Remember the fuss about the FBI breaking into an iPhone? Well, it turns out that hacking into a phone isn’t so hard after all. You can even do it by “spoofing” someone’s fingerprint with ordinary children’s Play-Doh.
As you can see from the video above, Jason Chaikin, who runs a biometrics company called Vkansee, was able to open my iPhone 6 in a matter of minutes. All it took was a copy of my fingerprint and a little blob of Play-Doh to trick the smartphone’s TouchID technology into thinking it was me.
But it’s not just an Apple (AAPL) problem. Chaikin repeated the demonstration with two Android (GOOG) phones, unlocking a Samsung Galaxy S6 and a LG Nexus 5X. He also used the Play-Doh trick to fool the fingerprint sensor on a Microsoft Surface (MSFT) machine.
At a time of growing concern over cyber-security, these demos raise a worrisome question: Are the biometric features on our devices, which are intended to protect our privacy, actually a risk? The question is important at a time when devices contain a growing trove of information and when fingerprint-enabled phones are becoming a common means of payment.
Get Data Sheet, Fortune’s technology newsletter.
The short answer is “it depends,” both on who you are and how you use your phones. Based on interviews with security experts and device makers, fingerprints can never be more than an imperfect privacy solution.
How Vulnerable Are Our Fingerprints?
The sight of an iPhone unlocked with Play-Doh might be alarming, but consider this: Chaikin had to make a mold of my finger to do it and, most important, I agreed to help him. In the real world, this might mean that the only way cyber-scammers could get into your phone is by chopping your finger off.
But as it turns out, the Play-Doh hack is just the tip of the iceberg when it comes to spoofing fingerprints.
According to Nathaniel Couper-Noles of Neohapsis, a security firm owned by Cisco (CSCO), fingerprints are relatively easy to replicate. Law enforcement can obtain them, Sherlock Holmes-style, from desks or coffee cups and then make a mold. They can even be obtained without a physical print — Couper-Noles cited an episode at a recent security conference where hackers captured a print from a distance using a camera.
One option to address such vulnerabilities is through more fine-grained sensors, like one touted by Vkansee, which relies on higher-resolution images that are harder to spoof. The company, which says it is already working with major phone makers, insists its sensor technology is harder to fool in part because it can detect mini-sweat drops that are evidence of a real finger.
As for the device makers, they downplayed the risk posed by biometrics spoofing. In the case of Microsoft, a spokesperson cited the complexity of such attacks:
“[T]he risk of spoofing attacks on customers is extremely limited because the attacker would need to physically access the victim’s device and their face, iris or fingerprints, which requires multiple complex steps. The attacker would also need to successfully execute the attack within five attempts or the device would lock down and require a PIN to unlock.”
Meanwhile, an Apple spokesman declined to comment on the record but did point to a company security page on biometrics, describing security features of the TouchID system. These features (similar to what Microsoft offers) include a password requirement after repeat attempts along with a system meant to ensure no copy of a fingerprint remains on the phone or on Apple servers.
Neither company, however, stated that their biometric features could not be spoofed. Samsung did not offer a comment.
Don’t Depend on Biometrics
Companies are unlikely to develop sensors that can thwart sophisticated spoofers anytime soon. But that doesn’t mean it’s a bad idea for consumers to use them for everyday activities.
According to security expert Rich Mogull of Securosis, companies never intended fingerprint features like TouchID to be perfectly secure in the first place. Instead, they are designed to be “good enough” tools that will work for most people, most of the time.
“You can get around almost any biometric phones out there. I don’t get really worried when I see a new way to circumvent these devices as long as it takes a modicum of effort,” Mogull says.
Mogull explains that, even though his line of work makes him a target for hackers, he still uses TouchID most of the time. Yet in highly-sensitive situations, he’ll elect to turn the feature off and rely on his long passcode instead. He also points out that Apple recognizes the limit of fingerprint authentication, which is why it requires a passcode after 48 hours or after the phone is restarted.
For more about iPhone security, watch:
Mogull adds that some people, including many drug dealers, avoid using fingerprint sensors not only for security reasons, but for legal ones as well. While courts can compel a suspect to provide a fingerprint sample (in the same way they can require a blood test), they can’t demand someone disclose their password. This is because the law can require a physical act, but it can’t require someone to share what’s in their mind.
Ultimately, Mogull stresses the best form of security is a three-tier system described as “something you have, something you know and something you are.” Translation: 1) a token or pass code from the company; 2) a secret passcode only you know; 3) a distinct biometric quality like your fingerprint or iris.
But for ordinary people, most device owners will be just fine using their thumbprints. As for the Play-Doh hack, the only person likely to use this against you is someone you live with—and they probably know most of your secrets anyways.
