Fingerprint scanners are fast becoming a standard feature, trickling from the high-end to lower-tier phones. Soon enough, they will be on most phones because they bring a convenient form of security that is much more convenient than a password (and long password!) and much more secure than a 4-digit PIN code. Let’s see how they work.
Definition: Fingerprint scanners are digital input devices that read a (human) fingerprint and output a 2D/3D image dataset that a fingerprint matching software can exploit. Although the base principle is simple, making fingerprint reader reliable, secure, small, fast and affordable is not.
Capacitive fingerprint scanners
Capacitive fingerprint scanners are the type mostly used in smartphones. They work according to the principle that if the distance is short enough, it’s possible to transfer electricity from a capacitor and the skin.
At the scale of such capacitors, fingerprint ridges are like hills and valleys. Ridges will seem closer to the capacitor, and more electricity will flow away. If you have an array or a grid of capacitors (the more, the higher the resolution), they can act like pixels with varying gray-level intensity (higher electricity flow, darker pixel), thus forming a 2D fingerprint image.
It’s simple, very robust and only works with skin. You can’t fool it with a piece of paper, and if you try to make a mold of a real fingerprint, you need to find a material that has the same conductivity as skin. Not impossible, but inconvenient enough to weed out most perps.
The downside of capacitive fingerprint readers is that they can’t work if the finger isn’t clean, or has water/sweat on it because that changes the conductivity upon which the system is built. Also, they don’t work behind metal. That’s why there’s always a visible fingerprint reader.
Ultrasonic fingerprint readers
These sensors are new, and could be the future if they perform as intended. The principle is 3D instead of 2D. Using ultrasound, the sensor can map the 3D ridges and valley that form the fingerprint.
It can also pick up on individual skin pores according to Qualcomm, the first OEM that came up with a working design called Qualcomm Sense ID. In some ways, it’s similar to 3D echography used to see babies in their mothers’ womb but on a smaller scale.
The advantage is that this is potentially much more accurate (in resolution) than a capacitive fingerprint reader, the distance between the fingerprint and the sensor can be higher, and it works behind metal/glass. This means that the fingerprint sensor does not need to be visible and can be hidden behind the phone’s chassis, or possibly under the display. We’ll have to see.
The first phone to use this technology was the LeEco/LETV Max Pro, and we played with it at CES 2016.
Optical Fingerprint Readers
Optical fingerprint readers are older, and they use the simplest technology. A light shines the fingerprint from the side to reveal the ridges and valleys of the fingerprint for an optical sensor to read. This is reliable simple and affordable to build on large surfaces (to print several fingers or a whole palm).
The downside is that it requires a larger volume to accommodate the light, and it’s not very secure because a printed image, a prosthetic, or a molded fingerprint could lead to a match: they are the easiest to fool because they are essentially like Photocopiers.
Interestingly enough, Vkansee presented an optical fingerprint scanner for phones in 2015. They claim an incredible 2000 DPI resolution, which is vastly superior to other technologies. To know more, watch the Youtube video from ARMdevices.net, or read more details on Tomshardware.
Static vs. Swipe Fingerprint Scanners
Most new fingerprint sensors are “static” sensors, which means that you put your finger on a round or square sensor (which is a 2D array of sensors, like a pixel grid), and don’t have to move it. The advantage of a static sensor is that it is more accurate. The inconvenience is that the cost is higher when compared to a swipe sensor.
A swipe sensor is the equivalent of a 1D array of sensors, as one line of pixels. It is less expensive to produce but requires that the user moves the finger at a steady pace to scan a 2D image of the fingerprint. This is more prone to deformations (change in swiping speed), so it is less accurate than a static scanner.
Other fingerprint scanners not used for consumer electronics
Thermal fingerprint scanners work in a similar fashion to the capacitive fingerprint reader, except that instead of measuring an electric flow, they measure temperature variations. The ridges of the print do create more heat than the valleys (yes, it’s THAT sensitive), and that’s who they can create a 2D image for analysis. And yes, it needs to be a warm body.
Pressure fingerprint scanners capture the difference in pressure caused by the ridges and valleys of the print. Again, we are talking about minute differences, so this is extremely sensitive. The downside is that any layer that you put on top of the sensor (glass…) will affect the sensitivity. But if you don’t put anything, the sensor could be more exposed to shocks and scratches.
Radio Frequency (RF) fingerprint sensors have tiny antennas for each pixel of the final 2D image. They can go beyond skin-depth and read slightly underneath the skin (like a limited echography), which provides more data and can work around small skin damage. The iPhone 5S scanner was said to be based on both RF and Capacitive technologies.
It scanned my fingerprint, then what?
As we said previously, the output of fingerprint sensors is a 2D gray-scale image of a fingerprint, which is then ready for analysis. The image is stored locally, preferably in a secure area of the phone, and in an encrypted form.
Some OEMs use ARM’s Trustzone technology to keep the fingerprint scan away from even the Operating System so that 3rd party apps (not from the device maker itself) can’t read it.
In theory, the image should never leave the device’s secure zone, and should never be transmitted to any server. Instead, the fingerprint image will be analyzed and distilled into a unique-enough histogram, a checksum or another pattern unique to that particular security system to be used for a match. Even if that computed pattern is intercepted by hackers, it’s impossible to reverse-engineer the original fingerprint image from it.
Fingerprint security concerns
Fingerprints can be seen as added security or added convenience, often both. At the end of the day, your systems are often accessible by a password in case the fingerprint reader doesn’t work, so you must not neglect the basic security of having a strong password and two-factor authentication.
Keep in mind that fingerprints can be, and have been hacked in the past. It’s even possible to “lift” a print using a high-quality photo in a public space. The main issue is that while you can change your password, you can’t change your print. In general, these breaches are extreme cases, and as long as you treat fingerprints as “one more layer” and not “THE solution” to your security concerns, you should be fine.