Investigating and Addressing Vulnerabilities in Fingerprint-based Authentication Systems
A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication. Further, the user is allowed to enroll multiple fingers, and the partial impressions pertaining to multiple fingers are associated with the same identity (i.e., one user). Thus, a user is successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates.
This project investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. Specifically, it investigates the possibility of generating a “MasterPrint”, a synthetic or real partial fingerprint that serendipitously matches one or more of the stored templates for a significant number of users. Our preliminary results on an optical fingerprint dataset and a capacitive fingerprint dataset indicate that it is indeed possible to locate or generate partial fingerprints that can be used to impersonate a large number of users. In this regard, we expose a potential vulnerability of partial fingerprint-based authentication systems, especially when multiple impressions are enrolled per finger.
A partial fingerprint dataset created from the FVC2002 DB1-A dataset can be downloaded here.
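The match-any rule described above can be turned into a simple risk estimate. The following sketch is an added example, not code from the project: it computes how the chance of accepting an impostor grows with the number of enrolled partial templates, and checks the closed form by simulation. The per-comparison false match rate, the template counts, the function names, and the assumption that comparisons are statistically independent are all constructed for illustration.

```python
import random

def system_fmr(fmr, templates, attempts=1):
    """Probability that an impostor probe is accepted when matching ANY one
    stored template is enough. Assumes independent comparisons, each with
    per-comparison false match rate `fmr` (a simplifying assumption)."""
    if not 0.0 <= fmr <= 1.0:
        raise ValueError("fmr must be a probability")
    if templates < 0 or attempts < 0:
        raise ValueError("counts must be non-negative")
    return 1.0 - (1.0 - fmr) ** (templates * attempts)

def max_templates(fmr, target, attempts=1, limit=10_000):
    """Largest number of templates per user that keeps the system-level
    false match rate at or below `target` (search capped at `limit`)."""
    n = 0
    while n < limit and system_fmr(fmr, n + 1, attempts) <= target:
        n += 1
    return n

def simulate(fmr, templates, trials, seed=0):
    """Monte Carlo check: fraction of impostor probes that falsely match
    at least one of `templates` stored partial impressions."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        if any(rng.random() < fmr for _ in range(templates)):
            accepted += 1
    return accepted / trials

if __name__ == "__main__":
    FMR = 0.001  # constructed per-comparison false match rate (0.1%)
    # (fingers, partial impressions per finger): constructed enrollment sizes
    for fingers, impressions in [(1, 1), (1, 12), (3, 12)]:
        n = fingers * impressions
        print(f"{fingers} finger(s) x {impressions} impressions = {n:2d} templates: "
              f"1 attempt {system_fmr(FMR, n):.4f}, "
              f"5 attempts {system_fmr(FMR, n, attempts=5):.4f}")
    print("templates allowed for a 1% system-level target:",
          max_templates(FMR, 0.01))
    print("simulated, fmr=0.01, 36 templates:", simulate(0.01, 36, 20000, seed=1))
```

A print that matches many users is exactly a case where comparisons are not independent, so these figures describe the baseline inflation from the match-any rule rather than the full exposure.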