How Secure Is Fingerprint Scanning (TouchID) on Your Smartphone

Are security protocols based on fingerprint scans truly safe? Though they’re not foolproof, they’re better than most alternatives. Find out why.

May 20, 2021 - 2 min.
Adrian Straub

Our smartphones and mobile devices have literally placed the world at our fingertips. From booking flights to communicating with people all over the globe to international commerce and banking, everything is just a swipe or a click away. And nowadays, thanks to advances in mobile technology and biometrics, our fingertips even keep our devices and app data secure.

How does it work?

When setting up your new device you can choose to add a fingerprint scan. Nowadays, this is commonly accomplished using capacitive touch technology to capture high-resolution images of sections of your finger. These images form a map of your finger with details and variations that are invisible to the human eye. This finger scan never leaves your device. However, every time you want to unlock your mobile phone, access your online bank account, open an app account, etc., your device can compare your fingerprint against the stored fingerprint and then verify if you are authorised to access the information or content you want to access.

Can you outsmart a fingerprint sensor?

The easy answer is: no. However, the real answer is a bit more complex.

Let’s imagine you want to open your online banking app on your mobile device. When you open the app, instead of typing in your username and password, you place your finger on your mobile device’s sensor. At this point, your device scans your finger to determine if it matches the stored fingerprint. There are a number of different scanners available to perform this task: from capacitive scanners, which rely on electric waves, to optical scanners, which rely on a visual image of the fingerprint, to ultrasound scanners, which rely on sound waves.

Perhaps the complexity of tricking a fingerprint sensor is becoming clearer. You still need the fingerprint in order to fool the sensor! But how do you get one?

Though the average person would probably find it difficult to obtain a fingerprint that isn’t their own, it is far from impossible. Cybercriminals have indeed come up with several deceptive methods to bypass fingerprint sensors. For example, if they have access to the finger in question, they can create a mould of it that can then be placed on the sensor. They can also buy illegally acquired fingerprints and then turn these into moulds using a 3-D printer. However, these are tedious, time-consuming, and costly methods. And with many devices now also incorporating liveness detection into fingerprint scanning technology, a fingerprint mould is often not enough to circumvent the scanner.

Does it make sense to rely on fingerprint scans for security?

Fingerprint scanning has one major advantage over traditional security systems. It is passwordless. This provides users an added layer of comfort and convenience since they no longer have to remember and type in long and complicated passwords to access their data. However, it also offers an added level of security for service providers. If users aren’t tempted to choose easy-to-remember passwords or reuse the same password across the board for all platforms, services, and devices, then service providers can avoid the risk of their systems being hacked should passwords be stolen.

And although you can’t eliminate the possibility of fingerprints being faked, you can make your overall security system less hackable by employing two-factor or multi-factor authentication. By requesting added verification and authentication factors, like the user’s geolocation or single-use PINs, you can increase the level of certainty that the person attempting to gain access is indeed authorised to do so.
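The layering described above can be sketched as a server-side decision, shown here as an added example that is not code from the original article: a fingerprint match alone is accepted only from a usual location, and anywhere else a single-use PIN is required and cannot be replayed. The `Account` class, the `authorise` policy and the country codes are assumptions made for illustration; the PIN uses the standard HOTP algorithm (RFC 4226), and `fingerprint_matched` stands in for the device's local match result, since the scan itself never leaves the device.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Single-use PIN for one counter value (HOTP, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Server-side state for one user (hypothetical structure)."""

    def __init__(self, secret: bytes, usual_countries: set, look_ahead: int = 3):
        self.secret = secret
        self.usual_countries = usual_countries
        self.counter = 0              # next unused PIN counter
        self.look_ahead = look_ahead  # tolerate a few generated-but-unused PINs

    def consume_pin(self, pin: str) -> bool:
        """Accept a PIN once; advancing the counter makes a replay fail."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # Constant-time comparison on bytes; also works for non-ASCII input.
            if hmac.compare_digest(hotp(self.secret, c).encode(), pin.encode()):
                self.counter = c + 1
                return True
        return False


def authorise(account: Account, fingerprint_matched: bool, country: str,
              pin: Optional[str] = None) -> str:
    """Return 'allow', 'step_up' (ask for a PIN) or 'deny'."""
    if not fingerprint_matched:        # device-local match result; no scan is sent
        return "deny"
    if country in account.usual_countries:
        return "allow"                 # fingerprint + expected location
    if pin is None:
        return "step_up"               # unusual location: request a single-use PIN
    return "allow" if account.consume_pin(pin) else "deny"
```

A failed fingerprint match is rejected before the PIN is examined, so a stolen PIN on its own never advances the counter or grants access.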

So how secure is fingerprint scanning? It is certainly more secure than most of the alternatives. And using it as one factor in a 2FA or MFA verification system makes it nearly foolproof.