Fingerprint security isn’t foolproof

The Samsung Galaxy S5 has a fingerprint sensor for security but is alone in letting you use that for general shopping. (Manu Fernandez/Associated Press)

BARCELONA — Samsung’s upcoming Galaxy S5 smartphone will be at least the third to have a fingerprint sensor for security, but it’s alone in letting you use that for general shopping, thanks to a partnership with PayPal. The sensor brings convenience for entering passcodes and could encourage more people to lock their phones.

But fingerprint security isn’t foolproof. Here’s what to know as you consider whether to place your trust in it:

How does it work?

The S5 has a sensor on the home button, just like Apple’s iPhone 5s. On the S5, you train the phone to recognize your finger by swiping on it seven times. You also enter a passcode as a backup, so you’re not locked out if the device doesn’t recognize your print. With an iPhone, that can happen if your hand is greasy or wet.


The phone then converts the fingerprint information into a mathematical representation, known as a hash, and stores that in a secure location on the device. Samsung says the information stays on the device and is never shared.

To unlock your phone, simply swipe on the home button. A hash is again created and must match the one the phone already has. Otherwise, the phone stays locked.

You can do this with up to three fingers on the S5, and five on the iPhone. On the S5, you must swipe down. On the iPhone, you simply hold your finger on the home button; you can do that sideways or upside down, as well.

The HTC One Max also has a fingerprint sensor, but Associated Press tests showed it to be inconsistent in recognizing prints.

What does a print do?

All three devices let you skip the passcode and unlock the phone. You can also train the HTC phone to open a particular app automatically, depending on the finger used. Apple lets you use a finger for purchases at its iTunes store, but it’s keeping the system off-limits to outside parties. Samsung lets you make PayPal payments.

If you’re at a retail store that accepts mobile payments via PayPal’s app, for instance, you can use the fingerprint instead of a password. That’s also the case with online transactions using PayPal on the phone. The hash doesn’t get sent to PayPal. Rather, the phone confirms for PayPal that the fingerprint has been verified.


Is the security top-notch?

That depends. It’s more secure than not locking your phone at all, and more secure than using a four-digit passcode. But there’s no guarantee.

Shortly after Apple started selling the 5s, a German hacking group said it managed to bypass the fingerprint system, though it’s not easily pulled off in the real world.

Security experts point out that once a finger’s compromised, you can’t replace it the way you can a passcode. Some prefer dual security — using the fingerprint with something else, such as a passcode.

Should you use it?

PayPal points out that it’s still performing the usual anti-fraud checks.

If an account is used to buy a TV in California five minutes after you buy coffee in New York, it will suspect something is up. If a phone is lost or stolen or a fingerprint compromised, you can deregister that device from future use.

Drew Blackard, at Samsung Electronics Co., says other systems have flaws, too.

It’s not bulletproof security, but it’s more secure than existing methods, he says.