Unlocking the Galaxy S9 might be faster -- but that doesn't mean it's more secure.
Samsung's newest smartphones, the Galaxy S9 and S9 Plus, include a new feature the company calls Intelligent Scan. The technology combines Samsung's secure iris scanner with its less-secure facial recognition unlock technology.
When unlocking your phone, it first will scan your face. If that fails to unlock the phone, the device then will check your irises. If both fail, Intelligent Scan will try to authenticate your identity using a combination of the two. And it all happens almost instantaneously.
"Intelligent Scan adapts to your needs, combining the intelligence of iris scanning and face recognition to make it even easier for you to unlock your phone in more situations," Justin Denison, Samsung's senior vice president of product marketing, said Sunday at Samsung's Unpacked event at the Mobile World Congress show in Barcelona.
The problem is that Samsung's facial recognition technology just isn't that secure.
Samsung's introduction of a faster but less secure way of unlocking your phone underscores the notion that while we say we value privacy and protection, we probably covet convenience a lot more. Biometric identifiers have been touted as a secure option -- hackers can't steal your code, and you don't have to remember anything -- but just how secure one option is over another varies.
Samsung's facial recognition system uses a regular camera to create a 2D map of your face, contrasted with Apple's Face ID, which creates a complex 3D scan of your facial pattern. People were able to fool Samsung's technology on last year's Galaxy S8 by using photos, and Samsung itself warned the technology could "only be used for opening your Galaxy S8 and currently [could not] be used to authenticate access to Samsung Pay or Secure Folder."
That doesn't change with the Galaxy S9.
Fooling Intelligent Scan may be as easy as waving a photo at it (though we'll have to wait for someone to actually try it to know for sure).
"They want to provide some level of security but also make it easy and effective for you to get into the phone," said Andrew Blaich, a researcher with mobile security company Lookout. "This is probably trying to play catchup with how smooth the user experience is for the iPhone."
Apple's Face ID vs. Samsung's facial recognition
Samsung came out with its facial recognition unlocking option before Apple's Face ID appeared on the iPhone X, but the South Korean company's technology isn't as secure.
"This is an area where Samsung is clearly behind Apple," Global Data analyst Avi Greengart said. "Apple invested an enormous amount of money, time and effort into Face ID. Even though Samsung had a version of Face ID first, they're playing catchup."
Apple's Face ID doesn't focus on any one part of your face. Instead, the technology creates a 3D scan using an infrared camera, a depth sensor and a dot projector to map out 30,000 invisible points on your face. It creates an artificial 3D image with the scan, which means it can't be tricked with a 2D image like a printed photo.
Apple also worked with Hollywood mask makers to defend against fake faces, boasting that it'd be a one-in-a-million chance that Face ID gets tricked by a replica.
Samsung's face recognition technology, though, can be fooled by static images -- at least in the older devices already on the market.
Jan Krissler, a security researcher known as "Starbug" with the hacking group Computer Chaos Club, exposed the Galaxy S8's weaknesses last May when he fooled Iris Scan with a photo and contact lens. He said his group's not interested in trying to crack Intelligent Scan if there's nothing new.
"There is no fun in hacking just a new release of the same system," Krissler said in an email.
Intelligent improvements
Samsung describes Intelligent Scan as "a deep learning-based verification solution that utilizes the collective strength of the Galaxy S9's iris scanning and facial recognition technologies to allow users to unlock their device and access protected content with a simple glance." It analyzes your face's visible features and the surrounding lighting conditions and decides which method works better to unlock your phone.
For phone unlocking, it first scans your face and then moves on to the iris if authentication initially fails. If conditions aren't great for using a face scan or iris alone, Intelligent Scan then combines them to unlock your device.
Samsung said that ensures "biometric authentication occurs successfully in virtually any environment." It can recognize users even when clothing or accessories are obstructing part of the face, and it works in conditions that are normally difficult, such as low light or bright outdoors settings.
Just as fingerprint sensors have gotten better over time, the company has made improvements to the RGB and infrared camera technologies for the iris and facial scans in the Galaxy S9 and S9 Plus, resulting in a higher success rate despite difficult conditions.
The Galaxy says the S9's iris technology also "has been enhanced to identify unique iris patterns from greater distances," and Samsung also improved the deep-learning algorithms in the S9 to better detect spoofing attempts and prevent unauthorized device access.
While facial recognition isn't that secure, Samsung said it offers consumers two other biometric authentication options (the front-facing iris scanner and the fingerprint reader on the back), as well as passcodes. And it noted that all biometrics information is stored on the device and is protected with Samsung's Knox security technology.
The company plans to add Intelligent Scan support into "a wide range of applications," starting with its Samsung Pass technology that lets you log into websites using biometrics instead of entering passwords.
While Intelligent Scan combines both iris and facial recognition, it's only the former that Samsung considers secure enough for its most important apps. With apps like Samsung Pass, you'll have to authenticate with either the iris or a combination of iris and face, Samsung said. Your face alone isn't going to pass muster.
And Intelligent Scan won't work at all with more important features like payments. To use Samsung Pay on the Galaxy S9 or S9 Plus, you'll have to enter a PIN or scan your fingerprint or iris.
Ultimately, though, Intelligent Scan's not here to make the Galaxy S9's biometrics more secure -- it's to make things easier.
"Unlocking my phone, if they can combine multiple techniques to make things faster, then that's great news," said Richard Hayton, chief technology officer of mobile security company Trustonic, which has worked with Samsung to enable security features like biometrics for apps including Samsung Pay. "But that doesn't mean that I have the same feelings about secure payments."
Galaxy S9 and S9 Plus: Hands-on with Samsung's iPhone X fighters.
MWC 2018: All of CNET's coverage from the biggest phone show of the year.