Does Samsung Galaxy S8 bungle biometrics with insecure facial recognition?
On the Galaxy S8 and S8+, Samsung included not one, not two, but three biometric ways to unlock your phone: the fingerprint sensor, iris scanner and face recognition. Of these, Samsung touted the latter – face recognition – as a faster and more convenient alternative to iris scanning. What did it fail to mention? How easy it is to trick.
According to reports in the Korea Herald and a livestream from the launch event (via 9to5Google), the S8 and S8+'s facial recognition function can be tricked with the face of a sleeping person or even just a photo: a Periscope user at the NYC launch published a video showing the S8 being unlocked with his picture displayed on another phone. So at least based on demo models from the event, it appears the facial recognition mechanism can be bypassed by anyone with easily obtained means and the desire to do so.
This apparent lack of security may come as a surprise to those with previous experience with the facial recognition features made possible with Windows Hello and devices like the Microsoft Surface Book. In those applications, facial recognition can't even be bypassed by identical twins; the Windows method uses near infrared imaging and a four-step software algorithm to curb errors. It sounds like Samsung took a more rudimentary and less secure approach.
However, for those who remember Android's Face Unlock feature, these problems sound familiar. The Face Unlock option was introduced with Android 4.0 back in 2011, and was found to have similar issues as those reported with the new Samsung devices. Incremental improvements have been made since then, but the current "Trusted Face" option in Android Nougat's Smart Lock feature is billed as a convenience rather than a protective measure: "This facial recognition is less secure than a PIN, pattern, or password," cautions Google.
Security-minded consumers may be scratching their heads as to why Samsung allowed these concessions. Biometrics expert Samir Nanavati, author of the book Biometrics: Identity Verification in a Networked World, provides some insight. For one, there's a trade-off between lightning-quick convenience and security against false submissions. "How many anti-spoofing capabilities do you want to put in? When you put in more security measures, you run into other risks. It takes more time, more processing power, and it increases the likelihood of more false rejections."
So, in general, the more security measures are implemented, the less convenient it will be for the end user. But in the world of mobile technology, convenience is a key driving force behind consumer demand. In recent years, Nanavati explains, biometric measures like fingerprint sensors have become exceedingly fast – because that's what makes the public want them. "When a feature set becomes something that the public really wants, then more money can go into the actual security and performance of the feature." Presumably, after the promise of unrivaled convenience drives sales, "time, money and development efforts can go into improving it."
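As an added illustration (not from the article, Samsung, or Nanavati), the following models a face matcher as a single acceptance threshold over constructed similarity scores and shows the trade-off described above: the only way to stop a photo of the owner from unlocking the device is to raise the threshold, which immediately starts rejecting the real owner.

```python
from dataclasses import dataclass

# Constructed similarity scores in [0, 1] (higher = closer match to the enrolled
# face). These are illustrative numbers, not measurements from any device.
GENUINE = [0.93, 0.90, 0.88, 0.86, 0.84, 0.81, 0.79, 0.76, 0.72, 0.70]      # live owner
PHOTO_SPOOF = [0.85, 0.82, 0.80, 0.77, 0.74, 0.71, 0.66, 0.60, 0.55, 0.50]  # owner's photo on a screen
IMPOSTOR = [0.45, 0.40, 0.38, 0.35, 0.30, 0.28, 0.25, 0.20, 0.15, 0.10]     # unrelated faces


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    frr: float           # false rejection rate: genuine attempts turned away
    far_photo: float     # false acceptance rate against photo spoofs
    far_impostor: float  # false acceptance rate against unrelated faces


def error_rates(threshold, genuine=GENUINE, spoof=PHOTO_SPOOF, impostor=IMPOSTOR):
    """Unlock iff score >= threshold; count the errors each population suffers."""
    accepted = lambda s: s >= threshold
    frr = sum(not accepted(s) for s in genuine) / len(genuine)
    far_photo = sum(accepted(s) for s in spoof) / len(spoof)
    far_impostor = sum(accepted(s) for s in impostor) / len(impostor)
    return ErrorRates(threshold, frr, far_photo, far_impostor)


def most_lenient_threshold_blocking_photos(candidates=None):
    """Lowest threshold (least inconvenient) at which no photo spoof is accepted."""
    if candidates is None:
        candidates = sorted(set(GENUINE + PHOTO_SPOOF + IMPOSTOR))
    for t in candidates:  # ascending, so the first hit is the most lenient that works
        rates = error_rates(t)
        if rates.far_photo == 0.0:
            return rates
    return None


if __name__ == "__main__":
    for t in (0.70, 0.80, 0.86):
        r = error_rates(t)
        print(f"threshold {t:.2f}: FRR={r.frr:.1f} "
              f"FAR(photo)={r.far_photo:.1f} FAR(impostor)={r.far_impostor:.1f}")
    best = most_lenient_threshold_blocking_photos()
    print(f"photos blocked from threshold {best.threshold:.2f}, costing FRR={best.frr:.1f}")
```

With these constructed scores, the convenient setting (0.70) never rejects the owner but accepts 60% of photo attempts, while the first setting that blocks every photo (0.86) rejects the owner 60% of the time.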
If this is Samsung's strategy, it could prove to be a divisive one. After all, it has effectively cluttered its gorgeous S8 series with three imperfect biometric tools. Apart from face recognition, its iris scanning is harder to spoof, but it is slower to use (though the experience has improved since our first encounter with it on the Note 7) and requires holding the phone at a precise angle. The fingerprint sensor, although relatively secure as well, has been moved to a less convenient location: Instead of being embedded in the home button, as with previous Galaxy devices, it's been placed off-center on the back of the phone.
We don't criticize Samsung for offering options, but it seems to be willfully oblique about the deficiencies of each. At its launch event and in marketing materials, face recognition is touted as a major convenience, in the same breath as security – and that's after making Note 7-fueled promises that customer safety (which goes hand-in-hand with security) is one of its utmost priorities. Since facial recognition can't be used for Samsung Pay, it appears the company is aware of its insufficiencies, but chooses to gloss over them.
Nor do we see the real value in three different options that, in our view, fail to improve over a lightning-quick front-mounted fingerprint sensor. The biometric approach on the S8 series seems to be another example of high-end phone features that don't translate into an improved user experience. If you want to avoid getting price-gouged for flashy features like these, it might make sense to avoid a premium flagship altogether.
Of course, there are other selling points and features on the Galaxy S8 and S8+, such as a striking display, impressive internals and an all-new virtual assistant. We're certainly not condemning the phones entirely before performing a full-length review.
In addition, it's not impossible that facial recognition could be fine-tuned before the official April 21 release date. We're not sure if the shortcomings in the demo units are due to hardware, software or both, but Nanavati points out that "in a consumer-based transactional system, where only a few users are on the system, it's less likely you'll run into hardware insufficiencies." It's more likely that the problems are software-based, and software can be continually refined.
Nevertheless, it's wise to keep a discerning eye on heavily-marketed "innovations" like facial recognition – they're not always what they seem.