German hackers, known as the Chaos Computer Club, have posted a video (via the Guardian) of them tricking the Samsung S8’s iris scanner using a picture of the owner’s eye with a contact lens placed on top of it, to mimic the curvature of a physical eyeball. This raises concerns that biometric authentication isn’t as secure as we’ve been led to believe. Don Duncan, security engineer at NuData Security commented below.
Don Duncan, Security Engineer at NuData Security:
“Many authentication technologies relying just on physical biometrics prove that impersonation is a risk. This is a challenge many technologies face in trying to balance the needs of security against convenience. Starbug from CCC (Chaos Computer Club) demonstrated this with being able to impersonate an individual using a picture with Samsung Galaxy S8’s iris-scanning authentication feature. Also this has been done using by Burger King by using voice recognition to launch Google searches on Android devices.
While these are all convenient means of authentication they should not be the sole means of validating who the user is. With physical biometrics – whether it is using a fingerprint, iris-scan or voice recognition – this should be complemented with other levels of authentication and not the sole mechanism for validation. Physical biometrics coupled with behavioural biometrics provides a complete recognition of the user. While automation and human actors can masquerade as a person using physical biometrics, human interaction and behaviour adds a level of complexity that provides this additional level of security without introducing friction into the user experience.”