New research reveals a surprising level of vulnerability in fingerprint-based security systems.
Fingerprint authentication systems are a widely trusted, ubiquitous form of biometric authentication, deployed on billions of smartphones and other devices worldwide. Using a neural network trained to synthesize human fingerprints, however, researchers have evolved a fake fingerprint that could potentially fool a touch-based authentication system for up to one in five people.
Similar to the way that a master key can unlock every door in a building, these “DeepMasterPrints” use artificial intelligence to match a large number of prints stored in fingerprint databases and could thus theoretically unlock a large number of devices.
The work builds on earlier research that coined the term “MasterPrint” to describe how fingerprint-based systems use partial fingerprints, rather than full ones, to confirm identity. Devices typically allow users to enroll several different finger images, and a match for any saved partial print is enough to confirm identity. Partial fingerprints are less likely to be unique than full prints, and the past work demonstrated that enough similarities exist between partial prints to create MasterPrints capable of matching many stored partials in a database.
Lead author Philip Bontrager, a doctoral student at the Tandon School of Engineering at New York University, and his collaborators took this concept further, training a machine-learning algorithm to generate synthetic fingerprints as MasterPrints.
The researchers created complete images of these synthetic fingerprints, which is important for two reasons. First, it’s yet another step toward assessing the viability of MasterPrints against real devices, which the researchers have yet to test; and second, because these images replicate the quality of fingerprint images stored in fingerprint-accessible systems, they could potentially be used to launch a brute-force attack against a secure cache of these images.
“Fingerprint-based authentication is still a strong way to protect a device or a system, but at this point, most systems don’t verify whether a fingerprint or other biometric is coming from a real person or a replica,” says Bontrager. “These experiments demonstrate the need for multi-factor authentication and should be a wake-up call for device manufacturers about the potential for artificial fingerprint attacks.”
This research has applications in fields beyond security. Julian Togelius, an associate professor of computer science and engineering who led the research, notes that the Latent Variable Evolution method researchers used here to generate fingerprints can also be used to make designs in other industries—notably game development. The technique has already been used to generate new levels in popular video games.
The researchers presented the research at the IEEE International Conference of Biometrics: Theory, Applications, and Systems. A National Science Foundation grant supported the work. Additional coauthors are from NYU and Michigan State University.
Source: New York University