Biometric authentication may be more convenient than a PIN or password, but it is not as secure as you might be led to believe. The iris scanner on the Galaxy S8 can be defeated with a photo and contact lens, despite Samsung's claims that it offers "airtight security" and provides "one of the safest ways to keep your phone locked and the contents private."
If this has you worried, Samsung says that it is "difficult for the whole scenario to happen in reality," even though the hack "appears simple." The company believes that having the right tools in the first place can prove to be problematic for anyone attempting to defeat the iris scanner.
"You need a camera that can capture infrared light (used in the video), which is no longer available in the market," says Samsung. And even if you manage to get your hands on one, "you need to take a photo of the owner’s iris and steal his smartphone." For these reasons, "it is hard to see that happening in real life."
So, basically, Samsung believes that there is no reason for the average user to worry about this, as it would hardly make sense for a thief to go to such great lengths to unlock the Galaxy S8 in the hope of reselling it.
However, what Samsung does not say is that while the average Joe may have neither the interest nor the patience to defeat the iris scanner, hackers willing to go the extra mile to extract important data, or government agencies wanting to unlock a Galaxy S8, will find a way to get the right tools for the job.
What's more, it is actually possible to tweak an existing camera to pick up infrared light. As CCC explained when it revealed the hack, "a thief [can] capture iris pictures [...] with a digital camera in night-shot mode or the infrared filter removed."
Using night-shot mode is a matter of pressing a button or turning a mode on in the settings, and removing the infrared filter is not all that hard either, all things considered. There are YouTube tutorials that show how to do that, for instance.
However, it is hard to argue that the average user should be concerned about this hack, especially if they do not post the exact pictures a hacker would need on social media or let complete strangers take photos with a telephoto lens from up close.