Our expectations of what it takes to get into our phones have been set too high.
The Galaxy S8‘s iris scanning is quicker and more accurate than when it debuted (for a short period) on the Galaxy Note 7, saving us from using the fingerprint sensor every time we want to unlock the phone. But it doesn’t guarantee your phone can’t be accessed by an unwanted person, as the Chaos Computer Club has easily demonstrated.
The CCC shows how it could simply take a photo of a person’s eye — with up to a 200 mm lens from 15 feet away, it says — and then print it out on typical paper, cover the paper with a wet contact lens to mimic an eye and instantly gain access to the phone. With a sufficient amount of time and complete access to the phone, you could theoretically unlock any Galaxy S8 with iris scanning enabled.
Despite Samsung’s claims that iris scanning is nearly on-par with a fingerprint sensor’s security and far stronger than face recognition, this shouldn’t come as any surprise. But in the CCC’s own article on the iris scanner bypass, it links to its defeating of Apple’s TouchID fingerprint sensor years ago. It has been demonstrated numerous times that other fingerprint sensors can be bypassed with a certain level of trickery and time — so how worried should you be?
Each option you have for unlocking your phone comes with trade-offs and potential risks. For most of us out there who simply want to keep our private information locked up should our phone be lost or stolen, a fingerprint sensor or iris scanner is sufficient. It’s easy enough to use that we’ll actually keep it enabled 100% of the time, while being difficult enough to deter the most-common threats to the physical security of the device.
The average criminal looking to steal a phone isn’t printing a high-resolution image of your eye.
The average criminal or sleuth looking to steal a phone and unlock it for a quick factory reset and sale isn’t taking a high-resolution photo of our eyes and printing it out. Not only would they be far better off looking over your shoulder in public to see what your backup PIN or pattern is instead, they’d just as easily throw your stolen phone in the trash when they realize it couldn’t be unlocked and quickly resold. But the most important thing at that point is that all of your data is safe, because they weren’t going to be willing to go through the process to get a scan of your irises or fingers to unlock it.
Yes, your Galaxy S8’s iris scanner can be defeated in the right circumstances — those circumstances include a targeted attack that requires time and complete physical access to the phone. But that doesn’t mean you need to move away from iris scanning or be unnecessarily worried about the security of your data when using it.
Only roughly two-thirds of modern Android phones are using lock screen security at all — we need to get that number a lot closer to 100 percent before we start nitpicking about which security form we’re using and how easy it is to defeat.