by gorbypark 883 days ago
I think the real issue would be physical access. With fairly high resolution 3D printers and a copy of your prints, I'm sure a replica of your prints could be created in a matter of minutes. Imagine you are at an airport and customs wants to look at your phone. You refuse to unlock it. Depending on the country, they can compel you to do so. If you refuse to comply and they have a copy of your prints, they could just have a replica printed out. This is why there is usually a way to set your phone into a state where it requires a passcode, which in theory is more legally protected than biometrics (on an iPhone, hold the power button + volume up/down for a second until you get the screen to turn off / make an emergency call. Even if you now hit cancel, the phone requires a passcode to unlock).
1 comments

You don't even need anything that advanced. Most biometric scanners can be bypassed with a gummy bear!

https://www.theregister.com/2002/05/16/gummi_bears_defeat_fi...

Well, to be fair, the article is about a guy etching fingerprints into a photosensitive PCB to essentially create a mould, then using gelatine to cast a fingerprint... seems way more advanced than directly printing out a replica finger or at least printing out a mould and casting it more or less like the article mentions with gelatine.

That was nearly 22 years ago. Does the same attack still work against most modern biometric scanners?

We don't know what kind of sensors were used to test this in the article, but there are two main types of fingerprint sensors, optical and capacitive. Optical is just a camera, basically. Capacitive actually measures the variation in electric conductivity caused by the ridges of the fingerprint and can build a unique ID from that. I think the "make a cast of the finger in an electrically conductive material that is more or less within the variation of resistance of an average human finger" method would work with these, too. There are more advanced sensors that are based on capacitive touch, but have anti-cheating measures, such as making sure you have a heartbeat and whatnot (think of how pulse ox meters that clip onto your finger work). I am not sure if any phones use the more advanced types, though. I think all of them would be defeatable by a motivated attacker, even "at scale". I imagine you could create a "skeleton" of a thumb that would defeat a heart rate based verification method, and then a 3D printed fingerprint cast in a conductive material could be slipped over it, etc.

I think FaceID would be more secure based on the fact that it would be hard to fake an entire face at scale (FaceID does a bunch of verification type stuff too to make sure you are not just pointing the sensor at a dummy that looks like a person). At the end of the day though, if an attacker has a sufficiently high res scan of your finger or face, and enough time/money/will, any type of biometrics could be bypassed.

The list of devices is on page 21 (of 33) in the presentation at https://web.archive.org/web/20030315060403/https://www.itu.i... . Seven were optical, four capacitive.

I understand a sufficiently capable attacker may be able to bypass fingerprints.

My question is: does the gummy bear method (or really, the gelatin method) still work against most modern fingerprint readers?

Even the 2003 research pointed out, at https://totseans.com/totse/en/bad_ideas/locks_and_security/1... , "If "live and well" detectors can clearly distinguish their moisture, electric resistance, transparency or bubble content (i.e., bubble rich material or not) between live fingers and gummy fingers, fingerprint systems can reject gummy fingers. Also, detection of compliance would be helpful for preventing gummy fingers. Furthermore, some of measures which have been proposed in patent literature may be useful in preventing gummy fingers."

Have those methods been widely integrated to make that 20+ year old method no longer viable?

Well, if you have a Google Pixel you have nothing to worry about, as it won't recognise a legit fingerprint 9 out of 10 times.