The Samsung Galaxy S8’s facial sensor can be fooled with a photograph

Galaxy S8 (photo: Julian Chokkattu/Digital Trends)

When Samsung announced the Galaxy S8 this week, it talked up the flagship’s facial recognition feature — if you choose, you can dispense with a password and use your face to unlock your phone. But initial reports suggest that might not be the most secure alternative. In a video published by iDeviceHelp on Thursday, the Galaxy S8’s facial recognition appears to be fooled by a selfie on another S8.

It’s a weakness Samsung tacitly admitted earlier this week when it clarified that facial recognition can’t be used for Samsung Pay.

“The phones can be unlocked by the face of a sleeping person or even just a photo,” an industry watcher told the Korea Herald. “For now, the facial recognition technology is only intended for fun. It should not be considered as a foolproof security measure.”

The Galaxy S8’s facial recognition may not be better than its forebears, but it’s no worse.

In 2011, Google’s Ice Cream Sandwich Android operating system shipped with facial recognition that could be fooled with a photo. An updated version of the feature, which debuted in Android Jelly Bean, added a “Liveness check” that required users to blink after the initial facial scan. But it, too, was easily circumvented — by pics from Facebook and a photo editing program.

More recently, University of North Carolina researchers demonstrated how similar “Liveness checks” can be fooled by realistic, textured 3D facial models with photos animated by virtual reality systems. Using the 3D models, they were able to fool four out of five security systems 55 percent to 85 percent of the time.

Despite the fact that facial recognition technologies remain relatively easy to fool, they’re seen as something of a biometric holy grail. Facebook’s experimental system can recognize a face without seeing it and Microsoft is developing technology that can decipher emotions from the facial expressions of people who attend political rallies.

One explanation is that one of the most popular alternatives, fingerprints, isn’t much more secure.

Members of Germany’s Chaos Computer Club were able to replicate a fingerprint using high-resolution images of a hand, specialized computer software, a standard printer, glue, and plaster. Researchers at Michigan State University were able to use an inkjet printer to print a 2D image of a fingerprint that fooled most sensors. And police in Michigan used a 3D print of a murder victim’s finger to unlock an iPhone.

If surveys are any indication, it might all be moot. In a recent survey of 1,119 people, a majority — 58 percent — preferred to log into online services with a password versus biometric methods like fingerprints (10 percent) and facial recognition (two percent).