When biometrics are implemented properly, they provide an easy-to-use security control with a reasonable level of assurance for most types of information. When they are not, they leave important data unprotected while giving a false sense of security.
Samsung's new Galaxy S10 phone is a case in point. It offers a biometric face recognition lock feature, but because Samsung implemented it with the phone's ordinary 2D front camera, with no depth or infrared sensor to verify that a live face is present, the phone can be unlocked with a photo or a video of the authorized user. In some cases, siblings of the authorized user can unlock the phone with their own mugs as well.
Doing facial recognition properly requires dedicated sensor hardware, such as the depth-sensing camera the iPhone uses for Face ID. Samsung's earlier flagships (the Note 7, Note 9 and S9 among them) shipped an infrared iris scanner, which is far harder to fool with a photograph, but Samsung dropped that hardware on the S10. The S8's face unlock has the same photo weakness, but the S8 at least offers the more secure iris scanner as an alternative.
So what to do?
- If you (or your loved ones) are using a Galaxy S8, make sure that you (or they) are using iris scanning and not facial recognition for unlocking.
- If you (or your loved ones) are using a Galaxy S10, do not rely on the facial recognition feature to secure your phone. Use the fingerprint reader instead.
- When choosing a new phone, if biometric security matters to you, make sure that facial recognition uses a dedicated depth-sensing (3D) or infrared camera with liveness detection, not the ordinary front camera.
Given the roles our mobile phones play in our work, financial, and social lives, someone gaining unauthorized access to them can have serious consequences. Vendors have a responsibility to ensure that their biometric implementations withstand attacks this simple. It is better not to offer a biometric at all than to offer a broken one that users will trust.