Facial recognition on Samsung’s new phone has already been cracked

Samsung’s last flagship phone went up in smoke, literally and figuratively.

So the company went for something a bit cooler with the Galaxy S8, and supposedly more secure – facial recognition.

The theory seems to be that if your phone can reliably recognise you via the front-facing camera as soon as you pick it up, then you don’t need to press or swipe any buttons for it to wake up and unlock.

In other words, you get frictionless convenience and security, rather than convenience at the expense of security.

Set the marketing aside, however, and many of us have mixed feelings about facial recognition – it’s one of those technological developments that is neutral in its own right, but can go either way in real life.

A bit like Google Street View, for example.

My golly, but Street View is useful when you’re trying to find your way to a business in a town you’ve never visited before…

…but it gets a bit creepy when you take a look at your own street, and realise just how much lifestyle detail it reveals to anyone who cares to look.

So too with facial recognition.

Most of us would probably approve if facial recognition helped a border agent to detect a violent criminal trying to flee from justice using a stolen passport.

On the other hand, many of us would feel uneasy if facial recognition cameras in a shopping centre were used to track us walking round to guess where we were going next and what we might want to buy.

And all of us (except the crooks themselves, of course) would be hopping mad if facial recognition claimed that we were present at a crime scene when we weren’t.

The last-mentioned problem isn’t quite what has arisen in this case, but it’s not that far off.

Show me a photo

Simply put, Samsung’s soon-to-be-released new phone, the Galaxy S8, has been touted as including facial recognition software that can help to improve security in much the same way that fingerprint scanners have in recent years.

As we said at the start, this is, in theory, a great way of combining convenience and security…

…if, indeed, the security is up to scratch.

It hasn’t been all plain sailing for fingerprints, however.

Apple’s fingerprint sensor, introduced in the iPhone 5s back in 2013, quickly succumbed to German hackers equipped with woodglue.

They took a 2D picture of a fingerprint on a glass surface, printed out what you might call a 2.5D mould on a laser printer by turning up the toner to its thickest setting, and filled up the printout with woodglue to make fake fingerprints.

With a bit of spit to make the conductivity about right, the deception fooled the iPhone.

The same trick – which was already about a decade old when applied to the iPhone 5s – worked against Samsung’s own Galaxy S5 in 2014.

Nevertheless, as a basic factor of authentication, fingerprint sensors have proved surprisingly popular and successful.

Even though you leave partial copies of them all over the place, decent-quality fingerprint images aren’t as easy to get hold of as, say…

…photos of your face.

You can probably guess where this is going.

According to reports, Samsung’s facial recognition “unlock” system can be fooled simply by putting a photo on the screen of one phone and showing it to a second phone.

Apparently, it really is that easy.

What to do?

Don’t panic. You don’t have to use facial recognition to unlock your phone, any more than you have to use your fingerprints on present-day iPhones and Androids.

And even if you do use your fingerprint (or your picture, or your iris, or any other biometric factor), you don’t have to configure things so that one factor unlocks everything, in just the same way that you don’t have to stay logged into your webmail, your Twitter or your Facebook account all the time.

After all, if you are determined to maximise convenience and minimise security, most mobile phones will still let you choose the simplest possible “swipe to unlock” option, so there is plenty of chance to do the wrong thing already.

Here’s our plain-speaking advice:

  • Don’t make it too easy to unlock your phone. Aim for the greatest amount of inconvenience you think you can tolerate, plus a bit extra. Additional complexity will be annoying for a while (for example, if you switch up to a 10- or 12-digit lock code, which means much more typing every time), but after a while it will become second nature.
  • Don’t shout at your work sysadmins if they enforce minimum levels of unlock complexity. After all, even if your phone contains a pile of juicy confidential data from work, it probably contains even more personal digital secrets from your world outside the office. So, heeding your sysadmins will not only protect your employer, your colleagues and your job, but will also protect your own online life.