocking.

Security level.

Using fingerprints as credentials for local user authentication has two shortcomings when compared to passwords:

A. Limited revocation. Once a fingerprint gets stolen, there is no way to change it. To offset this high compromise penalty, fingerprints would need to be very hard to steal. However:

B. Credential spread. Users leave copies of their fingerprints everywhere; including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs (“fake fingers”) can be produced from these pervasive copies.

Fingerprint spoofs.

Spoofs have been produced time and time again from images of latent prints – even while camping – and most recently by Starbug from the CCC to overcome the protection of an iPhone 5s.

Other current devices with touch and swipe sensors are equally duped by spoofs. This video shows how an iPhone 4s-taken photo results in a fingerprint-spoof that unlocks a Thinkpad laptop, a Fujitsu smartphone, and an iPhone 5s:

ID theft risk.

The iPhone 5s’s fingerprint sensor does not only appear to provide no additional protection, its use even undermines other security mechanisms. This video demonstrates how other flaws in iOS and iCloud are exposed that – when combined with Touch ID’s vulnerability to fingerprint spoofing – allow for online identity theft:

Remote authentication.

Fingerprint sensors still have a strong protection proposition: To provide a second (and third) authentication factor in remotely-executed transactions, such as authorizing money transfers. Modern fingerprint sensors can compare templates and scans on-chip – that is: protected from malware on the device – and conduct a strong cryptographic authentication to a web service. Industry seems to be determined to standardize such transactions.

An attacker would need to get access to three credentials: the banking password, the fingerprint sensor that stores an authentication certificate, and a spoof of the fingerprint that activates this certificate. For the most common miscreant, remote attackers, the latter two should be out of reach.

Evolution path.

Defeating local attackers is still of value even when the fingerprint only provides an additional authentication factor.

The iPhone 5s already moved slightly beyond the capabilities of earlier touch sensors: It provides a higher resolution image and – as far as initial experiments can tell – uses this higher resolution to match based on finer structures:

Low resolution fingerprint image, sufficient to create spoofs for older sensors

High resolution fingerprint image with clear features along the ridges, which newer sensors detect

Even these finer structures can be spoofed, for example based on an equally high resolution smartphone camera image, showing that some defense strategies only improve at the pace of the corresponding attack technique.

Fingerprint spoof prevention would better be based on intrinsic errors in the spoof-creation process or on fingerprint features not present in latent prints (and become much harder to steal). Examples of such spoof-detection features are air bubbles contained in the glue often used for spoofs (white dots in left image) and minute details that are visible through a fingerprint sensor but not in a latent print (black dots in right image).

Sensor read of spoof finger with white air bubbles, but fewer minute details

Sensor read of real finger with minute details but no air bubbles

Even by just comparing the density of white vs. black dots, sensors would challenge hackers to improve their spoofing techniques. The iPhone 5s, on the other hand, was defeated by techniques widely published years ago.