Chaos Computer Club's "Starbug" has taken a look at the Samsung Galaxy S8's iris-scanning authentication feature and found you can beat it with a photograph.
The tools the group used aren't even remotely sophisticated: a camera in night mode, a contact lens, and a printer.
To fool the sensor, supplied to Samsung by Princeton Identity, the “attacker” took a photo of the subject from a few metres' distance, printed it out, and placed a contact lens over the printed iris to imitate the curvature of a real eye (note: the CCC video doesn't mention this, but you'd have to get the printout's scale right, so that the printed iris is the same size as the contact lens and as a real iris).
When that image was presented to the camera, it unlocked, right on cue.
As CCC spokesperson Dirk Engling says in the group's announcement, the integration between authentication and Samsung Pay means someone who can trick your phone can also spend your money.
Night mode (that is, with the camera's infrared-blocking filter out of the way, so near-infrared light reaches the sensor) is important, because with infrared in the image, “the fine, normally hard to distinguish details of the iris of dark eyes are well recognisable.”
CCC's advice: use a PIN to unlock the phone. ®