How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Re: The current UNsecurity situation is a farce

"Another day another vulnerability 'that was considered impossible'... We need the 'Monty-Python' boys back to highlight the insanity of the path we're treading and bring realization to a deaf 'Tech Industry' and dumb 'Political / Regulatory' structure:"

Biometrics are for usernames only, and even that's a security risk. If you can't change it at will, it's not a password.

Re: Best feature of the sensor

Thieves are stupid, they probably still will steal your eyes. Yet another problem of biometry.

Patterns are pretty good for basic security and passphrased-based mnemonics can be used in a keychain for authorisations. But not using your phone for financial stuff is advisable anyway.

"And yes, I know plenty of people with memories that bad, which is why they can only go to brick-and-mortar branches and use cards that don't require PINs."

If I draw money over the counter at my Barclays branch - the teller always passes me a PinSentry device and expects me to use my ATM card and pin code to authorise the transaction.

Using biometrics requires you also set up a PIN which is used to unlock the phone for the first time after the phone is restarted, to perform certain setting changes and as a back up to the biometrics.

Re: Three pillars of identity

Actually that "Something you are" part is very bad, as in reality you want to give up your security in certain situations, i.e. when you face actual danger to yourself. It's much easier to give someone your password than having your finger cut off, or your eye removed. Stupid attackers may do that.

To any smart attacker, Biometrics is not a hurdle at all, particually the stupid things like scanning irises.

Re: Three pillars of identity

So what happens when you have a terrible memory (meaning there's little you know) and you tend to travel with little and keep losing things (meaning there's little you have) and you STILL need a strong identity?

Re: Three pillars of identity

No, just forget biometrics. I said from the start it was just a Hollywood trope and doomed.

Anything that can't be changed is no use for security.

Also people believe computers, so you only have to hack in a desired biometric. It's worse than a password or dongle BECAUSE the real person can't easily change it without fake skin or contact lenses etc.

Re: Three pillars of identity

- Something you have (a piece of hardware)

- Something you are (Biometrics)

Those two are (mostly[1]) functionally identical.

[1] Yes, yes - I know you can't change your fingerprints[2] like you can a 2FA device..

[2] If you have them. EldestBrother (being a chainsaw wielding manual-working tree monkey) doesn't really have any..

Re: If does not matter

Nah, everyone was expecting this as all the camera-based unlock are pretty awful.

They kind of have to be because of their speed and user intolerance of false negatives.

I assume someone has broken the face recognition as well.

Re: If does not matter

You do realise Seagate bought Samsung's hard-drive biz back in 2011 for $1.4b right...?

Re: phew

Thank you for that. You actually made me laugh out loud.

Re: phew

So glad to hear someone else has cracked this

Some decades ago (when I was young and dinosaurs lived in data centres) the Nationwide Building Society had an iris recognition trial so see if it could be used to access bank accounts. They spent quite a bit of money on the trial with the (then) state of the art optics and computing.

About half-way through the trial is was withdrawn and never mentioned again.

Re: Hardly a big deal

It is possible to have your phone stolen by someone you know.

It is possible to have your phone stolen by someone who uses some ruse to obtain a photo first.

It is possible that the information on your phone has a distinct, unique value that will tempt criminals to go to the lengths necessary.

Yes, for most people the chances of these things happening are smaller than your everyday mugger. But the point of testing things in this manner is they demonstrate how it can be done. It therefore follows that, guaranteed, some criminals will perfect a way of doing it in a practical manner in real life. So the fact remains that this method of securing devices is fundamentally flawed. As long as you make your 'key' something that is in public view, and can be copied with increasing ease, accuracy and fidelity, then your 'key' is not secure.

Re: Iris scans can be done properly

So you are proposing a system that can recognise specific irises?

The samsung one just seems to recognise that it is an iris !

This could also work with passwords - rather than just have the computer recognise that you entered some sort of random collection of letters that was probably a password

Re: Iris scans can be done properly

"This is similar to proper fingerprint scanners which should incorporate IR Doppler to detect flowing blood under the skin."

Does that also defeat the gummy fingerprint on top of someone else's finger which would have live blood flow and everything?

Re: Other Options

So what if they take your phone and then use it to make incriminating phone calls or texts in your name?