it really is frustrating. holding out optimism for future face rec that works on devices people actually have. been bangin on zoomlogin for a few days and so far so good.
 
Well... I'm going to assume you're familiar with how to run the search functions on YouTube & Google??

There are videos of people unlocking Android phones using the INCREDIBLY insecure "Face Unlock", year after year after year.
The tech has NOT been "fixed" since it came out, soooooo it doesn't really matter which of these videos you watch now, does it??
The topic seems to have gotten so played out & boring that there's a drop off of people bragging about this exploit, right around the 2014 timeframe; but a teeny bit deeper digging finds more videos of people still showing how it still doesn't work.
Don't you think if they had overcome this hurdle; Google would have announced at an I/O their "improved security face unlock tech"?

HAPPY HUNTING!!!

It's 2017....that's all I can say. Feel free to google something from this year as evidence. I'm not the one trying to prove a point.
 
Wow, that's something that I was not expecting. I will say that the S8 has some really nice features but if the security is that weak, no thank you
I have not educated myself how Android and OEMs secure the fingerprint or any other security feature on the phone hardware. I know iPhone has the 'Secure Enclave', which is walled from the rest of the hardware. How do Android OEMs deal with security, and what in Android OS keeps it secure regardless of the hardware?
 
So Samsung put the fingerprint scanner on the back so that people will use more of unsecured facial recognition feature. Makes sense to me.

B.S article. You cannot bypass Touch ID by just using cat's paw. Obviously they were previously registered in Touch ID first. Article made it sound like Touch ID was compromised without registering.
 
What's going on is not big news for Samsung or Apple, but is important in understanding what "security" is beginning to mean. Samsung is using face *recognition*. That is not authentication. It is a very low level of security and is being used here simply for convenience. Whether you choose fingerprint, face, pattern or retina is up to the user. The first three - and passwords - are clearly not that secure.

But, actual biometric face *authentication* that determines "liveness" is what's next; meaning the person's image (face, but also retina or fingerprint) is the right one, but also they are actually alive, critical to providing what we all think of as real security. One product out there (zoomlogin.com) that looks like it's focused on liveness for security for mobile authentication and does actually verify liveness.

Physical hacks don't happen that often, and that "hacker" probably would know you. Most single account hacks come from DB hacks where the bad guys scoop up vast amounts of user info and go for it. This liveness approach and adherence to some new security benchmarks (see FIDO) will give us what we want, instead of yet another convenience.
I have not educated myself how Android and OEMs secure the fingerprint or any other security feature on the phone hardware. I know iPhone has the 'Secure Enclave', which is walled from the rest of the hardware. How do Android OEMs deal with security, and what in Android OS keeps it secure regardless of the hardware?

See FIDO certification for a look at how this is handled on Android devices. But, the problem with images - of a face, iris or fingerprint - is they can be spoofed. All of them. What's missing is liveness: is the authorized user actually at the controls at the time of the entry request. That makes all the difference.
 
So Samsung put the fingerprint scanner on the back so that people will use more of unsecured facial recognition feature. Makes sense to me.

B.S article. You cannot bypass Touch ID by just using cat's paw. Obviously they were previously registered in Touch ID first. Article made it sound like Touch ID was compromised without registering.
It's exactly the same as in the S8 the guy registered his face before and then used his picture and the phone recognized the face with the picture.
 
It's 2017....that's all I can say. Feel free to google something from this year as evidence. I'm not the one trying to prove a point.

You actually ARE the one w/ a point to prove!

Video evidence exists in 2017 of an S8 face unlock getting bypassed by photo! We all believe it.
YOU are the one that claims it must be a fake; yet for reasons perhaps you'd like to explain... neither Samsung, nor Google have stepped forward & denounced this, as they CLEARLY would if it were a fake.
The exploit goes back to 2011... there is a flurry of videos around then of it not working.
Then, for the most part, people lost interest around 2014. However, this hack did NOT stop working in 2014! Around that time Android Face Unlock was rebranded Trusted Face; feel free to Google up that along with "bypassed with photo" or the like, to see that it was still broken at that time!
Now, obviously- the web moves on, people aren't eagerly video taping & posting the exact same exploit videos.
However, there is a good Wired article from August of 2016 (I hope that's recent enough for you!! Or do you feel like Trusted Face was secretly patched since then, completely sans fanfare, announcement, or even minor blurb from Google about this hypothetical accomplishment?) clearly outlining how it was bypassed with Facebook photos!

Sooooo.... the ball is actually in YOUR court!
If Face Unlock/Trusted Face CANNOT be broken w/ a photo.... please post a comment from a Google engineer stating that. Surely there must be at least a SINGLE brag somewhere on the nets if what you're claiming is true, yeah?
I won't hold my breath.
Because it OBVIOUSLY is still able to be bypassed with a photo & for whatever reason: you're being weird & stubborn and refusing to believe that some technologies are secure, while others aren't.
This is one that is NOT secure.
So far, it looks like only Microsoft has built a solution leveraging additional hardware (such as dual cameras) that go far toward securing this piece of tech.
Stay tuned! I believe the 2017 iPhone will also have dual front cameras & be MUCH more secure in its version of Trusted Face.
 
Actually Tycho24,

you seem to be the one confused:

Samsung themselves outright say in their product release and brochure that Face Unlock is not a secure method of securing your device and it should only be used by those who aren't looking for enhanced security. Samsung even goes as far as to prevent you from using face unlock for the items that require real security, such as KNOX and Samsung Pay.

it seems like right now it's you on some vendetta to prove that Samsung is terrible for including this feature, even though they themselves have outright said this is NOT a real security method.
 
Here



The same situation as the S8 it was first set up with a face and then unlocked with the same face.

Um. That's not 'bypassed'. No one can take my phone and unlock it with their nipple.

What's going on with the S8 is entirely different. If I've ever taken a picture of your face, or can find a pic of your face via Facebook, google, etc, then I can take your phone and unlock it with that pic? That's ridiculously, hilariously weak security.
 
It's exactly the same as in the S8 the guy registered his face before and then used his picture and the phone recognized the face with the picture.

This is different. Anyone can unlock S8 with facial recognition if someone has your photos. Unless people have your nipple how would you bypass Touch ID? Do you understand the logic?
Um. That's not 'bypassed'. No one can take my phone and unlock it with their nipple.

What's going on with the S8 is entirely different. If I've ever taken a picture of your face, or can find a pic of your face via Facebook, google, etc, then I can take your phone and unlock it with that pic? That's ridiculously, hilariously weak security.

Finally someone gets the flaw with facial recognition.
 
Actually Tycho24,

you seem to be the one confused:

Samsung themselves outright say in their product release and brochure that Face Unlock is not a secure method of securing your device and it should only be used by those who aren't looking for enhanced security. Samsung even goes as far as to prevent you from using face unlock for the items that require real security, such as KNOX and Samsung Pay.

it seems like right now it's you on some vendetta to prove that Samsung is terrible for including this feature, even though they themselves have outright said this is NOT a real security method.


Oh ok -- then if they don't want people to "use" this feature for security then I guess I have two very kinda important questions for you.

1) Then why o why move the fingerprint scanner on the back bc you and me both know that alone will make people use the facial feature. Duh!

2) Then you must agree that SameSong only featured the facial recognition feature just as a cheap gimmick to con the public believing they beat Apple to the punch, right? Right.

if this catches fire in the media, and Apple does in earnest release a facial recognition feature included in one or all of the next iPhones, I think YOU and I can clearly say that the Touch ID will NOT be moved to the back of the iPhone L O L.

Perception is everything my friend. 99.9% of the public will PERCEIVE the facial feature of the SameSong phone as a security feature. That's just normal human ignorance. Frankly, I feel for the numbnuts that will fall for this gimmick and be stuck with turning their phones over and over and over again?

Dude -- SAY IT -- the fingerprint scan on the BACK of the SameSong phone is LAME,

Period.
 
Oh ok -- then if they don't want people to "use" this feature for security then I guess I have two very kinda important questions for you.

1) Then why o why move the fingerprint scanner on the back bc you and me both know that alone will make people use the facial feature. Duh!

2) Then you must agree that SameSong only featured the facial recognition feature just as a cheap gimmick to con the public believing they beat Apple to the punch, right? Right.

if this catches fire in the media, and Apple does in earnest release a facial recognition feature included in one or all of the next iPhones, I think YOU and I can clearly say that the Touch ID will NOT be moved to the back of the iPhone L O L.

Perception is everything my friend. 99.9% of the public will PERCEIVE the facial feature of the SameSong phone as a security feature. That's just normal human ignorance. Frankly, I feel for the numbnuts that will fall for this gimmick and be stuck with turning their phones over and over and over again?

Dude -- SAY IT -- the fingerprint scan on the BACK of the SameSong phone is LAME,

Period.
Don't use "Duh" to think you've proven a point that you have not:

1) The move of fingerprint sensor to the back has two reasons. 1, Samsung was attempting to put it under the glass of the front, but apparently were unable to do so under the constraints to release the device according to schedule, this forced them to change its location, since the front of the phone no longer has space for it. It was moved to the back because this is the most logical place for it if you cannot have it on the front. Though, the location is terrible.

And if it was an attempt by Samsung to convince users to use other biometrics, it would be the Iris scanner that they wish you to use. Which is far more robust than fingerprint sensor. Now, so you don't get confused, the Iris sensor is NOT facial recognition and uses IR based camera system for proper biometrics. Samsung wants you using THIS technology. The Face unlock feature is a convenience feature only, and has been in many versions of Android since 4.0. And each implementation, even by Android has said the same thing. Face Unlock is a convenience feature only intended for non-secure unlocking. At no point is Samsung attempting to tell you that Face Unlock is secure.

2) First, the fact you're using ad hominem name calling "Samesung" indicates you've got your own agenda here and aren't actually coming at this from a logical and unbiased viewpoint. Just because you call something a "gimmick" doesn't mean it's not a useful feature to other people. The Samsung face unlock is also entirely optional. Nobody has to use it. So what is the harm at including optional features? Don't want to use them? Don't. No harm. Want to use it? Great it's there for you to use.

I don't disagree with your perception. However, part of the problem with perception is you (and others repeating the same thing you're currently repeating). Samsung has outright said this is not a security feature, yet you, and many others like Tycho24, have repeated over and over again how crappy a security feature it is. And I'm sure you haven't had problems telling others how bad Samsung's security is, despite the fact that this is NOT a security feature and not advertised as one. This is what's called "FUD". Fear, Uncertainty and Doubt. And you're spreading it based on misinformation.

And I won't agree. Back fingerprint sensors aren't "Lame". I know which I prefer (Front), but a well placed back sensor does make a lot of sense and is very usable. Although, the location of Samsung's fingerprint sensor is pretty bad.
 
So Samsung put the fingerprint scanner on the back so that people will use more of unsecured facial recognition feature. Makes sense to me.

B.S article. You cannot bypass Touch ID by just using cat's paw. Obviously they were previously registered in Touch ID first. Article made it sound like Touch ID was compromised without registering.
Samsung put the fingerprint sensor on the back because they couldn't put it on the front with the bezeless display. They haven't yet been able to perfect the fingerprint sensor within the display.
 
I have not educated myself how Android and OEMs secure the fingerprint or any other security feature on the phone hardware. I know iPhone has the 'Secure Enclave', which is walled from the rest of the hardware. How do Android OEMs deal with security, and what in Android OS keeps it secure regardless of the hardware?


https://blog.elcomsoft.com/2016/06/fingerprint-unlock-security-ios-vs-google-android-part-ii/

That's a good look at the differences; thorough, but still in basically layman terms...
The table is particularly nice.
 
Don't use "Duh" to think you've proven a point that you have not:

1) The move of fingerprint sensor to the back has two reasons. 1, Samsung was attempting to put it under the glass of the front, but apparently were unable to do so under the constraints to release the device according to schedule, this forced them to change its location, since the front of the phone no longer has space for it. It was moved to the back because this is the most logical place for it if you cannot have it on the front. Though, the location is terrible.

And if it was an attempt by Samsung to convince users to use other biometrics, it would be the Iris scanner that they wish you to use. Which is far more robust than fingerprint sensor. Now, so you don't get confused, the Iris sensor is NOT facial recognition and uses IR based camera system for proper biometrics. Samsung wants you using THIS technology. The Face unlock feature is a convenience feature only, and has been in many versions of Android since 4.0. And each implementation, even by Android has said the same thing. Face Unlock is a convenience feature only intended for non-secure unlocking. At no point is Samsung attempting to tell you that Face Unlock is secure.

2) First, the fact you're using ad hominem name calling "Samesung" indicates you've got your own agenda here and aren't actually coming at this from a logical and unbiased viewpoint. Just because you call something a "gimmick" doesn't mean it's not a useful feature to other people. The Samsung face unlock is also entirely optional. Nobody has to use it. So what is the harm at including optional features? Don't want to use them? Don't. No harm. Want to use it? Great it's there for you to use.

I don't disagree with your perception. However, part of the problem with perception is you (and others repeating the same thing you're currently repeating). Samsung has outright said this is not a security feature, yet you, and many others like Tycho24, have repeated over and over again how crappy a security feature it is. And I'm sure you haven't had problems telling others how bad Samsung's security is, despite the fact that this is NOT a security feature and not advertised as one. This is what's called "FUD". Fear, Uncertainty and Doubt. And you're spreading it based on misinformation.

And I won't agree. Back fingerprint sensors aren't "Lame". I know which I prefer (Front), but a well placed back sensor does make a lot of sense and is very usable. Although, the location of Samsung's fingerprint sensor is pretty bad.
Apparently there wasn't any other place for it as the rest of the space is taken up with the other components of the phone
 
Actually Tycho24,

you seem to be the one confused:

Samsung themselves outright say in their product release and brochure that Face Unlock is not a secure method of securing your device and it should only be used by those who aren't looking for enhanced security. Samsung even goes as far as to prevent you from using face unlock for the items that require real security, such as KNOX and Samsung Pay.

it seems like right now it's you on some vendetta to prove that Samsung is terrible for including this feature, even though they themselves have outright said this is NOT a real security method.

I apologize that was your mistaken impression!
YOU actually seem to have a firm grasp on the situation of Samsung's insecure face unlock situation & their awareness of it. I applaud you for it!
I get that it is in NO WAY Samsung's "fault" this isn't as secure as fingerprints; it's my understanding that this is built into Android by Google, (who ALSO are not misrepresenting its security in any way!) & has quite little to do w/ Samsung, whatsoever.

To be EXTREMELY clear:
What I am railing against is people on this board essentially throwing childish fits and saying the equivalent of "Nuh uh, nuh uh, nuh uh! Is not insecure! Is not, is not, is not! That's a scam. That's a fake. That poster was attention seeking. Samsung was running demo software that made it SEEM insecure; but it's actually secure!", etc.
I am NOT taking Samsung to task here.
At most, I think it's unfortunate that the two much more secure unlock features (fingerprint & iris) have issues of their own, but only one of those is Samsung's "fault" (due to design decision). That would be the awkward placement of the fingerprint scanner. Other than that, I believe iris scanning is just a bit slow, currently... NOTHING to do w/ Samsung; and, (as you have said... & I have said; but MANY here unfathomably disagree with) Face Unlock is barely secure on Android as a whole; not only on a Samsung phone.

Would you agree with me then that it's preposterous to partake in all these conspiracy theories of "is it demo software or not??", etc?
It sounds like you are with me 100% in wanting people to understand: "Guys... that's just not secure! Say what you want... it just isn't yet. There are myriad other solutions (i.e. fingerprint or iris scanning); while they may not be super handy on the S8; they're there.".
 
I apologize that was your mistaken impression!
YOU actually seem to have a firm grasp on the situation of Samsung's insecure face unlock situation & their awareness of it. I applaud you for it!
I get that it is in NO WAY Samsung's "fault" this isn't as secure as fingerprints; it's my understanding that this is built into Android by Google, (who ALSO are not misrepresenting its security in any way!) & has quite little to do w/ Samsung, whatsoever.

To be EXTREMELY clear:
What I am railing against is people on this board essentially throwing childish fits and saying the equivalent of "Nuh uh, nuh uh, nuh uh! Is not insecure! Is not, is not, is not! That's a scam. That's a fake. That poster was attention seeking. Samsung was running demo software that made it SEEM insecure; but it's actually secure!", etc.
I am NOT taking Samsung to task here.
At most, I think it's unfortunate that the two much more secure unlock features (fingerprint & iris) have issues of their own, but only one of those is Samsung's "fault" (due to design decision). That would be the awkward placement of the fingerprint scanner. Other than that, I believe iris scanning is just a bit slow, currently... NOTHING to do w/ Samsung; and, (as you have said... & I have said; but MANY here unfathomably disagree with) Face Unlock is barely secure on Android as a whole; not only on a Samsung phone.

Would you agree with me then that it's preposterous to partake in all these conspiracy theories of "is it demo software or not??", etc?
It sounds like you are with me 100% in wanting people to understand: "Guys... that's just not secure! Say what you want... it just isn't yet. There are myriad other solutions (i.e. fingerprint or iris scanning); while they may not be super handy on the S8; they're there.".

yes, Ultimately, this thread is so funny from both groups of "fans" who are trying to control the narrative.

the only thing that matters here:

Samsung / Android have included a feature to unlock your phone with your face.

Samsung and Android both outright say this is NOT a security method, But a usability feature for fast unlocking in an insecure way. (They state this right in the product description and when you turn on the feature)


The important thing, no matter what almost anyone in this thread is arguing. no matter what goal post they think they're shooting for.

NO SIMPLE PHOTOGRAPH BASED FACE UNLOCK IS SECURE. no matter if it's Apple, Android, Samsung or 3rd party. Any "Face unlock" that does not use advanced biometrics scanning, such as fingerprint, or IR based, is insecure.

I've recently tried 3rd party face unlock software that works on both Android and iOS. And both Android and iOS cameras were more than capable of being fooled by a photo.
 
You actually ARE the one w/ a point to prove!

Video evidence exists in 2017 of an S8 face unlock getting bypassed by photo! We all believe it.
YOU are the one that claims it must be a fake; yet for reasons perhaps you'd like to explain... neither Samsung, nor Google have stepped forward & denounced this, as they CLEARLY would if it were a fake.
The exploit goes back to 2011... there is a flurry of videos around then of it not working.
Then, for the most part, people lost interest around 2014. However, this hack did NOT stop working in 2014! Around that time Android Face Unlock was rebranded Trusted Face; feel free to Google up that along with "bypassed with photo" or the like, to see that it was still broken at that time!
Now, obviously- the web moves on, people aren't eagerly video taping & posting the exact same exploit videos.
However, there is a good Wired article from August of 2016 (I hope that's recent enough for you!! Or do you feel like Trusted Face was secretly patched since then, completely sans fanfare, announcement, or even minor blurb from Google about this hypothetical accomplishment?) clearly outlining how it was bypassed with Facebook photos!

Sooooo.... the ball is actually in YOUR court!
If Face Unlock/Trusted Face CANNOT be broken w/ a photo.... please post a comment from a Google engineer stating that. Surely there must be at least a SINGLE brag somewhere on the nets if what you're claiming is true, yeah?
I won't hold my breath.
Because it OBVIOUSLY is still able to be bypassed with a photo & for whatever reason: you're being weird & stubborn and refusing to believe that some technologies are secure, while others aren't.
This is one that is NOT secure.
So far, it looks like only Microsoft has built a solution leveraging additional hardware (such as dual cameras) that go far toward securing this piece of tech.
Stay tuned! I believe the 2017 iPhone will also have dual front cameras & be MUCH more secure in its version of Trusted Face.

I'm sticking to my touchid , though only one of us is on a crusade. :)

If I were ever to get an S8 I'd turn the feature off, really not an issue.
 
Yeah. It's been reproduced for the last SIX YEARS STRAIGHT!
https://techcrunch.com/2011/11/11/android-facial-unlock-photo/
Crazy this hasn't been patched.... even crazier that a company would use this lame-ass code UNCHANGED & tout it as a "secure" unlock method.
Gimmick of the highest degree......
I'm aware it's been tricked before as it's not the first I've heard of it. I was referring to this model specifically. Regardless, it doesn't look good.
 
Bad security flaw. Especially when this :( (0.33) can unlock it.
 

Attachment: zimmerman.jpg
Ha ha, you are kidding right :)
MacRumors do publish thousands of things that are not exactly true. It is a rumor site ;)

But in this case it would have been different if it was done as an April Fools joke. It would have been a complete fabrication.
 
It was set up with a real face then unlocked with a picture of a face.

Total time to bypass/hack: 5 seconds.

How easy/how long would it take to spoof a real touch-id fingerprint? Hours with all the right equipment assuming you stole a copy of their fingerprint.
Yeah, I had absolute brain trauma when I read that post. Thanks for replying in a much kinder way than my knee jerk reaction was tempting me to be in response.
There is no reason why these have to be mutually exclusive. Why else would I buy a product from these business, if they didn't offer me some utility or enhance my life in some way?
Forgive me, but there is EVERY reason for the two to be "mutually exclusive". If technology is being offered to you under the guise of security, or some kind of personal "need", when in fact it has been created to monitor your every move - and they got you to PAY for that... can you see the irony?
 