First, a direct quote from the researchers located here:
“The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
The above paragraph is an understatement! The hack requires physical access to the phone for a considerable length of time and it took the researchers several days to build the fingerprint models, each of which is constructed specifically for the type of sensor used in the phone. And this is before they get a good fingerprint from the owner.
One additional fact, the research team discovered that the two USB-encrypted pen drives they tested were impervious to this attack. So if you are protecting millions of dollars or state secrets, use a dongle!
For normal people with 401Ks, a new mobile phone biometric will certainly suffice and Mercator urges financial institutions to start incorporating biometrics and smartphones into their risk enabled authentication plans starting now, as we stated in the past and will state again in our new report to be released soon. Here are a few of the uninformed headlines:
Researchers easily dupe biometric scanners with fake fingerprints
Researchers fool devices’ biometric scanners with replicated fingerprints
3-D printers help override biometric security measures
Fingerprint biometrics for mobile devices perform badly in tests
‘Fake Fingerprints’ Bypass Scanners with 3D Printing
Cisco researchers fool Samsung, Apple fingerprint sensors using a 3D printer
Overview provided by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group.