Checklist

How forgery-proof are fingerprints?

The unique biometric feature – and how reliable it is.

A person wearing a turquoise earring uses fingerprint authentication on their smartphone, while a drink and fruit sit on a wooden table.

21 November 2024

Anyone who wants to unlock their smartphone biometrically simply holds their face in front of the camera or places a finger on the scanner. But what exactly makes fingerprints so unique? How do fingerprint scanners work, and how reliably can they distinguish real from fake fingertips? Our checklist answers the most important questions.

 

When did humanity first discover fingerprints?

The uniqueness of fingerprints was recognized by our ancestors long ago. As early as the Bronze Age, people left their fingerprints in clay. In ancient China, fingerprints were used as signatures for passports, promissory notes, and other documents as early as the 7th century. By the late 19th century, researchers and criminologists discovered that fingerprints could be used to identify individuals with absolute certainty, making them invaluable for solving crimes. The English naturalist Francis Galton laid the foundation for fingerprint comparison methods by 1892, ushering in a new era of crime investigation with a technique known as dactyloscopy. "Fingerprints are the longest and most thoroughly studied biometric characteristic of humans," says Boris Michael Leidner, Head of IT Compliance and Biometrics Expert at TÜVIT.

Are fingerprints truly unique?

No two people have ever been found to share the same fingerprint. Even identical twins, who cannot be distinguished through DNA analysis, have distinct fingerprints. The key lies in the subtle details—known as minutiae—the fine endings and branches of the ridges on our fingertips. "During embryonic development, both genetic and environmental factors shape fingerprint patterns, leading to differences even between identical twins," explains Leidner.

How do fingerprint scanners work?

Before a system can recognize a fingerprint, it first needs to learn it. The fingerprint is scanned and stored in the system. When the finger is later placed on the scanner again, the stored print serves as a reference for comparison. If the system detects a match, the smartphone is unlocked.

A hand touches a grey fingerprint scanner labelled "NOP007" on a red display.
Renewing your passport? When dealing with authorities, submitting a fingerprint is standard procedure. © Adobe Stock
Close-up of a fingertip with clearly visible fingerprint ridges against a blue background.
Unique: No fingerprint is like another. Even among twins, they differ. © Adobe Stock

Are They Truly 100% Reliable?

“They are not and never can be,” responds Leidner. The more detailed explanation: Unlike other authentication methods, such as passwords, fingerprint scanning is not simply a matter of right or wrong. “Since the analog fingerprint must be transferred into the digital world, error rates inevitably occur,” explains the expert. The problem: It is virtually impossible to place your finger in exactly the same position every time you unlock a device. To avoid falsely rejecting users too often, recognition algorithms cannot be too strict. However, they must not be too lenient either, as this increases the likelihood of false acceptances—cases where unauthorized individuals with similar fingerprints gain access. “Biometric systems must find a balance between practicality and security, which varies depending on the application,” says Leidner.

How Are Fingerprints Stored?

Fingerprints for national ID cards are stored exclusively on the card itself—encrypted on a secure chip. Similarly, on smartphones, fingerprints are typically stored locally on a security chip, ensuring that manufacturers do not have access to them. Rather than saving an image of the fingerprint, the system stores a mathematical model of its features, which is used for comparison during scanning. “While part of the fingerprint could theoretically be reconstructed from this so-called template, the complete fingerprint cannot,” explains Leidner. More importantly, as with fingerprints on ID cards, hackers would first need to gain physical access to the smartphone. Even if they managed to extract the template with significant technical effort, the data is usually encrypted, making it nearly impossible for cybercriminals to create a fake fingerprint from it.

Can Our Fingerprints Be Stolen?

The theft of the digital version of a fingerprint is extremely unlikely. The situation is different in the physical world, as we leave our fingerprints everywhere. “Cybercriminals can collect them to create a fake fingerprint,” warns Leidner. Biometric systems used for government purposes—such as fingerprint registration for ID cards—must be tested by independent certification bodies like TÜVIT to ensure they can reliably withstand attacks involving fake fingerprints. However, there are no mandatory security evaluations for smartphones or other consumer electronics. “That said, manufacturers have a vested interest in maintaining high security standards, and over the years, they have continuously improved their systems,” the expert adds.

How Secure Are Different Types of Sensors?

Optical sensors, commonly found in entry-level and mid-range smartphones, capture a two-dimensional image of the fingerprint, meaning they could theoretically be fooled by a high-quality image. Some smartphones use capacitive sensors, which measure the electrical resistance of the scanned object and can distinguish real skin from a silicone fingerprint. “However, these can still be tricked by incorporating conductive materials like graphite into a fake fingerprint,” says Leidner. High-end devices are increasingly using ultrasonic sensors, which are expensive but highly secure. “These sensors essentially ‘look inside’ the finger, detecting skin layers and even sweat glands—details that are extremely difficult for attackers to replicate,” the expert explains.

What Other Measures Protect Fingerprint Scanners from Forgery?

Many systems now incorporate AI to detect subtle deviations from a real fingerprint. “This helps prevent many attacks,” Leidner says. Additionally, most devices limit fingerprint authentication attempts to five tries before requiring a password. “Such measures discourage attackers and have proven very effective,” the expert adds. Since cybercriminals only get a handful of attempts to use a stolen or fake fingerprint, the cost-benefit calculation quickly turns against them.
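The balance between false rejections and false acceptances described earlier, combined with the five-try limit, worked through as an added example that is not part of the original article. The similarity scores, the candidate thresholds and the assumption that attempts are independent are constructed for illustration.

```python
# Constructed similarity scores (0..1), not measurements from any real sensor.
# GENUINE: the enrolled finger presented again; IMPOSTOR: other fingers.
GENUINE = [0.91, 0.84, 0.78, 0.88, 0.69, 0.95, 0.73, 0.81, 0.62, 0.87]
IMPOSTOR = [0.12, 0.33, 0.41, 0.27, 0.58, 0.19, 0.66, 0.36, 0.71, 0.22]
MAX_ATTEMPTS = 5  # the five-try limit before a password is required


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when a score >= threshold counts as a match."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def far_within_lockout(far, attempts=MAX_ATTEMPTS):
    """Chance that at least one of `attempts` impostor tries is accepted.

    Assumes the attempts are independent, which is a simplification.
    """
    return 1 - (1 - far) ** attempts


def pick_threshold(max_far_per_lockout, candidates):
    """Pick the most lenient threshold that still meets the security target.

    Walks the candidates from lenient to strict and returns
    (threshold, FRR, FAR) for the first one whose false-accept chance over
    the whole lockout window is within the target, or None if none qualifies.
    """
    for t in sorted(candidates):
        frr, far = error_rates(t)
        if far_within_lockout(far) <= max_far_per_lockout:
            return t, frr, far
    return None


if __name__ == "__main__":
    print("threshold  FRR   FAR   FAR over 5 tries")
    for t in (0.6, 0.7, 0.8):
        frr, far = error_rates(t)
        print(f"{t:9.1f}  {frr:.2f}  {far:.2f}  {far_within_lockout(far):.3f}")
    # A convenience-oriented target versus a strict one.
    print(pick_threshold(0.5, (0.6, 0.7, 0.8)))
    print(pick_threshold(0.01, (0.6, 0.7, 0.8)))
```

On this constructed data the strict target is met only at the cost of rejecting four in ten genuine presentations, which is the practicality-versus-security balance the article describes.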

 

Boris Michael Leidner, wearing blue glasses, smiles at the camera, dressed in a dark jacket against a light background.

Are Fingerprint Authentication Systems Secure Enough?

While fingerprint authentication is not foolproof, it has significantly contributed to the security of personal devices. “Because biometrics are much more convenient than passwords, they have encouraged many users to secure their smartphones in the first place,” says Leidner. However, since fingerprints can theoretically be forged, they should not be the sole method for securing critical access points like home entry systems. For sensitive applications, it is advisable to combine fingerprints with another authentication factor. “For online banking, for example, users should log in on a PC using a username and password, while transaction approvals can be verified via fingerprint on a smartphone. This combination of different factors enhances security,” Leidner recommends.

#explore - The Online Magazine by TÜV NORD

This is an article from #explore. #explore is a digital journey of discovery into a world that is rapidly changing. Increasing connectivity, innovative technologies, and all-encompassing digitalization are creating new things and turning the familiar upside down. However, this also brings dangers and risks: #explore shows a safe path through the connected world.