FYI.

This story is over 5 years old.

With Ultrasonic Fingerprint Sensing, Google's Security Could Beat Apple's

Qualcomm's ultrasonic fingerprint scanners could secure Google's new Android Pay platform.
​Image: Flickr/​William Clifford

Qualcomm announced an ultrasonic fingerprint scanner for its Snapdragon chip—widely used in Android phones—this morning. The tech promises to both end the struggle of trying to get Apple's Touch ID to recognize your bare, shivering thumb in subzero temperatures and make transactions more secure on Android Pay, Google's newly announced payment platform, according to reports.

If the two technologies are meant to go hand-in-hand, it means that the race for supremacy in the device-based transaction market between Apple and Google is on, with biometric security at the center. Apple Pay is already in front after being the first phone manufacturer to include fingerprint ID tech in its devices, and the company recently solidified a partnership with the federal government to use the service for federal applications like national parks.

Advertisement

But security flaws in Apple's Touch ID have been demonstrated by hackers, and ultrasonic fingerprint scanning is considered to be more secure than the kinds of optical scanning—basically taking a close-up image of your print—that Apple uses in its Touch ID system. Better security could push Google ahead of its competition.

So, how the hell does an ultrasonic fingerprint scanner work?​

Ultrasonic scanners send ultrasonic sound frequencies—the kind that our human ears can't detect—into the fingertip and capturing the echoes with a sensor. This forms a detailed 3D image of the print's ridges and valleys at the subdermal layer, just below the immediate surface of the skin.

"Out in the field, your fingers are not primed for good, clean fingerprints," said Venu Govindaraju, director of the ​Center for Unified Biometrics and Sensors at the University of Buffalo. "Ultrasonic technology helps because it actually pierces through and gets the images of the ridges of the fingerprint under [dirt] and creates a three dimensional image that makes it more resistant to spoofing than optical sensors." In other words, ultrasonic sensing is considered to be more accurate than other methods, and hence more secure.

For some context, German hackers figured out a way to trick Apple's Touch ID within 24 hours of the iPhone 5 being released in Germany. At the time, all they had to do—and this is no doubt still complex for the average person—was to copy and spoof a user's fingerprint with a glue mock-up and put it on their own thumb before pressing it against the sensor.

Advertisement

The detailed 3D picture of the subdermal fingerprint provided by ultrasonic imaging would, ostensibly, make Qualcomm's fingerprint scanner a bit harder to fool because the spoofed print would have to be much more detailed and elaborate to mimic the micro-scale subtleties of a subdermal print in three dimensions. "If you have dirt or other things on the finger, like some kind of gummy mask, the ultrasound can actually go deeper and get you the fingerprint image," said Govindaraju.

Ultrasonic fingerprint scanning has been of interest to law enforcement and the military for decades longer than the private sector; a testament to how secure the tech is considered to be. The first ultrasonic fingerprint scanner was built in 1996 by Ultra-Scan, a Buffalo, New York-based company. Ultra-Scan's first government contract for ultrasonic tech in 2001 saw the company developing a PC-based USB ultrasonic scanner for the US Drug Enforcement Agency. John Schneider, Ultra-Scan's founder, had been working on fingerprint identification technology for the FBI since the 1970s with the Calspan Corporation, a former Cornell University offshoot.

Spoofing ultrasonic fingerprint tech will be a challenge to hackers, no doubt, but not an insurmountable one, Govindaraju explained.

"If you're willing to spend $15,000 on something, maybe you can spoof it; the bar has gone higher," said Govindaraju. "But, in general, anything can be spoofed if you invest enough into it." When it comes to obtaining financial information or intercepting transactions, however, thousands of dollars and hundreds of hours of work may be worth the trouble.​