The Chaos Computer Club has demonstrated how to bypass the Galaxy S8 Iris Scanner with just a printed photo and a contact lens.
Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. “If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication”, says Dirk Engling, spokesperson for the CCC. Samsung announced integration of its iris recognition authentication with its payment system “Samsung Pay”. A successful attacker therefore gets access not only to the phone’s data, but also to the owner’s mobile wallet.
The security risk with iris-based authentication is even worse than with fingerprint scanners such as Apple’s Touch ID, which has also been easily bypassed. CCC says that Samsung’s iris scanner can be circumvented with high-resolution pictures from the Internet or with a photo taken by a good digital camera with a 200mm lens from up to five meters away. The photo has to be shot with the infrared filter removed for usable results.