Android Authority

Friendly reminder: Biometrics are not the best way to secure your phone

Samsung has spent millions on making its phones more secure, and on making sure customers know about it. You’d think all that money would be enough to fend off the threat of a $2 silicone case. Apparently not.

$2 phone case vs tech mega-corporation

If there’s ever an appropriate time to call a gigantic tech conglomerate “red faced,” it’s probably now. In a terse statement released yesterday, Samsung acknowledged that some clear cases and screen protectors can be used to bypass the fingerprint sensors on the Galaxy S10, Galaxy S10 Plus, Galaxy S10 5G, Galaxy Note 10, and Galaxy Note 10 Plus.

You don’t need a 3D printer, super-high-res camera, latex molds, or any cloak-and-dagger nonsense. A dirt-cheap phone case is all you need to unlock someone’s Samsung flagship.

It’s hard to excuse this massive breach of trust, and it’s even harder to understand why Samsung has so far failed to apologize to customers. Yet, this embarrassing mishap isn’t that surprising in the scheme of things.

Biometrics make for poor security anyway

The truth is, fingerprints and other biometric authentication methods are flawed. You shouldn’t rely on them if you actually care about mobile security. PINs and passwords are much more secure — if less convenient — methods of authentication.

There are several reasons why an old-fashioned password is preferable to fingerprint readers, facial scanners, or retina/iris scanners.

For one, it’s easier to force someone to unlock their device with their fingerprint or face than it typically is to force them to reveal a password or PIN. It’s much easier to trick people into unlocking their device too — sometimes all it takes is to place the device in front of them while they’re sleeping (just ask Google Pixel 4 reviewers).

There are legal implications as well. In some jurisdictions, you can’t be compelled to provide a password due to protections against self-incrimination, but you can be compelled to touch a sensor or look at your phone, just like you can be forced to provide a DNA swab. Now, the number of people who’ll ever run into this issue is relatively small, but there are legitimate reasons you may want to avoid giving authorities access to your device.

Then there’s the problem of the many ways sensors and scanners can be “hacked.” Sometimes it requires expensive equipment and a determined attacker. In other cases, a picture of the owner or a simple silicone case will do the trick.

You could argue that fingerprint and facial scanners are good enough for 99% of users. Granted, most people will never have to worry about authorities rummaging through their messages or any shady entities stealing their fingerprints from their Facebook profile. It’s also true that biometric sensors have improved security for millions of users who, otherwise, could not be bothered with typing a PIN every time they unlock their phones.

But the stakes are getting higher all the time. We now use our faces and fingerprints to unlock our bank accounts, authorize payments in stores, and gain access to password lockers like LastPass. For now, that means biometrics guard your digital identity. In a few years, smartphones will be your identity, both online and in real life.

Finally, passwords have another massive advantage over biometric authentication methods: they’re disposable. You can always change your PIN or password, but what happens when your immovable physical traits leak? How do you update your fingerprints or your retina?

What you can do

If you’re worried about smartphone security, there are a few simple things you can do to protect yourself:
