Are Fingerprint ‘Passwords’ As Safe As They Sound?

The big buzzword in payments security today is biometrics — specifically, the chatter around using fingerprints as passwords, as many mobile applications enable today.

And with consumers now accustomed to using their fingerprint as their “password” to get into their phone over typing in a four- or six-digit number, it seems fingerprints are here to stay as the norm for mobile security. But are they as safe as they are pitched?

Well, according to Jason Chaikin, president of New York City-based Vkansee, a company that develops fingerprint-based security systems, fingerprints can be “spoofed” as easily as a traditional numerical password. Speaking at Mobile World Congress, as cited in The Wall Street Journal, Chaikin explained how an iPhone fingerprint sensor can be hacked in as little as 10 minutes.

The good news, of course, is that it isn’t easy for everyone. And there isn’t a foolproof way to hack the phones, but it is possible. He demonstrated this with a fingerprint mold that was used to hack an iPhone. It eventually worked after a few times, the report said.

In response to a question about the hack, a U.K.-based spokesman for Apple told WSJ that its fingerprint security “creates a mathematical representation of your fingerprint to provide an accurate match and a very high level of security.” Samsung denied to comment on the subject.

There are others who say fingerprints can be lifted to later hack into the phones. Research from Michigan State University showed it was possible to print a fingerprint using special ink to unlock a phone. A Samsung Galaxy S7 was used for the experiment.

“This is, obviously, very dangerous — potentially, for the user,” Bo Pi, CTO at Goodix Technology Inc., told WSJ.

What Goodix suggested as a potential fix is adding extra security layers into the fingerprint systems on the market today. This includes the ability to add a sensor to measure if the fingerprint is from a real person or not. A camera that’s added to the fingerprint sensor would also be useful, he said.

Another expert also pointed to the other problem of fingerprint security: What happens when hackers get smarter?

“One of the major pros of a password is how easy it is to reset,” James Lyne, global head of security research at consultancy Sophos, told WSJ. “Once you’ve lost a fingerprint, changing these can be extremely difficult.”

Even an executive from Visa talked about the difficulties of relying on fingerprint technology, which he said is about balancing convenience and security.

Sam Shrauger, Visa senior VP of digital solutions, told WSJ that Visa is involved with plans to make biometric mobile payments better and more secure. That could be, for example, using a consumer’s iris as a way to verify an identity. He suggested using multiple biometric authentication techniques — on top of a password — for the best password.