How it works: Fingerprint scanning

By Deanna Zammit

Just 15 years ago, fingerprint scanning was a cinematic trope, the stuff of James Bond and Mission Impossible, meant to telegraph high-level security clearance and even higher stakes intelligence operations. Now, consumers carry the same technology around in their cell phone, using their most personal signature for quick access to a new round of Candy Crush.

Since fingerprint scanning has moved from espionage to everyday entry, we’ve created an explainer that covers the basics of how it works and why its gaining steam.

So, how does it work?

Most phones deploy a capacitive scanning method. Popularized by Apple’s TouchID, capacitive scanners use the same technology found in trackpads or touch screens; they detect a difference in electric charge between the surface our skin touches and the surfaces it does not.

Hardware-wise, phones use embedded, small-area scanners: the small ring at the bottom or back of the device. This area holds dozens of tiny metal strips narrower than the ridges in your fingertips. These strips, or “capacitors,” sense which ridges in your finger are touching the plates and which valleys are not. It then uses those differences in electric charge to compose a two- dimensional image of your fingerprint, which is then hashed into code and stored on your device.

More modern bezel-less phone designs leave little room for capacitive scanners, though, and at least one manufacturer has embraced optical scanning instead. Put simply, optical scanning uses light to take a high-resolution picture of your fingerprint. The ridges from your print block the light, while the space in the valleys reflected that light back to the scanner, forming the image.

This kind of tech has been widely employed by government agencies and law enforcement for years, in the form of SLAP scanners. These pricey pieces of hardware can scan as many as eight fingers at once.

Then, there’s ultrasonic scanning. Last year, Qualcomm released an ultrasonic fingerprint scanner that uses sound waves to map fingerprints. When the reader projects ultrasonic pulses, the finger absorbs some of that pulse and reflects the rest. The reader creates a three-dimensional image of the print by measuring the intensity of these returning pulses.

OK, so I took a picture of my fingerprint. Now what?

Once you scan your fingerprint, the integrated software uses the image to create a template that incorporates as many data points as the security system requires. These data points, called minutia, can include significant landmarks like ridges and whorls, or even smaller features like ridge density, scar tissue, and depth.

“Think of your fingerprint of the United States. Minutiae are measured in relation to one another, like the distance from city to city,” said Charles Hatcher, CEO of Diamond Fortress, a biometric security software provider based in Birmingham, Ala. These templates are then stored in a database. Whenever someone scans their print to gain access to a physical or digital location, the new scan is matched against a template to establish or verify a person’s identity.

In the case of fingerprints that unlock phones, your device matches the new scan to one stored in the phone. Your info never leaves your device.

Can it be fooled?

Sure. Capacitive scanners on phones are particularly vulnerable because instead of taking a read of a complete fingerprint, they scan and store partial prints. In fact, researchers at New York University created a set of “master fingerprints” that could fool the scanner up to 65 percent of the time.

Scanners that read full prints are more difficult to breach. Hatcher, whose company works with optical technology, said full-finger, optical scanning offers the highest level of security because high-resolution images can capture more data-points than other scan technology. The more data stored in a template, the harder it is to spoof the system.

Likewise, Qualcomm claims the depth of its ultrasonic image makes the reader harder to fool. It also says that the way it stores personally identifiable information—hashed fingerprint info in one server, identity info in another—makes its system less vulnerable to hacking.

Still, more than a few puckish video creators have shown that a set of ersatz silicon fingerprints could fool a simple system.

Where is this technology being used?

When it comes to access control, fingerprint scanners are best applied only to highly secure locations, like R&D labs, vaults, and other sensitive areas. For initial access, a key card works fine. Fingerprint scan technology has also been incorporated into some smart gun prototypes, though there doesn’t seem to be much momentum behind the widespread manufacture of them.

SDKs like Diamond Fortress’ allows almost any entity to integrate fingerprint scanning into their security system. Hatcher gave an example of an engineer who wants to gain access to a remote cell phone tower. The worker could simply snap a pic of their finger, verify it digitally and then collect an access code pushed to their phone.

That being said, you’ll most likely see fingerprint scanning gaining more widespread appeal in the financial and payments sectors. USAA introduced fingerprint log-in in 2015, and since then Santander, First National Bank and Bank of America have added the function as a faster and more secure alternative to passwords.

This technology will be especially useful, Hatcher said, in developing economies where countries like Pakistan and India are developing identity databases. Mobile banking apps that use fingerprint technology will be able to verify customer identity with certainty in places where brick and mortar locations are scares, but smartphones are plenty.

Recently, Mastercard is testing a new fingerprint-enabled credit card in South Africa. It’s as thin as a regular credit card and provides a second, more secure method of identification than a PIN number. Let’s just hope cashiers are on the lookout for fake fingertips.

 

Many of the articles within the media pages of the patriot1tech.com website are 3rd party in origin and have been included for informative purposes only. Decisions to include articles are solely based on the timely nature of the storyline as it applies to the security industry in general and to the proliferation of threats to public safety in particular. The inclusion of these articles does not imply that PATRIOT ONE its management, agents or employees endorses any statements expressed. The public is advised to fully investigate any contentious claims or assertions prior to arriving at any conclusions. Any hyperlinks included in these articles does not imply that PATRIOT ONE monitors or endorses these websites. Accordingly, PATRIOT ONE accepts no responsibility for such websites. Additional information regarding exclusions and liability limitations are outlined here.