Thoughts Aloft

Random Ramblings

Biometric Security

This article about a “flaw” in the Samsung Galaxy S10 in-screen fingerprint reader is nothing but click-bait that I probably shouldn’t be linking to, but it got me thinking about so-called biometric security “flaws.”

Samsung: Anyone’s thumbprint can unlock Galaxy S10 phone

This is the BBC article headline, and like all the others I’ve seen reporting the issue, it makes it sound like a widespread, serious flaw where anybody could pick up anybody’s S10 and unlock it, which I do not believe is the case.

A flaw that means any fingerprint can unlock a Galaxy S10 phone has been acknowledged by Samsung. It promised a software patch that would fix the problem.

I believe this “flaw” is an isolated issue with the specific model of screen protector that the person mentioned in the article was using. If this was a widespread issue with all screen protectors, we wouldn’t first be hearing about it seven months after the phone launched. If I’m wrong and it is a widespread issue affecting all screen protectors, then yeah, this is a very serious flaw that Samsung should have caught well before now.

Whether this is an isolated incident that got blown out of proportion or a larger issue that went unnoticed until now, I am glad that Samsung is taking it seriously and plans to correct the issue.

BBC’s News Technology Reporter, Chris Fox, writes about problematic Google Pixel 4 facial recognition: [1]

Google has confirmed the Pixel 4 smartphone’s Face Unlock system can allow access to a person’s device even if they have their eyes closed.

One security expert said it was a significant problem that could allow unauthorised access to the device.

By comparison, Apple’s Face ID system checks the user is “alert” and looking at the phone before unlocking.

This article is click-bait that does nothing more than scare people about biometric authentication. It is curious, and a little troubling, that Google isn’t including any sort of attention awareness setting in the shipping version of Android 10, at least according to the article. [2] The article mentions a statement from Google but doesn’t include the statement or directly quote the statement, except for a single sentence at the very end of the article: “We will continue to improve Face Unlock over time.”

Yes, iPhones and iPads with FaceID have attention awareness turned on by default, but turn it off and they will behave the same way as the Pixel 4. I have attention awareness turned off on my iPhone 11 because my sunglasses prevent the TrueDepth camera from seeing my eyes. They are not polarized sunglasses but have dark tinted glass lenses. I did not hesitate in turning attention awareness off because 1. FaceID is still secure with attention awareness turned off, and 2. I trust my wife and kids not to do anything nefarious with my phone when I’m sleeping.

“If someone can unlock your phone while you’re asleep, it’s a big security problem,” said cyber-security expert Graham Cluley. “Someone unauthorised - a child or partner? - could unlock the phone without your permission by putting it in front of your face while you’re asleep,” he told BBC News.

I laughed at the security expert’s statement. This is not a “big security problem” or flaw with the Pixel 4, or any iPhone or iPad with FaceID. It is not a “big security problem” with devices that have a fingerprint scanner where someone just has to place your finger on the scanner to unlock your device. This is one of the security vs. convenience trade-offs we make with any sort of authentication, biometric or otherwise, on our devices. We take the convenience of not typing our device passcode [3] every time we unlock our device and trade a very, very little, microscopic piece of security. The same could be said of people using a 4 or 6 digit or character passcode instead of a 25 digit or character passcode.

We need to be able to trust in the authentication methods we use on our devices, and any real flaw in those methods needs to be fixed, but these blown-out-of-proportion, click-bait articles are not helpful in any way.


  1. I promise this is not a bash-the-BBC post.
  2. “Google fixes major flaw with Pixel 4 face unlock” will be the headline when or if attention awareness is added.
  3. Or App Store password, password manager password, etc.