MasterPrint

Exploring the Vulnerability of Partial Fingerprint-Based Authentication Systems

Aditi Roy, Nasir Memon, Arun Ross

Research output: Contribution to journalArticle

Abstract

This paper investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication. Furthermore, in some cases, the user is allowed to enroll multiple fingers, and the impressions pertaining to multiple partial fingers are associated with the same identity (i.e., one user). A user is said to be successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates. This paper investigates the possibility of generating a 'MasterPrint,' a synthetic or real partial fingerprint that serendipitously matches one or more of the stored templates for a significant number of users. Our preliminary results on an optical fingerprint data set and a capacitive fingerprint data set indicate that it is indeed possible to locate or generate partial fingerprints that can be used to impersonate a large number of users. In this regard, we expose a potential vulnerability of partial fingerprint-based authentication systems, especially when multiple impressions are enrolled per finger.

Original languageEnglish (US)
Article number7893784
Pages (from-to)2013-2025
Number of pages13
JournalIEEE Transactions on Information Forensics and Security
Volume12
Issue number9
DOIs
StatePublished - Sep 1 2017

Fingerprint

Authentication
Consumer electronics
Smartphones
Sensors

Keywords

  • Authentication
  • biometrics
  • computer security
  • dictionary attack
  • fingerprint recognition
  • hill climbing
  • mobile applications
  • mobile device authentication
  • partial fingerprint

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

MasterPrint : Exploring the Vulnerability of Partial Fingerprint-Based Authentication Systems. / Roy, Aditi; Memon, Nasir; Ross, Arun.

In: IEEE Transactions on Information Forensics and Security, Vol. 12, No. 9, 7893784, 01.09.2017, p. 2013-2025.

Research output: Contribution to journalArticle

@article{aa7c83cdd2f04e348b994648eee3ae95,
title = "MasterPrint: Exploring the Vulnerability of Partial Fingerprint-Based Authentication Systems",
abstract = "This paper investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication. Furthermore, in some cases, the user is allowed to enroll multiple fingers, and the impressions pertaining to multiple partial fingers are associated with the same identity (i.e., one user). A user is said to be successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates. This paper investigates the possibility of generating a 'MasterPrint,' a synthetic or real partial fingerprint that serendipitously matches one or more of the stored templates for a significant number of users. Our preliminary results on an optical fingerprint data set and a capacitive fingerprint data set indicate that it is indeed possible to locate or generate partial fingerprints that can be used to impersonate a large number of users. In this regard, we expose a potential vulnerability of partial fingerprint-based authentication systems, especially when multiple impressions are enrolled per finger.",
keywords = "Authentication, biometrics, computer security, dictionary attack, fingerprint recognition, hill climbing, mobile applications, mobile device authentication, partial fingerprint",
author = "Aditi Roy and Nasir Memon and Arun Ross",
year = "2017",
month = "9",
day = "1",
doi = "10.1109/TIFS.2017.2691658",
language = "English (US)",
volume = "12",
pages = "2013--2025",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "9",

}

TY - JOUR

T1 - MasterPrint

T2 - Exploring the Vulnerability of Partial Fingerprint-Based Authentication Systems

AU - Roy, Aditi

AU - Memon, Nasir

AU - Ross, Arun

PY - 2017/9/1

Y1 - 2017/9/1

N2 - This paper investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication. Furthermore, in some cases, the user is allowed to enroll multiple fingers, and the impressions pertaining to multiple partial fingers are associated with the same identity (i.e., one user). A user is said to be successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates. This paper investigates the possibility of generating a 'MasterPrint,' a synthetic or real partial fingerprint that serendipitously matches one or more of the stored templates for a significant number of users. Our preliminary results on an optical fingerprint data set and a capacitive fingerprint data set indicate that it is indeed possible to locate or generate partial fingerprints that can be used to impersonate a large number of users. In this regard, we expose a potential vulnerability of partial fingerprint-based authentication systems, especially when multiple impressions are enrolled per finger.

AB - This paper investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication. Furthermore, in some cases, the user is allowed to enroll multiple fingers, and the impressions pertaining to multiple partial fingers are associated with the same identity (i.e., one user). A user is said to be successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates. This paper investigates the possibility of generating a 'MasterPrint,' a synthetic or real partial fingerprint that serendipitously matches one or more of the stored templates for a significant number of users. Our preliminary results on an optical fingerprint data set and a capacitive fingerprint data set indicate that it is indeed possible to locate or generate partial fingerprints that can be used to impersonate a large number of users. In this regard, we expose a potential vulnerability of partial fingerprint-based authentication systems, especially when multiple impressions are enrolled per finger.

KW - Authentication

KW - biometrics

KW - computer security

KW - dictionary attack

KW - fingerprint recognition

KW - hill climbing

KW - mobile applications

KW - mobile device authentication

KW - partial fingerprint

UR - http://www.scopus.com/inward/record.url?scp=85028326293&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85028326293&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2017.2691658

DO - 10.1109/TIFS.2017.2691658

M3 - Article

VL - 12

SP - 2013

EP - 2025

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

IS - 9

M1 - 7893784

ER -