Samsung's Galaxy S8 facial recognition feature defeated with digital photo
With its Galaxy S8, Samsung introduced a new device unlock feature based on facial recognition software, but it seems all it takes to bypass the low-level security layer is a photo of a registered user.
As seen in the video below, YouTuber Marcianotech was able to spend some time with the Galaxy S8 at Samsung's launch event on Thursday. After a few minutes of playing with the device, he was able to successfully defeat the handset's facial recognition function with a picture of his face (captured on another S8 no less).
It seems that Samsung's biometric security feature relies on image fingerprinting or similar methods of recognizing prominent features in a captured image. These techniques use complex algorithms to measure the size, shape and distances between a user's eyes, nose, and mouth, as well as other identifying facial features.
Since such systems use common 2D cameras, they can be defeated using 2D images. There are, however, technologies that help bolster 2D facial recognition solutions. For example, facial motion capture might be applied to detect whether or not a target face is moving, bettering the chances that received imagery depicts a live human face rather than a photo or video.
In any case, it appears the facial recognition software built into Samsung's S8 and S8+ does not incorporate safeguards beyond industry-standard 2D image fingerprinting.
For its part, Samsung in a statement to ArsTechnica said its new facial recognition feature only controls device unlocking and is not applied to more sensitive tasks like mobile payments or accessing the handset's Secure Folder.
"The Galaxy S8 provides various levels of biometric authentication, with the highest level of authentication from the iris scanner and fingerprint reader. In addition, the Galaxy S8 provides users with multiple options to unlock their phones through both biometric security options, and convenient options such as swipe and facial recognition. It is important to reiterate that facial recognition, while convenient, can only be used for opening your Galaxy S8 and currently cannot be used to authenticate access to Samsung Pay or Secure Folder."
Still, with Samsung marketing facial recognition as a security feature, users could be expecting a bit more from the new functionality.
Perhaps not coincidentally, Apple is also rumored to debut some form of facial recognition technology in its upcoming "iPhone 8" smartphone later this year. According to KGI analyst Ming-Chi Kuo, Apple's version is believed to integrate specialized IR transmitters and receivers to accomplish enhanced 3D sensing and modeling capabilities, or depth mapping. The system should provide a more accurate representation of a user's face as compared to conventional 2D systems.
As AppleInsider explained earlier this month, however, it is unlikely that Apple intends to replace existing Touch ID fingerprint authentication with a face-based biometric solution. Because face-based technology is still being refined, Apple's rumored facial recognition system will likely power ancillary, opt-in functionality, while Touch ID handles critical tasks. At least in the near term.