Like most (if not all) Hackaday readers, I like to know how the technology I use works. I’m always amazed, for example, how many otherwise smart people have no idea how the cellphone network works other than “it’s a radio.” So now that I have two phones with fingerprint scanners on them, I decided I needed to know more about what’s going on in there.
Sure, I assumed the sensor was capacitive (but maybe not, I found out). Plus we all know some super glue, scotch tape, and gummy bears are all you need to fake one out. However, that’s been known for about 15 years and we are still seeing phones and other devices rolling out with the same scanners. So for now, put aside the debate about whether we should be using fingerprint scanners. Let’s talk about how those sensors work.
There are at least three common ways to scan a fingerprint: Take a picture of it, sense it capacitively, or sense it using ultrasound. However you do it, you wind up with an image of the print. Then from that image, you have to work out if it is the right finger or not.
Makes sense that you can take a picture of a fingerprint using a camera-like device. In fact, I’ve seen this used when getting fingerprints made for identification. The recent Samsung Galaxy S8+ uses an optical sensor under the phone’s screen. This was planned, apparently for the Galaxy S8, but was scrapped at the last minute due to technical issues. However, some optical sensors can be easy to fool with a picture of a finger and a dirty finger can cause issues, too. Some sensors use a second method to detect a live finger such as detecting a pulse or body heat.
There are two ways capacitive fingerprint sensors–the kind in most phones–can work: active or passive. Either way, each sensor element acts like a capacitor. For passive scanning, your finger forms the other plate of each capacitor. In active scanning, the sensor has both plates and your finger changes the expected capacitance.
Either way, these are cheap and fairly robust. The only problem is your finger has to come in close contact with the silicon sensor and that can cause problems if your finger has an electrostatic charge on it. Asking people to wear a wrist strap to unlock their phones isn’t practical, so the sensors require special construction to help them handle high voltages due to electrostatics.
Some recent phones use ultrasound to sense the dermal layer of your finger which also has the fingerprint ridges. These don’t have problems with dirt and even a scar on your finger won’t stop it from identifying you. It may even be less susceptible to fake-finger spoofing, but time will tell if that’s true or not.
So one way or another, you have a bitmapped image of a fingerprint. Now what? Apparently, there are three types of fingerprint patterns: arch, loop, and whorl. The arch is just what it sounds like and starts on one side of the finger and goes to the other. The loop doubles back and exits the same side it started. The whorl circles around a central point. Interestingly, family members often have similar fingerprint patterns, but even identical twins don’t have the exact same prints.
There are several algorithms for matching prints, but the most common one is the minutia matching algorithm. This looks at three things: where your ridges end, very short ridges, and places where ridges split into two. Based on those, there’s enough information to differentiate your print from most other people’s. You can find a short but scholarly paper describing the process if you want to try your own implementation. Or, if you search, there are multiple variations on GitHub, some based on later papers.
The algorithm isn’t foolproof, of course. But the chances of someone trying to unlock your phone randomly having the same pattern is pretty low. Google’s guidelines, for example, says the scanner can have no more than a 0.002% false positive rate. If 50,000 people try to unlock your phone, then, you can expect one of them will get in. Of course, if the one that gets in is the first one of the 50,000… maybe you should buy a lottery ticket if that happens.
GIVING YOUR PHONE THE FINGER
That’s how a fingerprint scanner works in a nutshell. Like I said, though, faking out a sensor isn’t that hard if you are committed (see the video below) so maybe you shouldn’t lock your bank password behind your fingerprint.
Of course, you have to wonder why we even have fingerprints or why they are just on our fingers. Scientists don’t know, but they have disproved the old notion that it helped us grip better.