3

My phone has a fingerprint lock and it sometimes fails to identify my fingerprint (for example, if it wasn't positioned correctly).

If I fail fingerprint identification 5 times in a row, I'm locked out for 30 seconds. This is very annoying for the user (me).

What's the security benefit here? Is there a way to brute-force fingerprints?

ColBeseder
  • 320
  • 3
  • 11

1 Answers1

2

Any delay would be a security benefit. One way to look at it is that everything can be cracked, it is just a matter of time. By adding delays, one is increasing the amount of time it takes to break the security. You want the time it takes to crack to be longer than the time the item needs to be secure.

In the case of fingerprints, the fingerprint gets turned into a number. Numbers can be brute-forced.

Stephen Spencer
  • 1,042
  • 8
  • 8
  • This doesn't really explain the attack this prevents. How do you brute force a fingerprint lock? Although you gave enough clues that I think I have some idea. – ColBeseder May 20 '16 at 08:58
  • 1
    We can agree that the security benefit to having a lock-out is the increase in time it takes to brute force entry. Can a fingerprint sensor be brute-forced? Yes. There are plenty of examples online of various sensors being spoofed. If it can be spoofed, it can be automated. If it can be automated, it can be brute-forced. It may not be as easy or convienent as passwords, but It can be done. Where can I get millions of fingerprints to try? The OPM hack had a couple of million to try out. Question behind the question: Will *my* phone be brute-forced? Probably not. – Stephen Spencer May 20 '16 at 15:05