I have a new smartphone that can use biometric technology—specifically, an iris scanner—to authenticate me (i.e., to unlock itself). Though I was initially thrilled at the space-age modernity and ease of this feature, I ultimately decided not to continue using it, for a reason that may surprise you.
Biometric authentication might seem to some like a solution looking for a problem. Why not just use a password or PIN to unlock a phone or other device? Actually, static passwords are pretty fallible. People are lazy and choose really lame passwords. It’s also possible to intercept them; both my daughters managed to learn my smartphone’s PIN by looking over my shoulder.
But that’s not actually the biggest problem with traditional authentication. After all, security can be increased by using two factors, e.g., a static PIN or password plus a token or app that generates a new password every minute. But this process is annoying. To securely connect my work PC requires a complicated password to unlock it, followed by VPN authentication involving a numeric user ID, an 8-digit static PIN, and a 6-digit constantly changing PIN that I need to get from my phone, which (until recently) required that I unlock it with yet another 6-digit PIN. That’s 42 keystrokes total.
Meanwhile, throughout the day I’m typing this or that other username and password to reach various resources; I have well over 100 different logins to keep track of. Most of the time, the password field you type into doesn’t show you what you’re typing—just asterisks. This leads to typos, of course, so you have to start over. If you’re at a café, this makes sense, but don’t most of us work in an office or at home 90% of the time? Why not show the password by default and have an optional “mask” button for public spaces?
This is where fingerprint readers, facial recognition, and iris scanning can really help. They’re faster and easier, removing an annoyingly repetitive behavior.
Samsung optical recognition
My new Samsung Galaxy S9+ phone has three ways of optically authenticating the user. It can use facial recognition (i.e., using the front-facing camera to see if it’s my face); it can use an infrared scanner to inspect my irises and compare them to the baseline image I stored in the phone; or it can use both. In practice, the facial recognition isn’t considered secure enough for sensitive applications. The combined method is also pointless, because the phone tries the less rigorous facial recognition method first, thus dispensing with the secure iris scan most of the time. In practice, only the iris scanner by itself makes any sense.
So, does the iris scanning work? There are two definitions of “work.” First, the phone needs to easily perform the test and unlock itself, without any false negatives (i.e., failing to recognize my irises). On top of this, the authentication has to actually be secure (i.e., avoid being circumvented by a malicious actor).
At first blush, the iris scan seems great. You swipe up from the bottom of the touch-screen to tell the phone to scan you; then, a fraction of a second later, your phone is unlocked. It’s like magic, and far easier than the six-digit PIN I had to type on my old phone. (That was actually seven taps total: the PIN and then—pointlessly—having to tap Enter.)
As far as whether the technology really is secure, that’s harder to ascertain because it’s like proving a negative. But honestly, I don’t care if it’s completely foolproof. For me, the security needs to meet exactly two standards: 1) my employer’s IT department trusts it; and 2) Google Pay trusts it. I don’t see that there’s that much real risk involved here. After all, what are the odds that a malicious actor will gain physical access to my phone? Negligible. And if someone did, well, I’d kick his ass! (Meanwhile, if I were to lose my phone, one quick phone call to corporate IT would have it wiped clean—i.e., “bricked”—within minutes.)
That said, this is a full-service blog so I’ll share what my cursory Internet research turned up. Yes, somebody has already hacked this technology. They used a digital camera with an infrared light, captured a photo of somebody’s irises, printed it out, and then put a contact lens over the iris in the printout to create the right curvature. One article called this “alarmingly easy” but is it, really? I don’t typically let strangers take a photo of my irises in infrared mode from three feet away without my consent. Meanwhile, let’s not forget that this methodology still requires that the malicious actor get physical access to my phone. How’s he gonna do that? And what exactly does he hope to get off my phone … my beer photos?
Anybody who fixates on security measures involving physical access is missing the point. This is not how hackers operate. Let me explain how they actually do their thing. Recently I was sitting in a doctor’s office reading Readers Digest and came across an “article” (i.e., thinly veiled ad) for a free app that gives emergency first responders a way to get pertinent info off your phone if they find you unconscious in a ditch. They will want to find out if you have any medical conditions, and have a way to contact your family members to let them know you’ve been in an accident. Without a screen lock this is pretty easy—they just call the last number you dialed, or sift through your contacts. But with a screen lock, things get harder. The app described by the Reader’s Digest article makes your medical information and emergency contacts available when your phone is still locked. Pretty cool, right?
(By the way, if you want to make your emergency info available to first responders via your locked phone, check the website of your phone manufacturer. My old Motorola phones supported this natively, as does my Samsung.)
The problem with optical scanning
So the Samsung iris scan looks pretty good, right? If so why this post? Well, as is so often the case, the honeymoon was brief.
A few days into my use of the iris scan authentication, I started having some problems. Usually the scan was almost instant, but then I challenged it in several ways. I used it while wearing contact lenses, then glasses, then sunglasses. With the first two, the phone had to work a little harder to get a good scan, but eventually worked. With sunglasses—no dice.
Still no big deal, right? But over time, seemingly as I myself got tired, this phone seemed to be working harder and harder to authenticate me. Things got worse in the evening, perhaps due to low ambient light and/or my increasingly dilated pupils. Instead of just flickering, the screen was putting two circles on the screen for me to align my eyes with. I couldn’t get a screenshot of this, but here’s how Samsung depicts it:
Still not a big deal, but not instant and automatic either. It had me doing a little bit of work, and I don’t like doing a little bit of work. I’m a Californian, man! I don’t have time for instant gratification! Moreover, I had the distinct sense that having this red light shining in my eyes was starting to cause discomfort.
Could this discomfort be in my head? Absolutely! Try this thought exercise: do you feel a little bit of an itch right now, on your head? Just a little? Doesn’t it kind of feel like something is crawling on it? Weren’t you sitting under a tree earlier? Isn’t this the season for spiders? Isn’t it entirely possible that one dropped down into your hair? There’s a little itch—admit it. You have to scratch now, don’t you? I do, and I’m the perpetrator of this ruse! (Don’t you feel a yawn coming on, too?)
The point is, any fear of side effects with this technology can start to niggle, and a little fear isn’t unreasonable. A government facility employing iris scans would screen you once every few days or weeks. But phones? We unlock these devices many dozens of times a day. I don’t think it’s irrational to wonder if frequent iris scanning might cause a cumulative problem. After all, this use of the technology is totally new.
I’m clearly not the first person to wonder if this is safe. Consider the second Google autocomplete suggestion that appeared when I typed “samsung iris scanner”:
As luck would have it, I had the opportunity to talk to a Samsung engineer about the safety of this feature. (Never mind how.) I should point out that our conversation was basically off the record. (I didn’t present myself as a blogger, because I don’t enjoy having people laugh in my face.) I also want to be clear that this guy didn’t utter a single sentence that would incriminate Samsung in any way. Everything he said indicated an essential trust in this technology.
At the same time, there were some nonverbal cues indicating that perhaps he’s not entirely confident that there’s zero risk here. This wasn’t just my interpretation … several others witnessing the exchange chuckled out loud a couple times. Due to the very essence of nonverbal communication, I cannot explain exactly how he hedged. Perhaps the most tangible detail I can convey is this cryptic statement he made, in response to my question about the high number of scans these phones are doing: “Everything in moderation, including moderation, right?”
(It was a great tech-geek conversation, by the way. The oddest thing he said was, “You can remove your irises!” I pictured a gory self-surgery for a moment before realizing he meant I could remove the stored benchmark image and try again. The idea is, if I had captured the baseline iris scan in bright daylight, then the authentication scans would also work best in bright daylight. You can experiment with different lighting conditions to capture the best sample, which will make scans work in the widest variety of conditions. The phone has an almost comically named “Manage Irises” menu for this.)
In the final analysis, I didn’t find any legitimate reason to act on my concerns … I recognize them as knee-jerk reactions, more paranoid than rational. There’s just not enough there to suggest a safety problem with this authentication method. But there’s a less slippery aspect to it that ultimately did cause me to abandon it anyway. Look at this photo:
What do you notice about that photo, particularly in contrast to the one before it? The guy in the photo looks pretty tired, doesn’t he? The Samsung photo is much nicer. The woman—surely a model—has really nice smiling blue eyes. If I looked like her, I might actually enjoy iris scans. Hell, I’d probably even snap selfies! I might even use Instagram! But the reality is much different. Unlocking my phone, particularly during the evenings after a hard day, became downright demoralizing. Here’s what I found myself looking at:
Look at those bags under my eyes! It’s depressing! I also don’t have any eyebrows left. Where the hell did they go? I used to have eyebrows. In fact, I had very nice eyebrows. I think they were my best feature—and now they’re gone … at some point they just straight-up vacated. Another ravage of age. And the above photo doesn’t even capture the expression my eyes would betray during these scans … it was one of confusion and frustration, which are decidedly unflattering.
I’m not kidding here: these iris scans were making me feel old and lost. Haven’t these damn phones, with their social media and their selfies, done enough to undermine our self esteem, without reminding us, through this new form of scrutiny, how tired and doddering so many of us have become?
Happily, there was an elegant solution to my quandary: I switched to the fingerprint reader. I’d initially refused to consider this technology because I cannot stand it on my iPad Air. That device’s fingerprint reader has always enraged me. It works about one in ten times. Typically I try it three times in a row to no avail, and then the iPad gives up and makes me type my password. So it’s actually adding effort and frustration, the net result being I almost never use my iPad for anything. It just sits in a drawer.
Samsung, on the other hand, has a great fingerprint reader. For one thing, it’s located on the back of the phone, which just makes sense. Plus, it happens to work perfectly. Furthermore, it offers a significant extra advantage: you don’t have to “wake up” the phone to use it. With the iris scanner, you have to un-snooze the phone by pressing a button on the side, and then you swipe up on the screen, point your eyes at the phone, and then it does the scan. With the fingerprint reader, even if the phone is sound asleep, you just touch the reader and the phone unlocks. I can do this in the same motion as pulling my phone out of my pocket, so it’s instantly ready to use. Moreover, the phone can store multiple fingerprints, so another trusted person (e.g., your spouse) can borrow it (e.g., you’re driving and he or she wants to navigate). I give Samsung’s fingerprint authentication an A+ … they really nailed it.
(No, Samsung didn’t give me a free phone or anything for writing this; I’d be required to disclose that if they did. So, if anyone from Samsung is reading this: you’re welcome.)
For a complete index of albertnet posts, click here.