Why Samsung’s Note 8 Face Lock May Not Be So Secure
Can the latest Samsung Galaxy Note 8 phone’s facial recognition unlocking feature be fooled by a Facebook profile photo?
That’s the seemingly unhappy result of tests done by web developer Mel Tajon and reported by Business Insider on Tuesday. We’ve asked Samsung for comment about the reported problem, which could be related to a test version of the software on the Note 8 that Tajon used. Samsung’s own software does include a disclaimer that facial recognition is “less secure than pattern, PIN or password” and that the phone could be unlocked by “someone or something” that looks like the owner.
But the trade-off between convenience and security is getting more acute on some of the latest smartphones as manufacturers seek to reclaim the space that had been devoted to fingerprint sensors. In addition to the Note 8, Apple is widely rumored to be adding the ability to use facial recognition to unlock the next iPhone as it removes the physical home button that included the fingerprint sensor.
Tajon’s hardly the first security spelunker to fool a biometric lock. Last March, some people were able to unlock a Galaxy S8 with a photo. And researchers from New York University and Michigan State University reported in April that they had found various ways to get around fingerprint sensors like those used on smartphones. Tech website The Verge even showed how a hacker could use Play-Doh to fool an Apple (AAPL) iPhone TouchID sensor. And if you go back to 2011, Google (GOOGL) added a facial unlock feature to its Android Ice Cream mobile operating system that was fooled pretty easily.
The only way to prevent such hacks is to rely on a lengthy and complicated PIN code (though even there, there are workarounds if the PIN isn’t complex enough).
That’s not a very convenient solution, especially when people look at their phones dozens of times daily. And the facial recognition software will keep out casual snoopers or anyone who doesn’t know the phone owner’s name or appearance. So it may be a trade-off most people are willing to live with.