Smartphone owners today have a plethora of ways to lock and unlock their phones: face scans, finger presses, PIN codes, location detection, and so on. Are some of these options more secure than others? And which one should you use?
First, let’s recap of what’s actually available. iPhone owners have the option of Touch ID fingerprint scans and a PIN code, which these days has to be six digits long. Rumors are swirling that the next iPhone will offer some sophisticated face recognition tech as well as, or instead of Touch ID, but we’ll have to wait until September to find out.
On the Android side there are more manufacturers and models to consider, and thus more variety in options—fingerprint sensors and PIN codes are standard virtually everywhere now, while the Galaxy S8 from Samsung was one of the first major flagships to introduce iris scanning as an option. Most Android handsets also support pattern unlock, which is slightly more convenient than a PIN, with a smaller number (including the Galaxy S8) offering their own take on face recognition too.
Additionally, Google has made a suite of Smart Lock options available for unlocking your Android handset: Trusted Places (unlock at a specific location), Trusted Devices (unlock when connected to a specific Bluetooth device), Trusted Face (facial recognition), Trusted Voice (voice recognition) and On-Body Detection, which attempts to detect when your phone is actually on you and unlocks at at those times.
Look a little closer and it quickly becomes apparent that these newer, “smarter” methods of phone locking and unlocking are all about convenience. They usually get you into your phone quicker, but they also have some security shortcomings.
“There is no one biometric approach, such as fingerprints or iris scans, that is universally superior to other approaches,” Synopsys senior principal consultant Amit Sethi told Gizmodo.
Sethi said part of your decision about which phone locking protection tech to use should be based on how long it’s been on the market and how mature it’s become. You can also keep your eyes on the tech news of the day to see how security researchers are finding ways around the safety measures on your phone—and you don’t have to look far to find examples.
Just about every smartphone locking measure out there has been hacked or exposed at some point, but it’s worth remembering that in a lot of cases these technologies are getting beaten under lab conditions that aren’t easy to replicate in the real world. In other words, just because someone can spoof a copy of your iris doesn’t mean they’re going to go through the trouble of doing so.
Take the case of German minister Ursula von der Leyen—security researchers were able to create forgeries of her fingerprints based solely on some high resolution photos of their target, one of which was issued by von der Leyen’s own press office. Academics say the same trick is possible using high-resolution photos of people showing the peace sign.
As for iris scanning, the hackers of the Chaos Computer Club were able to get around the iris scanner built into a test Galaxy S8 using a high-resolution photo of its owner. To do the same, you would need an infrared-enabled camera, a photo taken from five meters away or closer, a laser printer, and a contact lens to shape the fake iris.
Maybe the phone hackers in your town aren’t going to go to that level of effort to get a sharp photo of you, but the point is that biometrics can be spoofed, and you can’t change your fingerprint as easily as you can change your PIN code. Fingerprint, iris, and face data is usually safely stored on your device and your device alone, but if your biometric details have made it to a database somewhere, that’s another avenue for hackers to exploit.
Considering you can get around iris scanning, it’s unsurprising that face scanning isn’t foolproof either. It’s actually the weakest of the set security tool in the set: photos have been shown to be enough to hack it, and Samsung doesn’t allow it as a method of authenticating Samsung Pay transactions, which tells you all you need to know.
The list continues: voice recognition can be hacked using audio recordings, and computers are getting smarter at generating audio from voice samples all the time. Like the other biometric protections we’ve mentioned here, voice recognition is enough to stop the average man on the street, but it’s not as secure against a dedicated hacker.
It’s worth noting that iris scanning is theoretically more secure than fingerprint scanning, because there are more data points to match up with, but again, it depends on the specific implementation. All of these biometric authentication methods are continually improving and getting smarter—Apple’s rumored face detection system is said to be one of the most sophisticated yet—but as far as the flagships of 2017 go you shouldn’t consider any of them as unbeatable ways of keeping your phone protected.
“If we want something to stop anyone from hacking our phone, even if they know us or have access to information about the owner, then no security measure is technically secure,” Mark James, security specialist at ESET, told Gizmodo.
“If you want something to stop someone from accessing your private data if it gets lost or stolen, and they do not have any information on you, then most of the current phone locking techniques will do that job,” James added.
Choosing the right protection
A security mechanism’s infallibility depends not just on its technical specs but also on a host of other factors, like how often you’re photographed in public, how often you’re without your phone, how much effort someone might expend to unlock your phone, how you combine methods together, and so on.
Based on the views of our experts, the old PIN code is most frequently cited ads the best way to lock your phone. In short, experts like it because it’s long, and it’s impossible to guess. That’s a very difficult hurdle for hackers to get over.
“When protecting mobile devices I highly recommend having a PIN code to wake a phone,” said Scott Schober, CEO of BVS Systems. Still, he added that no one security method is totally perfect. “All of these authentication methods are actually convenience features disguised as security... [and] users will always compromise security for convenience. That is why I come back to layered security—use an iris or fingerprint scan as an additional authenticator to password security.”
Leigh-Anne Galloway, Cyber Security Resilience Lead at enterprise security firm Positive Technologies noted that PIN codes have their vulnerabilities but remain technically the safest option for locking a phone: “In my opinion, the most secure way... to manage your phone locking is to use a randomly generated password,” she said. “Yes, it’s hard to remember, but all the other techniques make the authentication process more simple both for you and for potential attackers.”
While acknowledging there’s “good reason” why PIN codes and passwords are considered weak security measures—not least because we’re so bad at choosing decent passwords—Comparitech.com security researcher Lee Munson said the alternatives have yet to be proven to be significantly better.
“While biometrics and other authentication mechanisms do have a part to play in proving someone’s identity, none are sufficiently foolproof to stand alone just yet and are best utilized as part of a two-factor authentication setup,” advised Munson. “Long live the password.”
As for Google’s various Smart Lock options, the Trusted Devices option is the safest and the On-Body Detection is the least safe, according to AVG. Getting round the trusted devices option means stealing two devices rather than one, while on-body is really just there as a convenience measure and can’t tell you from anyone else (something Google admits as well). Trusted Locations can work well, as long as they’re set to your home address rather than every bar and restaurant you frequent.
To answer the question we came in with, getting multiple methods of protection set up is ideal, but a PIN code or password is safest (and the least convenient) of the bunch. Where you’re willing to draw the line between security and convenience is up to you.
On the one hand, watching you enter your smartphone PIN at a coffee shop is a lot easier for a would-be thief to do than build a working replica of your thumbprint; but on the other hand, your fingerprints, voice, iris and other biometrics are all vulnerable to being spoofed to some extent, and can’t ever be changed in the event of a breach. If you’re careful and clever about it, your PIN code only exists in your head, and that’s a very hard place for a hacker to get into.