If a fingerprint scanner were a human it would probably be like this:
- take a photo of the finger presented for authentication
- check it against the original photo to determine if it's the same.
This would lead to the problem that the process has a copy of the scanned finger and anyone stealing this then owns/pwns a 'password' of mine that I can never change. Obviously they may have other challenges in using that password, but they have it nonetheless, so if an opportunity arises they can use it.
I've stayed away from using my fingerprint scanner on my phone (FWIW Moto G5s) because I'm not sure whether it's a risk like the above.
Is the data that real phone fingerprint scanners generate and store for comparison something that can be stolen? Or is it something that's always going to be unique to that device - e.g. is it salted or such?
And if it is sensitive, do apps that use the scanner have access to it, or would that normally be left to the phone's OS (Android in this case) and an app just gets back an un/authenticated response?
Asking because I'm trying to answer:
- Does my phone have a stealable copy of my unchangeable fingerprint on it (e.g. an attacker steals the device and could get access to my fingerprint, or to some data that would be enough to present as my fingerprint)?
- Does my phone's OS have a stealable copy? I ask this because I'm wondering whether that means I'm trusting it to Google / Apple etc.
- Do my phone's apps have access to that? (Obviously this vastly increases the vulnerability area if so.)
I've looked online and I understand that scanners don't usually store a photographic scan, but rather some key things that can identify unique properties. But if those unique properties are ... unique ... then couldn't they be stealable too?