When Apple first introduced Face ID on the iPhone X, many Android fans pointed out that Android phones had face unlock features first. The specifically pointed to Samsung, one of the largest manufacturers to first incorporate the feature. However, this was always an unfair assessment, and now it could put customers in danger.
Apple’s Face ID uses a system of cameras, an IR dot matrix, and an IR flood illuminator. The dot matrix is unique to each phone, created using a process that ensures it’s completely random. There are more than 30,000 dots projected on your face, ensuring that no two Face ID devices are alike.
With the two cameras and the dot matrix, Apple’s Face ID can create a 3D map of your face. It can watch your eyes for attention, and ensure that your face is, indeed, your face. It’s highly secure, unless you have an identical twin or you’re a young child with closely aged siblings, but Apple’s even working on ways for Face ID to differentiate between identical twins.
A photo can’t fool Face ID. In fact, you pretty much need a 3D printed mask with realistic skin tones and realistic eyes to trick it. Those are too complex for any hacker, and take longer to generate than the 8 hours you can unlock your phone with Face ID with.
Face Unlock on the Samsung Galaxy S10 is a bit different. It has a single camera on the S10 and S10e, and two on the S10+. However, those cameras aren’t doing clever 3D mapping of your face. They’re not using a dot matrix or an IR illuminator. They’re just looking at a photo of your face.
That’s why they can be fooled by a photo of your face.
How to Fool a Galaxy S10 with a Photo
It’s simple, take a photo of the target, hold it up to the phone, and it unlocks! This even works with Samsung’s “Faster Recognition” feature disabled. With Faster Recognition disabled, the phone uses the most accurate scan of a person’s face it can muster. As a result, it should be more secure. Instead, a simple photograph can fool it, as you can see below.
The Danger of “We Have That Too!”
When Samsung looks at Face ID on the iPhone and exclaims, “Oh, we have Face Unlock too,” they send a message to users and potential users that their technology is as secure as Apple’s. As you can see above, it’s not. If customers think their phones are secure, and they use Samsung’s Face Unlock technology, they’re putting themselves in danger. Samsung is using the fact that people trust Apple’s security features to market their own insecure features. That’s going to lead to many users putting themselves in harm’s way.
What Should You Do?
If you don’t want to use a pattern or passcode for unlocking your Samsung device, I recommend using Samsung’s ultrasonic fingerprint scanner. On the Samsung Galaxy S10 and S10+, this is inside the screen at the bottom of the display. This is far more secure than Samsung’s Face Unlock. On the S10e, an optical fingerprint sensor is located in the power button. Because it’s thinner and can’t scan your entire fingerprint, it may not be quite as secure. I don’t know how easily it can be fooled. However, ultrasonic fingerprint sensors are more secure than optical sensors, and therefore should be secure.
Of course, if security is important to you, the best thing to do is always lock your phone with a long, 10+ digit passcode.
Source: Rizwan Anwar, TechEngage