Video shows you can fool Samsung Galaxy S8 face unlock with a photo
But how secure is the S8’s face recognition for keeping your data from prying eyes? If this video is to be believed, not very.
In a Periscope video by Twitter user Marcianophone, the Galaxy S8’s face recognition unlock feature is shown being easily fooled by a selfie.
To recap, user Marcianophone registered his face on a Galaxy S8 at Wednesday’s Unpacked event. He then used another Galaxy S8 to snap a selfie and see if the original S8 would unlock with the photo.
Lo and behold, it worked!
Seeing the Galaxy S8 unlock with a photo is enough to make consumers worry. Still, keep in mind this is just one video, and the phones probably aren’t running final software. A Samsung spokesperson told Mashable over email that some media briefed on the phones prior to the Unpacked event (not us) had tried to use photos of themselves to bypass the face-unlock and it didn’t work. It’s definitely something we’ll have to test and verify for ourselves when we get the phones in for review.
And while the video makes a joke of the face-unlock feature, there are details we still don’t know, such as how sharp a photo needs to be in order to fool it, or whether even a low-res photo can do the trick. (In the test performed above, it’s an 8MP photo displayed on the S8’s high-res screen.)
However, this still begs the question: What’s the point of having face recognition if someone could use a photo of your face to break into your phone? Why not just turn on the iris scanner, which can’t be fooled by a photo because it’s looking for the intricate patterns in your irises that can’t be reproduced in an image?
That’s a good question, and one that I’ve been wondering about myself. The iris scanner on the S8 is even better than the one on the (now long dead) Galaxy Note 7, so I can’t fathom any reason you’d use face recognition instead. In my brief tests, using the iris scanner is just as fast.
When I previewed the phones, Samsung reps repeatedly told me face recognition is simply an alternative option to the fingerprint sensor, and they acknowledge it’s nowhere near as secure as using the fingerprint sensor or the iris scanner as a form of security. Face recognition is meant to be a more convenient way to unlock the Galaxy S8. So if you want real peace of mind, you’re going to need to use one (or both) of the other two biometric options.
One way Samsung could make the S8’s face unlock feature just a little more secure is to update it to check for blinks, just like how the face unlock feature worked in stock Android 4.1 Jelly Bean. (Weirdly enough, the feature, called Liveness Check, was removed in Android 4.4 KitKat and never returned.) A high-resolution video of your face and eyes blinking could still, theoretically, fool such a system, but how likely is anyone to have footage of that lying around?