Hackers Unlock Samsung Galaxy S8 With Fake Iris (vice.com)
From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," says Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium-range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And that's it. They're in.
That's the general problem with biometric identification. Once you can overcome the limits of the scan mechanism, and impersonate someone else, there is nothing the impersonated one can do to close the door again, until new scan mechanisms are in place which have to be fooled in a new manner.
Biometrics are really analogous to user names, not passwords. I really have no idea why they keep insisting that they are the next thing in security.
I think by now everyone on Slashdot knows that biometrics provide very little actual security. That said, they do provide a very real solution to a very real problem. My phone has too much information on it to leave completely unprotected, but at the same time, I unlock it so many times a day that entering a long and complex passphrase each time is impractical.
Now that said, the phone situation is also not like any other computer security issue either. I pay pretty close attention to where my phone is at all times, and that place is usually on my person. So it could be argued that it doesn't need as much security. It is in very real terms not much different that way from my wallet, and a thief doesn't need to pass any authentication at all if he steals my wallet, and that contains not only cash and credit cards, but also my ID, which would be enough to steal my whole identity.
I see the fingerprint authentication on my phone as being enough to stop my toddler from doing too much harm to my settings, or my friends from pranking me at the bar; it's also enough to foil the vast majority of casual pickpockets. It won't protect me against any government agency, or dedicated crime syndicate, but really, who am I fooling, neither of those groups is going to care about my phone, and if they do, there's no authentication I could put on it that will actually provide real protection from them (between "rubber hose" attacks, and whatever hacking tool they've found and not released yet).
Now if I was asked to use biometrics to authenticate my car, house, workplace, or bank account, I'd object a lot more; after all, those things are often left unattended, and the incentive for a malicious party to get into them is much higher than for my phone.