21 November 2024
If you want to biometrically unlock your smartphone, you either hold the camera lens up to your face or place your finger on the home button. But what makes fingerprints so distinctive, how do fingerprint scanners work, and how reliably can real fingerprints be distinguished from fake ones? Our checklist clarifies the most important questions.
When did humankind first discover the fingerprint?
That there was something special about our fingerprints was already known to our distant ancestors. As early as the Bronze Age, people would immortalise their fingerprints in clay. In ancient China, they were first used to sign passports, promissory notes or other documents as early as the 7th century. At the end of the 19th century, researchers and criminologists discovered that fingerprints could be used to definitively identify people and thus also to convict criminals. The foundation for a method of comparing fingerprints was finally laid by English naturalist Francis Galton in 1892, who coined the term dactyloscopy, thereby ushering in a new era in the fight against crime. “This makes fingerprints the human biometric feature that has been studied the longest and the most thoroughly,” says Boris Michael Leidner, Team Leader for IT Compliance and biometrics expert at TÜVIT.
Are fingerprints really unique?
No two people have ever been identified as having the same fingerprint. Identical twins cannot be distinguished by DNA analysis, but they can be easily told apart by their fingerprints. The decisive factors are the differences in the tiny details – the fine endings and branches of the friction ridges, i.e. the lines that form the loops, whorls and arches on our fingertips. “Alongside genetics, environmental influences play a role in the embryonic development of the fingerprint, leading to different results even in identical twins,” explains Mr. Leidner.
How do fingerprint scanners work?
For the system to recognise your fingerprint, it first has to get to know it: the fingerprint is read into the system and stored. When you place your finger on the button again later, the stored print serves as the reference for the comparison. If the system reports a match, the smartphone unlocks.
Are they really one hundred percent reliable?
“They are not and never can be,” Mr. Leidner replies. Here’s why: unlike other authentication methods such as passwords, fingerprint scanning doesn’t offer a simple right or wrong as an answer. “The analogue print has to be transferred to the digital world, which inevitably results in error rates,” explains the expert. On top of that, it is simply impossible to place your finger at exactly the same angle as you did when the print was first read into the system. So that they don’t constantly reject legitimate users by mistake, the detection algorithms can’t be too strict. But nor can they be too generous, because the probability of false acceptances – the system admitting unauthorised persons with similar fingerprints – would then increase. “Biometric systems must therefore find a balance between practicality and security, which can vary depending on the intended use,” says Mr. Leidner.
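The trade-off described above can be made concrete with a small threshold sweep. The example below is added here and is not from the article or from TÜVIT; the match scores are constructed illustrative numbers, not real sensor output. A matcher accepts a presentation when its similarity score reaches a threshold; raising the threshold lowers the false acceptance rate (FAR) and raises the false rejection rate (FRR), and the point where the two curves cross is the equal error rate (EER) commonly used to compare matchers.

```python
"""False acceptance vs. false rejection for a score-based biometric matcher.

Added example; the scores below are constructed, not measured data.
"""
from dataclasses import dataclass

# Constructed similarity scores in [0, 1] between a presented finger and
# the enrolled template. Genuine attempts (the enrolled user) cluster high,
# impostor attempts (other people's fingers) cluster low, and the two
# populations overlap, which is what forces a threshold decision.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.71, 0.83, 0.90, 0.64, 0.87, 0.79, 0.93]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.67, 0.41, 0.30, 0.55, 0.18, 0.73]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # fraction of impostor attempts wrongly accepted
    frr: float  # fraction of genuine attempts wrongly rejected


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept when score >= threshold and count both kinds of mistake."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return ErrorRates(threshold, far, frr)


def sweep(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=20):
    """Error rates at evenly spaced thresholds 0, 1/steps, ..., 1."""
    return [error_rates(i / steps, genuine, impostor) for i in range(steps + 1)]


def equal_error_point(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest: the equal error rate (EER)."""
    return min(sweep(genuine, impostor), key=lambda r: abs(r.far - r.frr))


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-driven setting: the lowest threshold whose FAR stays within
    the budget, so legitimate users are rejected no more than necessary."""
    within_budget = [r for r in sweep(genuine, impostor) if r.far <= max_far]
    return min(within_budget, key=lambda r: r.threshold)


if __name__ == "__main__":
    for r in sweep():
        print(f"threshold {r.threshold:.2f}  FAR {r.far:.2f}  FRR {r.frr:.2f}")
    eer = equal_error_point()
    print(f"EER at threshold {eer.threshold:.2f}: FAR {eer.far:.2f}, FRR {eer.frr:.2f}")
    strict = threshold_for_max_far(0.0)
    print(f"zero false acceptances needs threshold {strict.threshold:.2f}, "
          f"costing FRR {strict.frr:.2f}")
```

Running the sweep shows the balance in numbers: with these constructed scores a threshold of 0.70 yields FAR and FRR of 10% each, while pushing FAR to zero requires 0.75 and doubles the rate at which the legitimate user is turned away. Real deployments choose the operating point from the intended use, as the article notes, which is why a border-control system and a phone unlock may sit at very different thresholds.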
Image caption (© Adobe Stock): Renewing your passport? It is common practice to give a fingerprint when visiting the authorities.
Image caption (© Adobe Stock): Unique: No two fingerprints are the same. Even twins differ.
And how are fingerprints stored?
The fingerprints for ID cards are stored exclusively on the ID cards themselves – encrypted on a security chip. Even on a smartphone, a fingerprint is usually only stored locally on a security chip, meaning that the device manufacturers have no access to it. It is not an image of the fingerprint that is stored, but a mathematical model of its features, which is then used for comparison during the scan. “From this template, it might be possible to reconstruct a part, but not the complete fingerprint,” explains Mr. Leidner. But the most important thing to note is that, as would be the case with a fingerprint on an ID card, hackers would first have to get their hands on the smartphone in question. And even if they were to succeed with colossal technical effort in reading the template, as it is usually encrypted the cybercriminals would still not be able to misuse the data to create a fake fingerprint.
Can our fingerprints be stolen?
It is extremely unlikely that the digital equivalent of a fingerprint will be stolen. In the analogue world, the situation is different: after all, we leave our prints everywhere. “Cybercriminals can lift them to create a false print,” Mr. Leidner points out. Biometric systems for government use – to capture fingerprints for ID cards, for example – must therefore be tested by independent testing institutes such as TÜVIT to determine whether they can reliably withstand various attacks using fake finger ends. There are no such mandatory tests for smartphones or other consumer electronics, Mr. Leidner adds. “But of course, manufacturers have a vested interest in ensuring that their devices comply with certain standards, so they have also gradually improved the security of their systems over the years,” says the expert.
What security do different types of sensors offer?
Optical sensors, which are installed in various entry-level and mid-range smartphones, create a two-dimensional image of the fingerprint and can therefore also be fooled by an image. Other smartphones rely on capacitive sensors that measure the resistance of the object placed on the phone and can thus in principle distinguish skin from a silicone finger. “However, such systems can also be outsmarted, for example by mixing a conductive material such as graphite into the fake fingertip,” says Mr. Leidner. In high-end devices, expensive but very secure ultrasonic sensors are now increasingly being used. “These can be used to look into your finger, as it were, and to make individual layers of skin and even sweat glands visible. These deep structures of the finger are of course much more difficult for attackers to simulate,” the expert says.
What other methods are used to secure scanners against counterfeiting?
Many systems now also use AI to detect possible deviations from real fingerprints: “Many attacks can already be fended off in this way,” says Mr. Leidner. In addition, you usually have a maximum of five attempts to unlock a phone before a password has to be entered. “Such measures are intended to demotivate attackers and also do this really well,” says the expert. After all, if you only have a handful of attempts to outwit a system even with an elaborately stolen and forged fingerprint, the cost-benefit calculation will quickly no longer make it worth doing for the cybercriminals.
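The attempt cap is a simple policy, but it is worth seeing why it matters. The example below is added here and is not from the article or from any phone manufacturer: it models the fallback to a password after five failed presentations (the figure quoted above) and computes how much a per-attempt acceptance probability can compound over the attempts an attacker is allowed. The per-attempt probability used in the `__main__` demonstration is an assumed placeholder, not a published device figure.

```python
"""Attempt-limited biometric unlock with password fallback.

Added example; MAX_FINGERPRINT_ATTEMPTS is the figure quoted in the article,
the attack probability in the demo is an assumed placeholder.
"""

MAX_FINGERPRINT_ATTEMPTS = 5


class UnlockPolicy:
    """Tracks consecutive failed fingerprint presentations and, once the cap
    is reached, refuses further biometric attempts until the password is
    entered correctly."""

    def __init__(self, max_attempts=MAX_FINGERPRINT_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked_to_password = False

    def present_finger(self, matched):
        """`matched` is the matcher's accept/reject decision for one
        presentation. Returns 'unlocked', 'retry' or 'password_required'."""
        if self.locked_to_password:
            # Biometric path is closed; even a genuine match is not honoured.
            return "password_required"
        if matched:
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.locked_to_password = True
            return "password_required"
        return "retry"

    def enter_password(self, correct):
        """A correct password re-opens the biometric path and resets the
        failure counter; a wrong one leaves the device locked."""
        if correct:
            self.failed = 0
            self.locked_to_password = False
            return "unlocked"
        return "password_required"


def simulate(decisions, max_attempts=MAX_FINGERPRINT_ATTEMPTS):
    """Feed a sequence of matcher decisions through a fresh policy and
    return the outcome of each presentation."""
    policy = UnlockPolicy(max_attempts)
    return [policy.present_finger(d) for d in decisions]


def success_probability(per_attempt, attempts):
    """Probability of at least one false acceptance in `attempts`
    independent presentations, each accepted with probability per_attempt."""
    return 1 - (1 - per_attempt) ** attempts


if __name__ == "__main__":
    # Five rejected presentations in a row: the fifth closes the biometric path.
    print(simulate([False] * 6))
    # Assumed placeholder per-attempt acceptance rate for a forged print.
    p = 1e-3
    print(f"unbounded 1000 tries: {success_probability(p, 1000):.3f}")
    print(f"capped at {MAX_FINGERPRINT_ATTEMPTS}: "
          f"{success_probability(p, MAX_FINGERPRINT_ATTEMPTS):.5f}")
```

With the cap, the adversary's odds are bounded by roughly five times the per-attempt false acceptance rate and never grow beyond that without the password; without the cap, even a small per-attempt rate compounds towards certainty given enough tries. That is the cost-benefit shift the article describes.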
Are fingerprint methods secure enough?
Although the fingerprint method doesn’t offer complete security, it has made a massive contribution to the security of our end devices, says Mr. Leidner: “Because biometrics are so much more convenient than a password, it has led many users to accept the need to protect their smartphones in the first place.” However, because fingerprints can also be forged, you shouldn’t use them as the only key to your front door, the expert advises. You should also use a further factor for authentication in other sensitive areas. “Online banking, for example, should be carried out on a PC on which you are logged in with a username and password. You can then approve a money transfer using your fingerprint on your smartphone, further increasing security by combining these different factors,” recommends Mr. Leidner.
Boris Michael Leidner is Team Leader for IT Conformity at TÜVIT. The computer scientist and his colleagues check hardware and software systems, for example, to see whether their IT security meets the requirements of the German Federal Office for Information Security (BSI). However, the cybersecurity experts are also actively involved in standardisation committees for the development of new security standards.