The Galaxy S8’s facial scanner can, unsurprisingly, be tricked with a photo

Photo by Amelia Holowaty Krales / The Verge

Just days after Samsung unveiled the Galaxy S8’s new facial-scanning feature, someone has already successfully spoofed it. Bloggers at Marcianophone secured an S8 with their face and then tricked the phone with a selfie that was saved on another device. The S8 eventually unlocked, though it took a few seconds. Either way, you might not want to use face scanning as your primary form of phone security. Samsung has already noted that facial scanning isn’t the most secure form of authentication. Using your fingerprint, iris, or a PIN is preferable. With that in mind, it’s possible that Samsung is still working on the feature. The phones at its New York City event weren’t final products, so the company could theoretically tighten up security before shipping to the public.

iDeviceHelp put a video together showing off the spoof:


Seems like this will create a false sense of security. Hopefully they remind users of this on configuration.

@my only name change: what false sense of security? Your face is very public — anybody can take a pic of your face. Seems like this was designed to be more like a swipe-to-open than a locked door.

It is definitely a false sense of security, as it is provided as a security feature but is not very secure.

They’re introducing facial recognition as the next best thing because it is easy to fool. They don’t have to announce they’re less secure and if you decide to use it law enforcement / government agencies won’t have to deal with pins/passwords. Easy access.

I wonder if that’s why Google removed it from Android. Even adding the blink feature didn’t work too well.

Removed? I still have it on 7.1.2 on my 5X under smart lock.

That’s why I still don’t take Android (and Samsung consequently) seriously. There’s just no tightly secured biometric system in place like there is in iOS.

You realize that you can just not use the face unlock right? The fingerprint sensor is secured just as it would be on iOS… Not sure what your point is.

Android imprint is secure. Samsung taking a picture of your face is not Android’s problem…

Seems you need to read up on Android security, or just look through Security settings on any Android phone. Face unlock is a convenience feature, was never meant to be a security measure.

Did you mean to post this comment two years ago?

Google was certainly late to the table, but this has long been corrected.

I’ve had Android and iPhones. Every Android I’ve owned has noted how secure or unsecure each unlock method is. I’m assuming for Face Unlock it will warn the user that this is more of a convenience feature than security.

Fingerprint and Iris scan.

I actually hate iOS’ insistence that you have to use your fingerprint or a six digit pin every goddamn time. Especially on my iPad where I literally just use it to browse the web and it never leaves my house. I don’t need Fort Knox level biometrics but Apple insists that you can’t just turn off the pin or fingerprint now. At least other manufacturers give you the option of disabling security for low security situations.

That’s not true. At all. You can disable the passcode on iOS, and if you do, you don’t have to have a fingerprint to unlock instead.

Your face is a username, not a password.

I think just about any part of your body, fingers included, should be treated as nothing more than a username. I think a lot of people miss that. A pin is still more secure than a fingerprint.

It’s all one factor authentication. A real password is something you need to know, not something you have on you. Even if you made touch ID look for a pulse that could still be faked.

I’m surprised Apple, Google, Samsung haven’t implemented a fingerprint AND pin yet for real security.

A password is one factor as well. Also, as has been proven since the beginning of passwords, can be guessed. Not to mention anyone off the street can just glance over your shoulder while you’re entering it and have it.

Biometric authentication is significantly harder to replicate, even just a fingerprint alone. You can’t watch. You can’t brute force, you can’t go off your knowledge of the person. Adding a heart signature to the mix makes it too time consuming/difficult for 99.9% of the people who’d want to get in. You’d have to be a very important person for anyone to even bother.

Just because it’s technically possible to be spoofed, doesn’t mean it’s feasible.

Password vs fingerprint is really based on what you are trying to protect yourself against.
If somebody is robbing you and trying to steal your phone, the fingerprint is useless. They can force your hand on the sensor. If you are trying to protect against somebody using the phone you forgot at the restaurant, the fingerprint has the upper hand. It can’t be guessed. People around you can’t see you typing it in.

Your face is a username, not a password.

This might make sense if the phone supported multiple users, and when it recognized a face, it then asked for a password or fingerprint… but that isn’t how this feature works. It is a key that unlocks the phone – which makes it a password, not a username.

His point is: it’s not a real password. It’s visible to anybody, people can make a copy of it (pictures) and use it. It’s not a password. It’s as strong a password as your username is. It’s not. It’s public.

Exactly… which is why it’s such a stupid feature. It’s literally no more secure, or convenient, than having no security on your phone at all… which is why I can’t understand why Samsung is promoting this feature as heavily as they are. It was a stupid feature in 2011, and it’s even stupider now, considering how the privacy stakes have been raised since then.

Well it’s more secure than nothing. Like if you find the phone in the street you can’t unlock it if you don’t know the person for instance.

And you literally have no idea what literally means.

Um, yeah… I literally do.
