Samsung Galaxy S10 Fingerprint Scanner Remains Spoofable

In-display or not, the fingerprint scanner used by the Galaxy S10 lineup remains rather spoofable by anyone who has the technical know-how and enough malicious intent to trick the biometric solution into wrongly granting access to Samsung’s latest range of Android flagships.

That’s the main conclusion drawn by one dedicated Galaxy S10 owner who attempted to spoof their latest gadget with a 3D-printed copy of their fingerprint. They did so successfully following short preparations which involved photographing their fingerprint on a wine glass, modifying the image in Photoshop in order to enhance its contrast and turn it into an alpha mask (basically a sole fingerprint surrounded by a transparent layer), and 3D-printing it onto a piece of plastic.

The printing process lasted for roughly thirteen minutes, with the produced fingerprint copy being accurate enough to fool the Galaxy S10 into unlocking. The author of the method used another smartphone to capture their fingerprint sitting on a wine glass but speculates one could just as easily use a DSLR in combination with a telephoto lens in order to obtain such an image over a long(er) distance. They’re likely right in that assumption: long-range imagery is one area where mobile photography still can’t get anywhere close to the “real thing,” as evidenced by countless crisp shots of various sports games you can see attached to your favorite columns and match reports on a daily basis.

The convoluted process the author of the newly reported method used to get around the Galaxy S10’s security has been criticized by some as unfeasible, with cynics likening it to making a copy of one’s door keys, then claiming to have “hacked” them. While that analogy isn’t too far off the mark, you certainly can’t get your house or apartment keys stolen from across the room, which appears to be a realistic possibility when it comes to using ultrasonic fingerprint readers.

One improvement compared to traditional scanners is that an in-display one requires some sort of pressure to be applied to the part of the screen that houses it, which means extra effort for the potential attacker. On the other hand, someone who got as far as obtaining and replicating a fingerprint is unlikely to stumble on that last step.

Ultimately, anyone who even remotely cares about mobile security shouldn’t be using their fingerprint for unlocking their smartphone at all. Instead of a password, a fingerprint is more akin to a username in today’s cybersecurity game. You could potentially use it to enhance the robustness of your unlocking mechanism instead of relying on it as your sole means of authentication, yet no handset manufacturer to date has provided a simple solution for doing so.

Then there’s the issue of the Fourth Amendment, i.e. the question whether it protects biometric data in the same sense it does passcodes. Right now, the answer is — more or less — a “no.”

None of that is to say Samsung’s latest Android flagships are less secure than their contemporaries. They’re arguably better at protecting your data than the majority of their rivals; just don’t expect wonders from them.