How Do Fingerprint Biometric Authentication Mechanisms Work?
More than a hundred years ago, humanity learned how to identify individuals by their fingerprints. Today, this technology is used in nearly every other smartphone and significantly increases security compared to PIN codes. But how exactly do these scanners work? I got curious, did some research, and here’s what I found.
Types of Fingerprint Scanners
There are several different ways to capture a fingerprint image. Let’s break them down one by one.
Optical Scanners
This type of sensor works on a simple principle: there’s a photosensitive matrix (usually a CCD, like those used in many modern cameras) and several small light emitters that illuminate the surface of your finger.
The light reflects off the ridges and valleys of your fingerprint, and depending on whether the light hits a ridge or a valley, its intensity varies. The outer glass of such a scanner is thin to create the effect of total internal reflection. Because of this, light at the points where your skin touches the glass—on the ridges—is completely reflected into the photosensor.
You can observe this phenomenon with a glass of water: press your finger against one side of the glass and look from the other—you’ll clearly see your fingerprint.
However, these sensors are quite bulky, requiring a large camera and a small light emitter, so they’re rarely used. There’s another problem: light can reflect the same way from skin and other materials, making it too easy to fake a fingerprint.
Semiconductor Scanners
These scanners use semiconductors that change their properties when touched. They respond to various parameters: heat, conductivity, and pressure.
- Thermal sensors react to changes in the semiconductor’s conductivity depending on temperature. Air and skin transfer heat at different rates, so the sensors detect this and create a fingerprint image.
- Pressure sensors respond to the pressure of each tiny section of skin on the conductor’s surface, registering the difference between ridges and valleys. However, these scanners are very fragile and practically useless: any excessive pressure can break part of the sensors, rendering the scanner inoperable.
- Capacitive sensors use CMOS sensors that act as tiny capacitors, passing a small charge through the surface of your finger. Air and skin have different abilities to insulate electric current: the greater the capacitor’s capacity, the more air is between the sensor and the skin.
The last method is the most versatile: such sensors are compact and can contain up to forty thousand sensors per square centimeter. This is the type used in most Apple, Xiaomi, Samsung, and other leading mobile devices.
While these scanners are harder to fool than optical ones, it’s still possible to create a fake: not only skin has the properties these scanners rely on. However, making such a fake is much more difficult—it requires precise materials, a quality print, and a small lab.
Ultrasonic Scanners
Ultrasonic sensors use precise timing and a principle similar to sonar: an emitter sends out a high-frequency pulse, which reflects off the surface of your finger and is detected by a sensor. The signal that hits a valley travels a longer path and takes more time to return than the signal reflected from a ridge.
This allows the sensor to create a detailed image of the fingerprint pattern, taking into account not just the touch itself but also the depth of each section of skin. This makes the image even more accurate, though scanning takes longer and the device is more expensive to produce.
Besides high accuracy, ultrasonic scanners have another significant advantage: they don’t require a separate surface and can work through any dense material. This makes it possible—and relatively easy—to integrate a fingerprint scanner directly into a screen.
Smartphone manufacturers are already implementing this technology in some of the latest models: the Samsung S10 Plus, Huawei P30 Pro, OnePlus 7, and Xiaomi Mi 9 all have in-screen fingerprint scanners.
Fingerprint Analysis and Comparison
A fingerprint consists of a set of repeating patterns—shapes. Most often, analysis is based on these patterns.
Fingerprint Pattern Characteristics
Each characteristic falls into one of two groups: global, which can be seen with the naked eye, and local, which are features of each individual ridge.
- Arch, loop, and whorl are the most common global patterns. You can even look at your own finger and find them, as everyone has these features. However, they’re not unique enough for precise identification. Instead, they’re used to filter out unnecessary records in large fingerprint databases, like those used by law enforcement.
- Local features—minutiae—are much more interesting for analysis. What matters is not only what they are, but also where they are located in the image. Minutiae are simple geometric shapes that can be detected by scanning the image.
There are two types of local characteristics: ridge endings and bifurcations. You can find them on a fingerprint image, but it’s almost impossible to see them on your own finger without a magnifying glass.
Image Processing
The fingerprint image is converted to black and white, then reduced so that each ridge is only one pixel wide. After these transformations, analyzing the fingerprint becomes easier and more convenient.
The next step is to break the image into separate blocks, each three by three pixels, with a filled ridge pixel in the center. If there is exactly one or three other ridge pixels around the center, the block is considered a characteristic, and its type and coordinates are saved in memory.
If the block is a ridge ending, the ridge must enter the center but not exit. If it’s a bifurcation, one ridge enters the center and two exit—three lines meet at one point.
The data for each block, along with the type of local pattern, are stored in memory and used for comparison during authentication.
Fingerprint Comparison
To compare fingerprints, the scanner must rescan, process the image, and break it into blocks again. This allows for comparison even if the finger’s position has changed between scans.
Comparing the blocks isn’t as simple as it sounds: first, the system must compensate for any shift or rotation of the finger. This is usually done by trying different alignments (though some scanners just ignore prints that are too misaligned). Then, blocks are compared in pairs, and the program tries to find two blocks of the same type in the same place.
The proportion of such matching pairs out of the total number of characteristics serves as the algorithm’s “confidence” that the fingerprints belong to the same person. You might be surprised, but for one person, this match rate is only 45–55%.
This happens because fingerprint quality is far from perfect. Due to dirt or an imprecisely placed finger, entire sections of the image may be unavailable for analysis. Still, in most cases, even a 40% match is enough for the scanner to reliably identify a person.
Fingerprint Data Protection
What do the “fingerprints” stored in memory look like? After analysis, they become descriptions of the positions and types of blocks. These data are usually encrypted or stored in special internal memory (protected by the operating system) or in a separate chip for storing keys and passwords. Typically, AES encryption with a key length of over 128 bits is used, ensuring complete security of our biometric data. For example, in Apple devices, this key is stored in the Secure Enclave system, which is located on a separate chip. Android smartphone manufacturers solve this in different ways—often using Qualcomm’s secure execution chips (like Qualcomm Trusted Execution Environment) or ARM TrustZone.
Conclusion
As you can see, there’s nothing particularly complicated about fingerprint scanners: none of the mechanisms used here are major breakthroughs in physics or computer science. However, the convenient combination of all these small parts and algorithms into one device allows us to spend less time on things like entering passwords.