While Samsung is touting what is ostensibly a smarter version of face unlock in the Galaxy S9, it seems the system is simply faster, rather than more secure, than its earlier attempts at face-recognition …
Both the Galaxy S8 and Note 8 were quickly shown to be defeatable with photos and video. The company even tacitly admitted the security failings by not allowing face recognition to be used for its mobile wallet service, Samsung Pay.
CNET reports that the S9 appears to first try the same low-security 2D face recognition system used in earlier devices, then attempt an iris scan if that doesn’t work, and finally combine the two if neither is successful on its own. The result is that unlock is quicker and more reliable, but no more secure.
One security researcher believes Samsung was trying to match the speed, rather than security, of Apple’s Face ID.
“They want to provide some level of security but also make it easy and effective for you to get into the phone,” said Andrew Blaich, a researcher with mobile security company Lookout. “This is probably trying to play catchup with how smooth the user experience is for the iPhone.”
The security researcher who successfully defeated the iris scanner in the Galaxy S8 says he can’t even see the sport in doing it again with the S9.
Jan Krissler, a security researcher known as “Starbug” with the hacking group Computer Chaos Club, exposed the Galaxy S8’s weaknesses last May when he fooled Iris Scan with a photo and contact lens. He said his group’s not interested in trying to crack Intelligent Scan if there’s nothing new.
“There is no fun in hacking just a new release of the same system,” Krissler said in an email.
And Samsung, once again, doesn’t allow Intelligent Scan to be used with Samsung Pay, seemingly confirming its own view of the level of security offered.