Best daily deals

Affiliate links on Android Authority may earn us a commission. Learn more.

Friendly reminder: Biometrics are not the best way to secure your phone

Fingerprints and other biometric authentication methods are flawed. Let's not forget it.
By
October 19, 2019
ZTE Axon 10 Pro in-display fingerprint sensor

Samsung has spent millions on making its phones more secure, and on making sure customers know about it. You’d think all that money would be enough to fend off the threat of a $2 silicone case. Apparently not.

$2 phone case vs tech mega-corporation

If there’s ever an appropriate time to call a gigantic tech conglomerate “red faced,” it’s probably now. In a terse statement released yesterday, Samsung acknowledged some clear cases and screen protectors can be used to bypass the fingerprint sensors on the Galaxy S10, Galaxy 10 Plus, Galaxy S10 5G, Galaxy Note 10, and Galaxy Note 10 Plus.

You don’t need a 3D printer, super-high-res camera, latex molds, or any cloak-and-dagger nonsense. A dirt-cheap phone case is all you need to unlock someone’s Samsung flagship.

이슈가 되고 있는 갤럭시 S10, 노트10 기종 실리콘 케이스 지문인식 뚫리는 현상 테스트해봤습니다….
갤럭시 10시리즈 사용자분들 당장 지문잠금해제 푸세요 pic.twitter.com/tbmzErrmkP
— StaLight (@Sta_Light_) October 16, 2019

It’s hard to excuse this massive breach of trust, and it’s even harder to understand why Samsung has so far failed to apologize to customers. Yet, this embarrassing mishap isn’t that surprising in the scheme of things.

Biometrics make for poor security anyway

The truth is, fingerprints and other biometric authentication methods are flawed. You shouldn’t rely on them if you actually care about mobile security. PINs and passwords are much more secure — if less convenient — methods of authentication.

There are several reasons why an old-fashioned password is preferable to fingerprint readers, facial scanners, or retina/iris scanners.

For one, it’s easier to force someone to unlock their device with their fingerprint or face than it typically is to force them to reveal a password or PIN. It’s much easier to trick people into unlocking their device too — sometimes all it takes is to place the device in front of them while they’re sleeping (just ask Google Pixel 4 reviewers).

An old-school password is preferable to fingerprint readers, facial scanners, or retina/iris scanners

There are legal implications as well. In some jurisdictions, you can’t be compelled to provide a password due to protections against self-incrimination, but you can be compelled to touch a sensor or look at your phone, just like you can be forced to provide a DNA swab. Now, the number of people who’ll ever run into this issue is relatively small, but there are legitimate reasons you may want to avoid giving authorities access to your device.

Then there’s the problem of the many ways sensors and scanners can be “hacked.” Sometimes it requires expensive equipment and a determined attacker. In other cases, a picture of the owner or a simple silicone case will do the trick.

You could argue that fingerprint and facial scanners are good enough for 99% of users. Granted, most people will never have to worry about authorities rummaging through their messages or any shady entities stealing their fingerprints from their Facebook profile. It’s also true that biometric sensors have improved security for millions of users who, otherwise, could not be bothered with typing a PIN every time they unlock their phones.

How do you update your fingerprints or your retina?

But the stakes are getting higher all the time. We now use our faces and fingerprints to unlock our bank accounts, authorize payments in stores, and gain access to password lockers like LastPass. For now, that means your digital identity. In a few years, smartphones will be your identity, both online and in real life.

Finally, passwords have another massive advantage over biometric authentication methods: they’re disposable. You can always change your PIN or password, but what happens when your immovable physical traits leak? How do you update your fingerprints or your retina?

What you can do

If you’re worried about smartphone security, there are a few simple things you can do to protect yourself:

  • Pick a secure authentication method (PIN or password), but don’t be lazy: the more characters you use, the safer.
  • Avoid pattern locks. They’re easier to spy on, and less secure than a good PIN or password.
  • Disable features like Smart Lock that keep the device unlocked when it’s in certain areas or when a Bluetooth device is connected.
  • Understand the difference between the various face unlock methods — the ones that use laser or infrared to scan your face are more secure than those that rely on the front-facing camera.
  • Enable Lockdown mode, available on Android Pie and later. This gives you the option to quickly disable all unlocking methods except the PIN or password.
  • Familiarize yourself with your specific phone’s security features. Some devices offer options like the ability to hide certain apps or content behind a specific fingerprint.
  • Buy devices from reputable manufacturers that are more likely to receive regular security and system updates.
  • In general, practice basic security hygiene. The chances of getting hacked remotely are much higher than of someone getting physical access to your device.

What is your preferred phone locking method?

What authentication method do you primarily use on your phone?

10868 votes