In recent days, some bloggers have been surprised to find an interesting security flaw in the Samsung Galaxy S8's facial recognition technology. If you tried unlocking the S8 using a selfie, the device wouldn't be able to recognize the user's face and open it, would it? We contacted Samsung with this same question, and here's what they had to say about it.
Reviewing the official launch video of the new Galaxy, at exactly 25 minutes in, the Senior Vice President of Product Strategy for Samsung, Justin Denison, presented the new security options on their devices. Three features were highlighted as biometric authentication methods: an iris scanner, a fingerprint reader and facial recognition. During this part, he produced one of the best quotes of the whole presentation: “It isn’t just entering a password, you are the password!”
And it's error-free, in theory. Facial recognition is a quick and easy way of locking and unlocking your smartphone, so Denison considered this to be a convenient feature. In fact, as he was talking, the words “Instant Access” popped up on the screen in the background. At that moment in time, you might have thought facial recognition was the best feature you could have to protect your smartphone: easy, fast and safe. After all, “you are the password.”
The reality is somewhat different. Anyone using a photo of the device's registered user's face could unlock the phone in a couple of seconds, and without any failures. In the video below you can see just how easy it is to unlock a Galaxy S8 in 20 seconds using a static image:
Official statement from Samsung Europe
After watching this video several times over the weekend, I decided to get in contact with Samsung to find out how it could be possible to unlock a device using just the owner’s photo. Here is their official statement:
“The Galaxy S8 and the S8+ offer several levels of biometric authentication, the highest level of authentication associated with the iris and fingerprint scanner. Additionally, the Galaxy S8 offers users multiple options to unlock their devices using biometric security and convenient features such as swipe and facial recognition.
It’s important to reiterate that facial recognition, although convenient, can only be used to unlock the Galaxy S8 or the S8+ and, currently, it cannot be used to access Samsung Pay or Secure Folder.”
As you can clearly see, at no time does the manufacturer recognize that the problem is being caused by the use of a demo or beta version of the software. However, it does make it very clear that because it isn't secure enough to do so, “facial recognition can only be used to unlock the Galaxy S8 and it cannot be used to access Samsung Pay or Secure Folder.”
Just like at the Unpacked event, I was informed that facial recognition software is aimed at convenience and speed over security. This information is only shown to users when they first try to configure facial recognition as an unlocking feature on their device.
How reliable is the facial recognition on the Galaxy S8?
Let's face it - if a simple photo is enough to unlock the device, then facial recognition isn't reliable at all.
On a system level, the device scans the user and takes a photo of the user's face using the front camera. Here the camera will compare the specific details of this image with the picture of the person facing the camera, and then unlock the phone. This works much faster than any other unlocking method, as the image processing is done by the S8's powerful CPU coupled with the 8 MP camera's fast autofocus.
Facial recognition isn't a new feature for smartphones. It was first introduced in 2011 with the release of the Google Nexus 5 and Android 4.0. Due to the security problems which were associated with this feature, it was eventually removed as an option. At the time, the developers at Google were still working to optimize the feature, so users would need to blink to prove to the phone that they were physically there. In the end, they had to abandon the idea.
In all honesty, after everything that happened with the Galaxy Note 7 and Samsung's pledge to invest in better security, the decision to include this as a security option to unlock the phone, which can be cracked relatively easily, shows the manufacturer isn’t taking the market situation very seriously.
To me, Samsung’s facial recognition just seems like a tactic so it can avoid talking about why it decided to move the fingerprint reader to the back of the device - a move which has been attracting a lot of criticism.
Realistically, if you’re really looking for a convenient security feature, set up the Smart Lock instead. For the best security, use features such as the fingerprint reader, iris scanner, a PIN or a password.
Finally, I hope this option isn’t available on this device when it reaches the market on April 21.
What do you think about facial recognition as a security option? Which unlock feature do you prefer to use? Let us know in the comments below.