The Intelligent Scan security feature of the Samsung Galaxy S9 may not be as secure as it seems, as a report suggests the facial recognition technology it uses is a weaker component of the biometric-based system compared to Apple's Face ID used in the competing iPhone X.
Introduced in the Galaxy S9, Intelligent Scan is meant to use multiple biometric systems to unlock the smartphone quickly and securely. The device's facial recognition is initially used to authenticate the user, followed by the use of an iris scanner if it fails to unlock, with the results of both combined for a third check if both techniques fail.
According to CNET, while this can allow the phone to unlock in sub-optimal conditions, the system seems to be less secure than Samsung portrays, because its first check uses facial recognition on its own.
Samsung appears to have reused the Galaxy S8's facial recognition system in the S9, which uses the front camera to create a 2D map of the user's face. In the case of the Galaxy S8, security researchers were able to fool the facial recognition system using a printed photograph of the registered device user.
Apple's Face ID, by contrast, uses the TrueDepth camera array to create a 3D facial map for comparison against the version stored in the Secure Enclave. The use of a dot projector creating 30,000 reference points on the user's face makes it impossible to beat with a simple photograph, and Apple also worked to harden the system against more advanced techniques, such as creating lifelike masks.
For Samsung's system, it is reported that improvements to RGB and infrared camera technologies will help the Galaxy S9 recognize faces more successfully in harsher conditions. Samsung also claims the deep learning algorithms it uses for biometric security have been upgraded to detect spoofing attempts, such as images.
While this implementation of Intelligent Scan may be less secure than possibly intended, Samsung apparently plans to make it more secure when it is integrated with other services. Apps like Samsung Pass, its system for authenticating with websites using biometrics instead of a password, will require authentication with either the iris or a combination of both the iris and the face, not facial recognition on its own.
For more important features like Samsung Pay, facial recognition will not play a part at all. Instead, users will have to enter a PIN, scan their iris, or scan their fingerprint using the rear-mounted reader.
The continued use of 2D-based facial recognition technology despite the emergence of Apple's 3D-based Face ID hasn't gone unnoticed by analysts and security experts. GlobalData analyst Avi Greengart called facial recognition "an area where Samsung is clearly behind Apple," highlighting Apple's time and monetary investment into Face ID.
The speed the system gains by using multiple sources does get some praise from Lookout security researcher Andrew Blaich, who notes Samsung wants "to provide some level of security but also make it easy and effective for you to get into the phone." Even so, Blaich suggests "This is probably trying to play catch-up with how smooth the user experience is for the iPhone."