Part 2 - Facial Recognition May Not be Secure for Long
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
This is Part 2 of the series Facial Recognition May Not be Secure for Long.
Turning a Flat Face into 3D
Turning a flat picture into a three-dimensional model is just math. Once the algorithms are figured out, they can be made available for widespread use. For example, researchers at the University of Nottingham released an online demonstration that anyone can use. Submit a face picture and it will create a 3D model for you. It is not perfect, but it showcases the early work in this space.
Challenges of Facial Recognition
The weakness of facial recognition comes from the fact that it validates what it visually detects: basically, what it can see. This is problematic, as attackers can use the limited focal plane of the camera to present whatever they want. The physics remain a persistent problem for image-based authentication. It is easy to recreate recorded images, video, etc. with modern displays to match what the system will expect. The advent of multiple cameras and the potential overlay of an infrared signature may shift such attacks from easy to much more difficult.
Bringing more types of sensors to the party can improve the overall comprehensiveness. Apple has incorporated an infrared camera, proximity sensor, and a dot projector as part of their iPhone X release. This comprehensiveness introduces more complexity, which increases the challenges for adversaries but can also impact usability. Additionally, complexity in technology is a breeding ground for more vulnerabilities. So, more is not always better.
Biometric Options
There are other choices. Fingerprint, iris, voice, heartbeat, and a plethora of other biometrics are being explored as viable authentication measures. Although many other biometrics don’t suffer from the challenges inherent to facial recognition, they too each have their own unique strengths and weaknesses. There is no clear winner yet.
Facial recognition may not be a panacea, but it is still far better than no authentication or default passwords/codes. The shift this year to replace fingerprint scanning with facial recognition in the iPhone may raise the stakes.
The recent iPhone X demo went awry at first, but also showcased how fast the face-scan can be, at presumably the lowest security setting.
I predict if it proves sufficiently secure it will be here to stay. However, if it is weak or vulnerable, it will be quickly replaced with newer generation fingerprint scanners that can preserve aesthetics by working through the display glass and not requiring a separate button sensor.
The Future is Uncertain
Using our publicly accessible faces for security authentication may not be the best path forward. Technology is both providing the capabilities and undermining them. Time will tell.
As for me, I will stick with my fingerprint scanning phone. At least I have a much better chance of keeping my fingerprints more private and secure. It is not perfect, but the technology has proven solid and relatively secure in real-world settings. Until tested reliable, I will not hastily jump into facial recognition. It may be suitable for low-risk authentications, but I hold too much data on my phone to accept the unknown risks. Of all the different biometrics, I have only ever considered two to be plausible in finding the right balance of security, usability, and costs. My favorites are still fingerprint and iris scans, for local-only authentication. Call me paranoid, but that is my job.
I do hope Apple has found a way to also attain an optimal balance. If any company out there can thread this needle, it is Apple.
Information Security Architect
7 years ago
DNA phenotyping will continue to mature and become more cost effective. At some point, a few skin cells on a stolen phone will be enough to recreate an image of the owner.
Product Management Leader | Ex-PayPal | Ex-eBay
7 years ago
Facial recognition is going through the technology maturity curve. It is just a matter of time before someone develops a robust solution. However, face id can be supplemented with voice, location and other attributes to build a robust security model. Let's think beyond security. There are many wider applications of patterns generated through cognitive parameters.
Creating the very foundations of Zillow's platform
7 years ago
Seems like fingerprints could be obtained pretty easily too, at least from a capable device. Any app that's authorized to read your print could save the input and get compromised. It may require a vulnerability in the surrounding reader code in the OS, but that's not far-fetched. Then, once your fingerprint is out there... it's out there.
Gamer. Script Kiddie. Cyber Defense.
7 years ago
All those companies push facial id as it's some big thing and people buy into it lol. Just go on their Facebook and print out a picture of them with a little Photoshop touch and bam, we're in.
Principal Consultant at iSystems GXPN | GPEN | CPTO | CHFI
7 years ago
Facial recognition has suffered at least 2 drawbacks despite its other advantages like easy to use and easy to carry: 1) the rise of 3D printing; 2) no easy "password" reset - Koreans may say otherwise.