BrutePrint: This $15 hacking device could be your fingerprint scanner’s worst nightmare, although an attacker needs physical access for a few hours

Researchers have devised a low-cost smartphone attack that cracks the authentication fingerprint used to unlock the screen and perform other sensitive actions on a range of Android devices in as little as 45 minutes.

Dubbed BrutePrint by its creators, the attack requires an adversary to have physical control of a device when it is lost, stolen, temporarily surrendered, or unattended, for instance, while the owner is asleep. The objective: to gain the ability to perform a brute-force attack that tries huge numbers of fingerprint guesses until one is found that will unlock the device. The attack exploits vulnerabilities and weaknesses in the device SFA (smartphone fingerprint authentication).

So yes, you don’t want to leave your phone lying around, and you don’t want your fingerprint to be sitting in online databases (although normally only hashes of a fingerprint should be stored). But this does pose some really interesting possibilities for law enforcement… they can have you, your phone, and your fingerprints…

See https://arstechnica.com/information-technology/2023/05/hackers-can-brute-force-fingerprint-authentication-of-android-devices/