I think it’s safe to say that many of us would have very much liked Samsung’s sexy new iris recognition feature on the new Galaxy S8 smartphone to be more than an overused movie gimmick. Sadly, like its previously defeated brethren, fingerprint and face recognition, it too has proven to be fallible, and not in a gory, Hollywood-esque fashion, but in a mundane, easy-to-implement way. The German security team Chaos Computer Club has published its methodology demonstrating the bypass, which involves the use of a camera with night-vision capabilities and a contact lens. Yes, you read that right. This $750 smartphone can be defeated by taking a picture of the owner’s face, printing out a properly sized picture of the eyes, and then placing a contact lens over the iris in the picture.
What this means for you
Unfortunately, we still don’t have the magic bullet solution for securing our mobile devices. And by “magic” I mean a method that is both easy to use and highly secure. As I’m sure you’ve personally experienced, “convenience” and “strength” are on opposite ends of the security teeter-totter. Tip too far in one direction and the other suffers. Currently the most secure method is multi-factor authentication, which requires at least two different forms of identification to unlock an account or device. At the opposite end, you have methods like Android’s Smart Lock, which can keep your phone unlocked based upon its proximity to known devices like your home WiFi or your car’s Bluetooth connection.
The safety implications of the latter are fairly obvious, but the feature can be useful once you consider the various scenarios and their inherent risks. Using Smart Lock to keep your phone unlocked while you are driving is fairly secure, and actually is a form of multi-factor authentication: it requires the presence of the phone and your running car. Having both stolen at the same time could happen, but unless you are someone who tends to forget their phone and keys in the car, it is highly unlikely. When deciding how inconvenienced you are willing to be, consider what sort of data and services a thief might have access to on your unlocked phone. A few more key presses are still more secure than biometrics at the moment.