Biometric means of authentication, especially fingerprints, have for long been considered highly secure because of their uniqueness. And despite some established research on spoofing fingerprints, the idea has been far from achievable for scamsters and other criminals.
If you go by the economics of the game, the cost of collecting unique and fairly accurate fingerprints of each prospective victim, and then forging them onto a medium or faux finger is likely to be higher than what these criminals could steal. One exception, however, may be influential personalities – but most of us might pragmatically escape the chance of having both – our fingerprints and our data (and/or money) – stolen.
A threat to this condition is a new AI called DeepMasterPrints, which has over time, learned how to produce a single “master” fingerprint that can easily trick any fingerprint scanner. The obvious analogy, which Vice Media’s Motherboard also summons, is that of a master key which can unlock most, if not all, of the locks.
This AI is made up of two GANs or generative adversarial networks. In a GAN, two neural networks which improve accuracy by working in harmony, with one acting as a “generator” which produces a unique dataset – 2D image of a fingerprint in this case – while the other works as a “discriminator” and tests the produced results. The result is verified and changed slightly by the generator every time the discriminator rejects it. As a result, the process is repeated thousands or even millions of times until the perfect solution is found.
Researchers from the New York University and the University of Michigan, together, have used a GAN to create a set of master prints. These neural networks were trained using “rolled” fingerprints etched on pieces of paper after being scanned as well as using data from smartphones.
What is most concerning is the fact that fingerprint readers on smartphones capture the impressions only partially, which gives the “sneaky AI” an edge over the docile scanners on phones. The researchers were able to fool systems of three different levels of security with success rates of 76% (for the lowest security), 22% (for medium security) and 1.2% (for highest security).
These levels of security are designed as:
- Highest – will unlock incorrectly using the wrong fingerprint once in ten thousand times
- Medium – once in a thousand times
- Lowest – once in a hundred times
This means that if 1,000 people use a smartphone with the most secure fingerprint scanner (with the highest security level), 12 people could be duped using the master fingerprint. Imagine what happens to people using cheaper smartphones.
While this does not elicit an instant response from the industry or permanent banishment of the beloved and prized fingerprint scanner, researchers might have to look for ways to either make fingerprint scanner more secure or hunt for other mechanisms.
Meanwhile, the paper does not call out facial authentication on smartphones as is the case with iPhones, we are not very sure that Apple’s Face ID is unspoofable. So, what do you think will be the future of biometric unlocking?