With the launch of the iPhone 5S last year, and the brand new Samsung Galaxy S5 hitting stores this month, fingerprint scanners on smartphones have finally hit the big time. Samsung, especially, is pushing the technology by extending it beyond its own ecosystem and making it available to third parties, as with PayPal, which uses the scanner to authenticate transactions through its mobile app. Despite all the potential, there’s a possible downside to what Samsung’s doing here, as security researchers raise the alarm about a combination of factors threatening to make the GS5’s scanner implementation a lot less secure than it might otherwise be.
For one, the GS5’s scanner is easily fooled by fake prints. As you can see in the video below, a simple mold made from a picture of a fingerprint left on a smartphone’s screen is sufficient to produce a forgery capable of passing the scanner’s tests. This vulnerability is hardly exclusive to the GS5, but it sets the stage for the software problems that really compound its impact.
The next problem is how trusting the GS5 is of a successful fingerprint scan. While the iPhone 5S would also prompt users for a password at least once, the GS5 doesn’t rely on secondary authentication like that. As a result, once someone lifts your print, your phone is fully compromised.
Finally, the researchers here take issue with how forgiving the GS5’s software is – as well as PayPal’s app – when it comes to failed scans. Almost like Samsung’s expecting the fingerprint scanner to be a little unreliable, it never appears to lock users out after multiple failed attempts. As a result, an attacker can keep on trying to get a copied print to work until it finally does.
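The second and third problems above are policy problems rather than sensor problems, and they are the kind of thing a platform or payment app can fix in software. The following is an added example, not code from Samsung, PayPal or the researchers: a small unlock policy that requires the passcode after a reboot or after a fixed period, backs off and then disables fingerprint unlock after repeated failed scans, and forces a passcode for high-value transactions. The thresholds (five failures, a 30-second base lockout, a 48-hour passcode timeout, a $100 step-up limit) and the `scan_matches` flag that stands in for the sensor's decision are all assumptions made for the example.

```python
"""Added example: a defender-side unlock policy for a fingerprint sensor.

The sensor's matching decision is represented by the boolean `scan_matches`;
everything here is the policy wrapped around that decision. All thresholds
are assumed values chosen for illustration.
"""
from dataclasses import dataclass

MAX_FAILURES = 5                     # failed scans before the passcode is forced
BACKOFF_AFTER = 3                    # failed scans before timed lockouts begin
LOCKOUT_SECONDS = 30                 # base lockout, doubles on each further failure
MAX_LOCKOUT_SECONDS = 3600           # cap on the doubling lockout
PASSCODE_TIMEOUT_SECONDS = 48 * 3600 # passcode required again after this long
STEP_UP_AMOUNT = 100.0               # transactions above this need the passcode


@dataclass
class UnlockState:
    failures: int = 0
    locked_until: float = 0.0
    last_passcode_unlock: float = -1.0   # -1 means "never since boot"
    fingerprint_enabled: bool = True


def attempt_fingerprint(state: UnlockState, scan_matches: bool, now: float) -> str:
    """Apply the policy to one scan. Returns 'ok', 'denied', 'locked' or
    'passcode_required'. `now` is a timestamp in seconds."""
    # Fingerprint is never the only factor: a passcode is needed after boot
    # and again once the passcode window has expired.
    if not state.fingerprint_enabled:
        return "passcode_required"
    if state.last_passcode_unlock < 0 or now - state.last_passcode_unlock > PASSCODE_TIMEOUT_SECONDS:
        return "passcode_required"
    # Honour an active timed lockout before consulting the sensor at all.
    if now < state.locked_until:
        return "locked"
    if scan_matches:
        state.failures = 0
        return "ok"
    # Failed scan: count it, back off, and eventually fall back to the passcode.
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.fingerprint_enabled = False
        return "passcode_required"
    if state.failures >= BACKOFF_AFTER:
        exponent = state.failures - BACKOFF_AFTER
        backoff = min(LOCKOUT_SECONDS * 2 ** exponent, MAX_LOCKOUT_SECONDS)
        state.locked_until = now + backoff
    return "denied"


def unlock_with_passcode(state: UnlockState, passcode_ok: bool, now: float) -> str:
    """A correct passcode re-arms fingerprint unlock and clears the counters."""
    if not passcode_ok:
        return "denied"
    state.failures = 0
    state.locked_until = 0.0
    state.fingerprint_enabled = True
    state.last_passcode_unlock = now
    return "ok"


def authorize_transaction(state: UnlockState, scan_matches: bool, now: float, amount: float) -> str:
    """Payment-app side: small amounts may use the fingerprint under the same
    policy; anything above STEP_UP_AMOUNT requires the passcode outright."""
    if amount > STEP_UP_AMOUNT:
        return "passcode_required"
    return attempt_fingerprint(state, scan_matches, now)


if __name__ == "__main__":
    # Constructed walk-through: fresh boot, passcode, then a run of failed scans.
    s = UnlockState()
    print(attempt_fingerprint(s, True, 0))          # passcode_required (fresh boot)
    print(unlock_with_passcode(s, True, 0))         # ok
    for t in range(10, 16):
        print(t, attempt_fingerprint(s, False, t))  # denied, denied, denied, locked...
```

The two behaviours worth noting are that a fresh boot never accepts a fingerprint alone, and that after the third failure every further failure costs the attacker a doubling wait until the fifth disables fingerprint unlock entirely; the payment path adds a step-up rule so the sensor's verdict is never the whole story for a large transaction.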
On the plus side, at least some of these concerns sound very addressable in software, so maybe Samsung will drop an update that allows for a password + fingerprint two-factor option.