Can Selfies Compromise Your Fingerprint Security?
Can Selfies Compromise Your Fingerprint Security?
Submitted by John Lister on Tue, 06/02/2026 - 11:45
Experts are divided about whether selfie photographs could threaten fingerprint security. The most plausible explanation is that it's theoretically possible but doesn't pose a meaningful threat to the average user.
The theory is simple: today's phone cameras have a high enough resolution that an image which has a close enough view of fingerprints could give enough detail for an "AI-assisted" tool to reconstruct the full biometric details. In turn, that could mean attackers overcoming fingerprint security.
It appears the idea took hold on a Chinese social media post which noted that the trend for making a peace sign (with the palm pointing to the camera) in a selfie gives a clear and unobstructed view of the fingertips. That quickly spread to social media sites in other languages and attracted enough attention that a Sherrif's Office in Oklahoma issued a warning to the public. (Source: ktul.com)
Real Threat or Overhyped?
Newsweek found a Microsoft worker willing to say the threat of such an attack was "real, underappreciated, and accelerating." He also noted a common criticism of biometric identification: by definition, a compromised ID can't be reset and changed in the same way as a password. (Source: newsweek.com)
However, other experts are less concerned. CBS quoted one saying only that it was theoretically possible, while another was blunter, saying "You have a better chance of being hit by a car tomorrow than this happening to you in your lifetime." (Source: cbsnews.com)
Even if the fingerprint could be replicated in sufficient detail, the big limitation is that biometric identification is almost always linked to a specific device. That means an attacker would need physical access to the victim's device rather than just being able to target somebody online.
Targeted Risks and Safety Tips
It's also extremely unclear whether, even with AI-powered tools, it's possible to extract enough detail from an image to recreate a fingerprint to the level of precision needed to count as a match on a biometric login.
The chances are that even if such an attack method is (or later becomes) viable, it would almost certainly be targeted at specific individuals. This could include people likely to have highly sensitive information on their devices, or people whose fingerprints are used to gain physical access to secure buildings.
Most of the advice experts have given following this story is more useful rather than being restricted to this threat. For example, using two factor authentication (where a password or specific location is needed to access an account as well as the fingerprint), or restricting social media image posts to be viewable by known contacts and friends only.
What's Your Opinion?
Do you buy this as a credible risk either today or in the future? Do you worry about biometric login being compromised? Will this story change anything about the way you use devices?
Rate this article:
Category:
Need Help? Ask!
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in technical support and cyber crimes with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in technical support and cyber crimes with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 25 years of excellence! Click to view our rating on the BBB.
Comments
Not likely to happen, but here's a real life scenario
I doubt very much that fingerprint theft from a selfie is likely to affect the average person, at least not in the way the headline suggests. But the broader issue - losing control of biometric or device-based access - is very real.
Here is a real-life example.
A client recently hired me to build a custom virtual machine for email after her old server, where her email had been hosted, was being shut down. As part of the process, I needed access to her Gmail account to approve a website domain transfer.
When I tried logging in from my office, Gmail immediately flagged the login as suspicious. That part worked exactly as expected. She had to approve the login from her phone using a two-digit prompt before I could get in.
Once she approved it, however, I was able to save the login as a passkey on my device.
That is where things get interesting.
A passkey is not the same thing as a password. With a password, the account is protected by a string of characters. Anyone who knows that string can attempt to log in. With a passkey, the device holds a private key, while the website holds the matching public key. The private key never gets typed in, reused, or shared the way a password does.
The client later became nervous about having given me her Gmail password, so she changed it again. That was understandable. But changing the password did not remove the passkey that had already been saved to my device. I still had access because the passkey had become an independent login method.
To revoke a passkey from a Google Account, the account owner has to go into the account security settings and explicitly remove that specific passkey or sign that device out. Changing the password does not automatically revoke existing passkeys, because passkeys do not rely on the password anymore.
That is the real lesson here.
Even if someone could somehow extract a fingerprint from a photo, the bigger obstacle is still account approval and device trust. In most cases, the account owner would still have to approve the login because it would be coming from an unfamiliar device.
But if the owner did approve it, and that login then became a trusted device or saved passkey, removing that access is much more confusing than simply changing a password. Most people know how to change a password. Far fewer know how to audit passkeys, trusted devices, active sessions, recovery methods, app permissions, and account security settings.
That is where the situation can become a living hell.
The real danger is not just that someone has access to the account. The danger is that the account owner may think changing the password was enough, when in reality the unauthorized access may still be active through a saved passkey, trusted device, active session, recovery method, or another security setting they do not know to check.
Now imagine that same email account is tied to the person's bank account, credit cards, PayPal account, business accounts, domain registrations, or password recovery options. The victim changes the Gmail password and assumes the problem is fixed, but the attacker may still be able to receive security alerts, approve logins, reset passwords, intercept recovery messages, or monitor financial activity.
At that point, the victim may believe they locked the front door, while the attacker is still inside the house with another key.
For the average person, that is much harder to understand than a stolen password. They may not know to check passkeys, trusted devices, active sessions, recovery email addresses, authentication methods, app permissions, and account activity. So they keep changing the password, but the risk remains because the real access point was never removed.
So no, I do not think most people need to panic about peace-sign selfies. But I do think people should understand that modern login systems are no longer just about passwords. Once a device is trusted, removing access can be far more obscure than people realize.
That is the nightmare scenario: someone gains access to a critical account, the victim thinks they fixed it by changing the password, and the attacker continues to have a path back in. If that account is connected to banking or financial recovery, the consequences can go from inconvenient to financially devastating very quickly.