by gorbypark 883 days ago
We don't know what kind of sensors were used to test this in the article, but there are two main types of fingerprint sensors: optical and capacitive. Optical is just a camera, basically. Capacitive actually measures the variation in electric conductivity caused by the ridges of the fingerprint and can build a unique ID from that. I think the "make a cast of the finger in an electrically conductive material that is more or less within the variation of resistance of an average human finger" method would work with these, too. There are more advanced sensors that are based on capacitive touch, but have anti-cheating measures, such as making sure you have a heartbeat and whatnot (think of how pulse ox meters that clip onto your finger work). I am not sure if any phones use the more advanced types, though. I think all of them would be defeatable by a motivated attacker, even "at scale". I imagine you could create a "skeleton" of a thumb that would defeat a heart-rate-based verification method, and then a 3D-printed fingerprint cast in a conductive material could be slipped over it, etc.

I think FaceID would be more secure based on the fact that it would be hard to fake an entire face at scale (FaceID does a bunch of verification-type stuff too to make sure you are not just pointing the sensor at a dummy that looks like a person). At the end of the day though, if an attacker has a sufficiently high-res scan of your finger or face, and enough time/money/will, any type of biometrics could be bypassed.

1 comments

The list of devices is on page 21 (of 33) in the presentation at https://web.archive.org/web/20030315060403/https://www.itu.i... . Seven were optical, four capacitive.

I understand a sufficiently capable attacker may be able to bypass fingerprints.

My question is: does the gummy bear method (or really, the gelatin method) still work against most modern fingerprint readers?

Even the 2003 research pointed out, at https://totseans.com/totse/en/bad_ideas/locks_and_security/1... , "If "live and well" detectors can clearly distinguish their moisture, electric resistance, transparency or bubble content (i.e., bubble rich material or not) between live fingers and gummy fingers, fingerprint systems can reject gummy fingers. Also, detection of compliance would be helpful for preventing gummy fingers. Furthermore, some of measures which have been proposed in patent literature may be useful in preventing gummy fingers."

Have those methods been widely integrated to make that 20+ year old method no longer viable?