Biometrics like fingerprint readers, iris scanners, and facial recognition are either the solution to passwords’ unmanageability or a fool’s-gold technology that will compromise us all. Both and neither are true.
The forthcoming Samsung Galaxy S8 introduces facial recognition to unlock the smartphone, becoming the fourth unlock option for Samsung’s flagship device, in addition to fingerprint reading, iris scanning, and good ol’ manually entered passwords. And mere days after its introduction, someone has already fooled the Galaxy S8’s facial recognition by showing the device a picture of the person. That would be an easy way to unlock someone else’s phone without their permission. (An earlier Google facial-recognition technology in 2011’s Android 4.0 Ice Cream Sandwich had the same flaw, by the way.)
Samsung’s lax implementation doesn’t mean that facial recognition is a bad idea. As in all security matters, the question is how deep to make the security mechanism for its intended use.
Samsung knows its facial recognition is not very secure, despite marketers’ hope that you think it is. In fact, Samsung doesn’t allow use of its facial-recognition technology for its Samsung Pay service or to access online banking. But it does let you use its smartphones’ fingerprint reader or iris scanner for those; those scanners are much harder to fool because they rely on greater biometric detail than its facial-recognition implementation does.
Making passwords easier is a noble achievement
Facial recognition on the Galaxy S8 is really a user convenience (for faster password entry), not a true identity validation. That’s not a bad thing, as long as you understand that’s all it is.
The truth is most people fumble with passwords, so they don’t apply them to their phones unless forced to (such as when their employer requires a password to access corporate data over smartphones). That’s why Apple introduced its fingerprint scanner in 2013’s iPhone 5s: to ease password usage, as well as to make credit-card charges safer than using a plastic card (through Apple Pay). The fingerprint and iris scanners in subsequent Android devices have the same purposes. None is meant to provide spy-grade identity validation.
When Apple brought fingerprint reading to the iPhone 5s in 2013, people were able to fool it as well via techniques that a spy agency might use but not your routine hacker.
The issue is how much security is appropriate for the access provided. Unlocking a smartphone is a less sensitive activity than transferring money or boarding a plane. Could Samsung make S8’s facial recognition good enough to be as secure as its fingerprint scanning and iris scanning? Yes. Should it? That’s less clear.
How to amp up facial recognition’s identity accuracy
Facial recognition can be secure: British Airways is testing facial recognition at London’s Heathrow airport, for example, to replace boarding passes at the gate. That system requires travelers be scanned during security check-in with devices more capable than a smartphone camera, then does a facial scan at the gate to evaluate the match. That approach also time-limits the facial data; if you don’t go through security you won’t have a picture to be matched at the gate. And good luck using a photo to fool the cameras at the security check-in.
At a less extreme level, Microsoft uses depth perception in Windows 10’s Hello facial recognition technology for PCs, providing more assured identification than the Galaxy S8 does—for the few PCs with cameras up to the job, that is.
If Samsung’s Galaxy S8 camera added depth perception and perhaps forced a user to move his or her head, its facial recognition might be as secure as its fingerprint and iris scanning. But again the question is whether it’s worth the effort, given the other methods available on the Galaxy S8—and whether users and developers understand the difference in identity assurance across the smartphone’s biometric tools and thus don’t trust facial recognition for more than it is safe for.
It might be smarter to combine biometric methods
You hear a lot of talk about the importance of second-factor authentication, though most deployments rely on insecure, SMS-transmitted codes. Well, the biometrics in mobile devices could bring effective second-factor authentication, even when by themselves they are not sufficiently verifiable. In other words, don’t assume that each individual security mechanism has to work at the highest levels; combining multiple methods might be a better approach.
For example, a device that supports multiple biometric methods, as the Galaxy S8 does, could use several readings to confirm identity. Combining facial recognition with a fingerprint scan, or an iris scan with a fingerprint scan—or even all three—could provide much greater assurance where that matters, like access to sensitive areas in a building.
Biometrics’ big risk is off-device
The storage of biometric data on servers and cloud services scares my colleague Roger Grimes, a security consultant and InfoWorld contributor, because if those repositories are hacked, we’re screwed. In an all-digital workflow, a hacker only has to access a system and inject the biometric data directly; no system could tell whether the biometric data came from you or from a digital record.
That’s why the fingerprint reader in the iPhone, as well as the fingerprint readers and iris scanners in later Android devices, does not transmit your biometric data. Instead, it stores and verifies it in a secured chip on the device before sending your normal password to the service you’re trying to use, whether the phone-unlock feature or your banking login. That way, no one can intercept the digital bits that make up your biometric identification, and if they intercept the transmitted password, you can change that password to limit further damage. You of course can’t change your fingerprint or iris if its digital representation got compromised.
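The on-device flow described above, sketched as an added example (not code from Apple, Samsung, or the original article): a toy secured chip matches a reading locally and releases only a revocable password. The class and method names, the Hamming-distance matcher, and the sample readings are all assumptions made for illustration.

```python
import hmac

class SecureElement:
    """Toy model of the phone's secured chip; class and method names are hypothetical."""
    def __init__(self, max_bit_errors=8):
        self._template = None          # enrolled reading; no method ever returns it
        self._passwords = {}           # service name -> revocable password
        self._max_bit_errors = max_bit_errors

    def enroll(self, reading):
        self._template = bytes(reading)

    def store_password(self, service, password):
        self._passwords[service] = password

    def _matches(self, reading):
        # Two scans of one finger never agree bit for bit, so allow a small Hamming distance.
        if self._template is None or len(reading) != len(self._template):
            return False
        errors = sum(bin(a ^ b).count("1") for a, b in zip(self._template, reading))
        return errors <= self._max_bit_errors

    def release_password(self, service, reading):
        # Only the password crosses the chip boundary, and only after a local match.
        return self._passwords.get(service) if self._matches(reading) else None

class Service:
    """Remote service that only ever sees a password, never biometric data."""
    def __init__(self, password):
        self._password = password

    def change_password(self, new_password):
        self._password = new_password

    def login(self, password):
        return password is not None and hmac.compare_digest(password.encode(), self._password.encode())

def demo():
    enrolled = bytes.fromhex("a5" * 16)                  # constructed sample reading
    rescan = bytes([enrolled[0] ^ 0x07]) + enrolled[1:]  # same finger, 3 noisy bits
    stranger = bytes.fromhex("5a" * 16)                  # constructed non-matching reading
    chip, bank = SecureElement(), Service("first-password")
    chip.enroll(enrolled)
    chip.store_password("bank", "first-password")
    intercepted = chip.release_password("bank", rescan)  # the only value that leaves the device
    results = {"owner_login": bank.login(intercepted),
               "stranger_login": bank.login(chip.release_password("bank", stranger))}
    bank.change_password("second-password")              # recovery step: rotate the password
    chip.store_password("bank", "second-password")
    results["stolen_password_after_change"] = bank.login(intercepted)
    results["owner_after_change"] = bank.login(chip.release_password("bank", rescan))
    return results
```

The enrolled reading stays the same across the password change, which is the point: the revocable secret is the thing exposed to the network, not the biometric.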
Biometrics aren’t the silver bullet to identity validation, and they could undermine our security if used improperly. The key, as in all security strategies, is to figure out the right balance for what you’re trying to secure and not rely on any one method.