Samsung Galaxy S5 fingerprint swiper can also be faked out, but here's the difference with Touch ID...

As expected, the fingerprint swiper in the new Samsung Galaxy S5 is just as susceptible to spoofing by a fake fingerprint, just like Apple's Touch ID on the iPhone 5s, and pretty much every similar fingerprint sensor on the market. But it also looks like there are few things Apple did right that Samsung might want to look into incorporating in the future.

Biometrics are part of the same classic trade-off of convenience for security. They're not as good as a long, strong pseudo-random password but they're much quicker and easier to enter. (And in a perfect world we'd have the option for passcode/word + fingerprint to get some even more secure multifactor authentication going...) Here's what I wrote about Touch ID last year following similar spoofing attacks, and the poor reporting that followed them:

And the Galaxy S5 after announcement:

It looks like Touch ID has educated the market at least enough to take the brunt — and the letters from Al Franken — off Samsung's back. However, according to the SRLabs video above, however, there are some risks involved with Samsung's technology that Apple has chosen to minimize or avoid.

Firstly, Samsung apparently allows unlimited attacks on their fingerprint sensor. You can try fingerprint after fingerprint and it will happily let you. Apple's Touch ID limits you to 5 unsuccessful attempts, then demands a passcode or password. If someone makes a perfect spoof immediately, that won't matter. If not, or if it doesn't register properly the first few times, it could help.

Secondly, Samsung allows fingerprint authentication even after the Galaxy S5 has been rebooted or simply powered back on or re-charged. Apple's Touch ID requires passcode or password re-entry under those conditions.

Thirdly, Samsung allows third parties to hook into their fingerprint authenticator. So, as shown in the video, they can get to Paypal and your money. Apple currently restricts Touch ID to only your Apple account. So, worst case, if Touch ID is spoofed, all an attacker can really do is buy stuff off iTunes or the App Store, much of which would be locked to your account. That's much less of an incentive to spoof prints.

There's as much tension between functionality and security as there is convenience and security. Everyone wants to do more. Hey, I want Touch ID to unlock my house. But I understand securing the process was incredible important and time-consuming for Apple. For example, they made it so that if you open up an iPhone and remove or otherwise try to tamper with the sensor it will never work again, ever. They also prevented third party access, at least for now.

Hopefully fingerprint sensors and biometrics in general can be hardened even further so that we can get both more functionality and security in the future.

For more on the Samsung Galaxy S5 and fingerprint spoofing, see:

I'm still using Touch ID all the time, because I understand the risks, the limitations, and the benefits. How about you? And if you're using a Samsung Galaxy S5, do the differences in implementation cause you to think differently about using fingerprint authentication?

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, Review, The TV Show, Vector, ZEN & TECH, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.

More Posts



← Previously

2015 Hyundai Sonata to integrate CarPlay, fresh looks

Next up →

Deal of the Day: Body Glove DropSuit Rugged Case for iPhone 5/5S

There are 22 comments. Add yours.

iDavey87 says:

Well, just because it's limited to iTunes/App Store doesn't soften the blow any less. Money used is money used.

But you are correct. Those are some serious oversights on Samsung's part. Once something has been locked out due to many attempts, it should not be able to be circumvented by rebooting or able to be kept trying until they get it right.

renstein says:

However, because it is only tied to Apple's Stuff, refunds may be possible and are much easier to handle than if third-parties are relying on the tech to keep their secure payments safe.

StuartV says:

Good report, Rene. Shame on the AC editors for not being so objectively critical.

Though I do have to say your "thirdly" point is actually bogus and a point in favor of the Samsung. Apple goes too far in trying to protect people from their own stupidity and that point is simply an example of that. There's no (good) reason people shouldn't have the choice to let their fingerprint authenticate them in third party apps if they want.

williamsbh76 says:

I see what you are saying but who catches the blame for this? Apple or the consumer? It all goes back to the woman who orders coffee at McDonald's, gets serious burns because she spills it on herself, sues McDonald's and wins. Legally, it wasn't her fault (the consumer). It wan't the coffee manufacturer's fault (app devs). It was McDonald's (Apple) even though the consumer is an idiot in this case.

StuartV says:

The consumer.

And you gave a bad example. McDonald's lost that case because they purposely served their coffee at a higher temperature than was safe - even though they knew it was causing people to be burned - because it made it take longer for people to drink, so they served else free refills. They knew the temperature was unsafe for 10 years before that woman finally successfully sued them.

williamsbh76 says:

Actually you just backed up my point. McDonalds was at fault for serving the coffee too hot but seriously, who puts any hot liquid between their legs and doesn't expect to get some kind of burns if it spills. The only difference is the knowledge of the extent of damage that can be done. No where that I've seen has Samsung put any kind of warning out that allowing a third party app to use their fingerprint reader could result in theft or financial loss if it were comprimised and why would they? It would expose a vulnerability, mind you, the same one that Apple has if the sensor is compromised and could affect sales of the product. So again, who is to blame, if this happens and more importantly what are the legal repercussions? I hate to say it but people nowadays blame everything but themselves when something goes wrong. Rarely does anyone look in the mirror and say, "what did I do wrong," when the crap hits the fan and too many times they win legal battles for their own foolishness.

StuartV says:

Did you read the article? McDonald's lost because they purposely, knowingly, did something that was dangerous to their customers, in order to make more money. In your analogy, the only way it would be Apple's fault is if Apple put in the capability, then found out there was a bug that let hackers hurt people (e.g. by getting their PayPal credentials and cleaning out their bank account), then did nothing about it for 10 years, all the while knowing that there were people getting robbed by hackers that were exploiting the bug. And if that happened, they SHOULD get sued and lose!

Solamar says:

No, it's a great example.. because what is considered safe? Should the coffee be served lukewarm? Should it be hot enough to stay hot for 2 hours? 1 hour? Until it's boiling? You realize that water will only get so hot and coffee makers from a store get it has hot as McDonalds did. Why not sue the coffee machine makers too? The argument that they did it to make people take longer to drink is / was never proven; but because McDonalds admitted they wanted the coffee to stay warm for customers as they considered it going the extra mile for the customer came back and bit them.

In fact, MOST people get coffee through the drive-threw.. They don't stay long enough because most are otw to work when getting coffee in the morning.

Fact is, It's completely subjective and all it takes is the right tear at the right time to convince a judge or jury.. Not many will side with a company like Apple because the first thing they will think is they have the money, just pay it.. Right/wrong suddenly become subjective to those involved.

StuartV says:

You're trying to justify Apple's decision not to let third party apps use fingerprint authentication. And the logic you're using applies equally to saying that Apple shouldn't use fingerprint authentication at all, for anything. You're saying they could get sued and lose because somebody gets "hurt" via an exploitation of their fingerprint authentication. And the fact is, it's fairly easy to hack and people can get "hurt" now. If the possibility of getting hurt is reason to not let 3rd party apps use the feature, then the feature shouldn't be there at all.

iSRS says:

Plus, in June, when Apple announces third party hooks to Touch ID, (assuming the natural progression), the argument is moot.

Sent from the iMore App

Richard Devine says:

By that you mean me, also an editor here...

You might think that criticising Samsung is justified, but I'm perfectly happy with their implementation of a fingerprint scanner. In fact, so far it's actually been more reliable than Touch ID and offers something Apple won't allow in Paypal access.

StuartV says:

I don't think "giving a critical review" and "criticizing" are the same thing.

And I do think that Rene's first two points about how fingerprint-based security should work are extremely good. And any objective review should point out these two areas of functionality in Samsung's implementation, whether you think they are "good enough" or not. THAT decision should be up to the reader. Leaving out that information means you have made the decision for the reader.

willizen says:

"so far it's actually been more reliable"

I suppose I missed the large scale randomized trial that showed that Samsung's implementation was more reliable. Perhaps your experience is different, but I can't even remember the last time Touch ID didn't recognize my thumb on the first try. And I don't have to hold my phone with two hands to do it reliably every time either.

DS1331 says:

Ok McDonald's served their coffee knowing it was too hot and Apple and Samsung released their phones knowing the finger print sensor isn't secure. Your point is invalid.

Posted via the Android iMore App!

theREALtechdaddy says:

I believe Apple will keep any third party access to Touch ID very limited for the foreseeable future, perhaps with a (currently) styled AppleTV "special partner" channel arrangement. There are a lot of legal/liability issues that crop up when a problem arises with biometrics and money. If Apple keeps purchases to iTunes and pre-arranged partners, with the presumption Apple will introduce a payment system in the near future, I'm okay with this for now

Taz89 says:

Am pretty sure after certain amount of failed attempts it asks for password hence why it asks you to set a password when you set up the finger print.. Agree it would be good if a 2 step verification of finger print and a pin was added as an option for those who want to be extra secure. Also agree the option to require pin after reboot is a good. Am sure most of these things will get addressed via updates but I don't think this is a major issue, too many things need to come together, phone needs to get stolen, need a image of the correct print and then you need the right equipments to make a mould. Not something a everyday user has to worry about but agree options can be added to make it more secure. It's pretty much all finger print sensors that have these flaws

Posted via the Android iMore App!

pappy53 says:

Actually, after 5 failed attempts it will ask for a password.

GlennRuss says:

After all said, and done, do not loose your phone. I still see people go to the restroom, or leave their table at Starbucks, and leave the phone on the table, or they put it in a jacket picket, and leave it on the back of the chair while they shop around.

Sent from the iMore App

rjholmes123 says:

And who is surprised?

Sent from the iMore App

kkamoe says:

The reason why the iPhone 5S Touch ID is superior to the galaxy S5 is because you can do it holding one the phone with one hand. When I tried to do the fingerprint sensor on the galaxy it was really hard to enroll the fingerprint and afterward was hard to unlock the phone, unless I held the phone in one hand and swiped my finger. I'll take the 5S because the ease of the fingerprint.

nat750 says:

I can't wait for Touch ID to be available for everything that can be password protected. Since I can now use it problem free since 7.1 fixed it, i find it such a great feature. Nobody is forced to use it so if anybody doesn't trust it then just don't use it, simple as that. I want it on everything personally.

Sent from the iMore App