How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Best feature of the sensor

Thieves do not have to steal your eyes to authenticate.

But what if you have a terrible memory and can't remember a PIN. And yes, I know plenty of people with memories that bad, which is why they can only go to brick-and-mortar branches and use cards that don't require PINs.

Three pillars of identity

This (and all the other form of biometric & password hacks) is why security should be made of three things:

- Something you know (a passswod)

- Something you have (a piece of hardware)

- Something you are (Biometrics)

Any one on its own is not strong enough.

If does not matter

Samsung is not Apple so it will be forgotten in the same time if take for a Daily Mail headline to decay.

Unsure?

How many times to Apple haters trot out 'you are holding it wrong' a year?

You can make your own mind up but I get the feeling that this is a bit of tech that Samsung has rushed out in order to beat Cupertino to the market.

I won't touch Samsung branded kit with a bargepole. The stack of dead Samsung HDD's in my office is my reason for the boycott.

Obviously they had fun with it...

... as there also is a version of the video with commentary in the style of a popular children's show in Germany:

https://media.ccc.de/v/biometrie-s8-iris-fun

Windows Hello

My understanding is that Microsoft's "Windows Hello" (what a crap name) does a combo of iris and facial recognition. The phones suck as they can only do iris recognition so I'd imagine have the same problems as reported in this article, however the version used on their Surface range is not only significantly faster and more accurate than their mobile efforts, I don't believe it's been tricked / hacked / spoofed yet into unlocking a device without the owner being present.

I believe that the PC version of Windows Hello builds a 3D model of your face which it uses along with an iris scan. Due to the width restrictions of modern phones it's not possible to have an array of three cameras (one infrared plus two for the 3D face scan) thus crap on phones but excellent on laptops.

Personally I'm sticking to a 6 digit PIN on my phone and Windows Hello on my Surface.

Biometrics are fundamentally flawed

But there's a big business in making them seem okay: governments love them because they add to the security theatre while allowing them to fire expensive meatware, which is easier to trick but harder to deceive.

As the Veneer of Democracy Starts to Fade…

phew

So glad to hear someone else has cracked this and I can stop poking myself in the eye with gummy bears to make an imprint. It's been costing me a bomb in in optrex

Hardly a big deal

Unless the thief happens to have a picture of you in the proper light and knows this is how you unlock the phone then it's not going to help them. And theft is the biggest threat by far.

I think the biggest problem with phones & security is one of usability and defaults. Some phones have "smart lock" functionality but it's very finnicky to set up and separate from the screen lock stuff.

It needs to be redesigned and consolidated into a single screen that summarises what security is set, and the conditions that the rules apply. e.g. idle time, location, proximity to other devices. The easier it is to set up the security, the more likely people are to use it. The more people who have security enabled by default, the less reason thieves will have to steal phones.

Iris scans can be done properly

There are a few tests that can be done to distinguish a print from a real, live iris:

Fourier analysis of the image, if taken at sufficient resolution, will show frequencies corresponding to the raster of the printer. Simply check the Fourier power spectrum for such regular spikes. This does not work on old-fashioned analog photography and printing, as the grains in the emulsion are placed randomly.

The second test is to capture two images: one at a low illumination and one in brighter light. The pupil should contract, if it is a real, pupil attached in the usual way to a living brain. This is similar to proper fingerprint scanners which should incorporate IR Doppler to detect flowing blood under the skin.

In case of high security applications, these tests must be done, and also make stealing someone's eyes useless. Infra-red imaging is essential to get the iris patterns clearly. In smartphones they probably did some cost cutting, resulting in poor security.

Other Options

My phone is setup for Border Control.

Only PAYG, so if stolen, no big bill.

Four years old, and not an Apple, so not a huge target

Only used for note taking, photos, FM Radio, SMS and phone calls. Nothing important kept on it.

No PIN or lock, to allow instant calls.

I appreciate it's a special use case ^_^ and not much help for most people. I only take my real laptop to known "secure" places, otherwise I take a semi-disposable small netbook (Linux Mint + LXDE).

RFID ??

I am tired of taking the cat to the ATM.

Really, this whole nonsense is beyond belief.

Penis recognition should do it.

Although it could get problematical at the ATM.

Girls could use tonsil recognition, as they do most things with their mouths open.

Simple.

:-)

Does this mean...

Tom Cruise swapped his eyes for nothing in Minority Report?

Based on modern crime detection methods and device security if that movie would be awful if the tech involved was real.

He'd be kidnapping a server while escaping in a Tesla over a very short distance stuck in traffic on the M1 while fumbling around with printouts of eyeballs stuck to practical joke glasses frames. Naff.

What happened to blinking?

My old HTC Desire (or my Galaxy S3, I forget which) back in the day had facial recognition to unlock it as an option. An additional option required you to blink on demand to prove that you were not a static cutout.

I'm surprised something like this isn't implemented in addition to the iris check. Still not secure, but it prevents just a photo getting you in and should be trivial to (re)implement.

"selfie flash" feature as mentioned somewhere above to incite iris contraction would also be a good feature to 'prove' that it is a real eyeball, somewhat.

You can't fool Windows 10 with a supported web camera. Windows 10 [with camera] will detect for heat presence.

infrared filter switched off...

... how? It's a physical thing, a piece in the light path. You can't "switch it off". You can try removing it:

https://www.ifixit.com/Answers/View/144899/Can+IR-blocking+filter+be+removed

Another demonstration of "unique" being different to "secret"

Authentication by biometrics comes with poorer security than PIN/password-only authentication. This video explains how biomerics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Also there is an interesting discussion about this issue on Payments Journal

http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/35382/