Strong biometric security on our mobile devices is something many of us take for granted. But it appears facial recognition on some phones is not as secure as on others, including Samsung's new flagship, the Galaxy S10.
A recent study of over 100 phones with facial recognition revealed that many are easily fooled by simple workarounds.
Some LG, Sony, Huawei and cheaper Samsung devices were tricked into unlocking when a photo was held up in front of the camera. However, other devices were not fooled, including the iPhone and last year's Samsung Galaxy S9. See the full list of tested phones here.
Despite the Galaxy S9 not being fooled in the test, we're seeing several reports saying the S10 is vulnerable to the photo trick.
Samsung Galaxy S10 facial recognition is vulnerable
The Samsung Galaxy S10 has been shown to have less-than-desirable facial recognition. It has been seen to fail when someone simply holds up an image of a person (see video).
While the facial recognition flaw may appear damning, Samsung has retained a fingerprint reader in its flagship Galaxy phone, unlike the iPhone, which dropped the fingerprint reader when it changed to Face ID with the iPhone X.
Many Android phone-makers have typically included both facial recognition and fingerprint scanning.
Instead of the face unlock on the S10, websites like Android Central suggest using the in-screen fingerprint sensor. The sensor sits under the display near the bottom of the screen, as seen in the image.
Apple Face ID appears more secure
Apple has broadly made privacy a core part of its products over the past 24 months. Face ID is a central part of its push.
Face ID and Touch ID data is stored in a dedicated area of the iPhone processor named the Secure Enclave. Apple explicitly says your Face ID or Touch ID data remains solely in the Secure Enclave. It does not leave the device or go to iCloud, nor is it accessible by Apple.
Apple says there is a 1-in-a-million chance that a random person can unlock an iPhone using Face ID. Face ID is disabled if it does not recognise the user within five attempts.
Compare this to a 1-in-50,000 chance of Touch ID being randomly compromised, or 1-in-10,000 chance of a 4-digit passcode being randomly compromised.
What should you do?
Awareness is the first step in better security for mobile, and you're already working on this step.
The second is researching the history of your phone model and finding out whether it may be vulnerable like the Galaxy S10, then choosing a security method that is acceptable to you. If you're not satisfied with biometric security, passcodes can be highly secure. As with any password, length and character diversity will improve passcode strength, so aim for 9+ characters with a mix of numbers and letters.
Finally, it is also useful to be aware of how to track, lock and erase your phone in the event it is lost or stolen. Most phone makers have a software option to remotely lock or erase your phone.
Remember, security is relative. Acceptable risk is determined by you and how much value you place on the data stored in your phone. Weigh up your priorities, consider if sensitive personal, financial or work information is stored on your phone, and choose the security method you think appropriate.