[content] => 
    [params] => Array
            [0] => /forum/index.php?threads/facial-recognition-may-not-be-secure-for-long.9839/

    [addOns] => Array
            [DL6/MLTP] => 13
            [Hampel/TimeZoneDebug] => 1000070
            [SV/ChangePostDate] => 2010200
            [SemiWiki/Newsletter] => 1000010
            [SemiWiki/WPMenu] => 1000010
            [SemiWiki/XPressExtend] => 1000010
            [ThemeHouse/XLink] => 1000970
            [ThemeHouse/XPress] => 1010570
            [XF] => 2021071
            [XFI] => 1050270

    [wordpress] => /var/www/html

Facial Recognition May Not be Secure for Long!

Facial recognition has been struggling for some time to be accepted as a mainstream biometric. Apple’s latest generation iPhoneis shifting away from fingerprint scanning and may introduce large numbers of consumers to facial recognition to unlock their most personal device. But history has shown that attackers aren’t ever very far behind, especially with using images of a person’s face for authentication. Will the new advances outpace the threats and establish a strong beachhead for widespread use or will facial recognition again fail to deliver long-term sustainable security for users?

Face as a Password
Facial recognition is one of dozens of different possible biometric measures to use as a means for identifying and authenticating users. By far, fingerprint has been the preferred choice over the past several years, with many of the most popular smartphones integrating a fingerprint scanner for easier unlocking.

Facial recognition has been tried in the past, but the results were not impressive. The failure rate for users resulted in a need to tune down the criteria to the point that it was simply not very secure. Then there is the growing problem of people’s images appearing everywhere. The world has been flooded with cameras and the fondness to share pictures. Social media and search engines are fertile grounds to locate high resolution pictures of just about anyone. Simple face matching for authentication was obsolete before it reached the open market.

Secure at First Glance
Several years ago, I was in a conference room at work and as people were slowly sauntering in for an upcoming meeting. I sat down next to a senior manager who was playing with a new digital tablet. He gleefully told me it was an unreleased prototype from one of the big tech vendors in Asia. He exclaimed it sported facial recognition login for “total security”. He was keen on showing off this latest technology, so he locked the device then held it up to his face so the camera could see him. After a few moments, it automatically unlocked. He was brimming with pride and turned toward me to showcase this revolutionary security capability that he was sure would change the industry.

Just at that moment I took a quick picture of his face with my phone. I asked him to lock his new tablet and then he handed it over to me. I pulled up his picture on my phone and placed it in front of the camera. I had to shift it closer a bit before it unlocked.

His face went pale with astonishment. It was as if I had robbed him of all joy. I handed it back to him and said, “perhaps not totally secure”.

This was a case of a consumer believing marketing claims and only witnessing the supporting information. But there was not any opposition to round out his opinion. To him, the technology worked as stated, therefore he assumed that the claim of security was true as well. He abruptly learned that technology function alone does not equate to protection, as attackers also use it to their advantage.

Facial recognition has had a difficult time in fending off researchers and attackers who look to undermine the security. History paints a grim picture. As new technology was introduced, the opponents quickly adapted and found simple ways to again undermine the trust and confidence.

Unlike other types of biometrics, face based authentication has several unique challenges. With the readily available source material, repository pictures or the ability to take a picture of someone’s face, the base biometric is known to the attacker. The security controls tend to rely in the processing and analysis of the data. The problem is once a hack is discovered it likely can be reproduced to work on any system. Therefore, break it once and it can be applied to fail everywhere.

Originally, first generation facial recognition focused on a static mapping of an image. It was soon defeated by headshot images of the subject that were presented to the camera. Printouts or digital images on a smartphone were sufficient to fool the algorithms.

The second generation featured the ability to detect ‘live sensing’. Essentially it looked for minor movements and the blinking of the eyes that static pictures lacked. The very first hacks were crude and amusing. Pictures printed out on photo paper with the eyes cut out. Researchers then wore the pictures like masks, showing their eyes in the cutouts. More sophisticated coders created overlays to digital images which painted in slight movements and eye blinks. This was similar to the video chat overlays we see today that paint makeup, dog noses, and other novelties in real-time. The easiest hack was simply to video the victim’s face for a few seconds and replay it to the sensor.

Third generation attempted to create a pseudo 3-dimensional model from a single camera. By using algorithms, a series of 2 dimensional pictures were stitched into a 3-dimensional model that could be measured. As it turns out, the direct reverse-engineering of this process resulted in successful compromises. Again, by taking a short video of the persons face and replaying to the camera gave it what it needed. More artistic adversaries created actual 3D masks and models which also proved successful, although time consuming and not very practical.

We are now entering into the fourth generation where dual cameras provide true stereo vision. This is a great leap forward but the physics of looking at light bouncing off of images through a lens still remain. It is possible to undermine such dual-camera setups, but it is significantly more difficult as both cameras must be fooled in coordination. The base technology is already heavily explored. Consider simple 3D goggles where the binocular vision of humans is fooled into perceiving depth while looking at 2-dimensional screens. The same fundamentals can be applied to defeat a stereoscopic setup. Even research in photo lithography is applicable.

The question will be if it is too difficult and problematic for attackers to leverage. Then again, if someone figures out a way once, it likely could be implemented into a system for widespread use. One thing is for certain, the battle continues, as advances in technology are trying to stay one step ahead of potentially exploitable vulnerabilities.
Part 2 - Facial Recognition May Not be Secure for Long

Turning a flat picture into a three-dimensional model is just math. Once the algorithms are figured out, it can be made available for widespread use. For example, researchers at the University of Nottingham released an online demonstration that anyone can use. Submit a face picture and it will create a 3D model for you. It is not perfect, but showcases the early work in this space.

Challenges of Facial Recognition
The weakness of facial recognition comes from the fact it is making a validation of what it visually detects. Basically, what it can see. This is problematic as attackers can use the limited focal plane of the camera to present whatever they want. The physics remain a persistent problem for image based authentication. It is easy to recreate recorded images, video, etc. with modern displays, to match what the system will expect. The advent of multiple cameras and the potential overlay of infrared signature, may shift such attacks from easy to much more difficult.

Bringing more types of sensors to the party can improve the overall comprehensiveness. Apple has incorporated an infrared camera, proximity sensor, and a dot projector as part of their iPhone X release. This comprehensiveness introduces more complexity which increases the challenges for adversaries but can also impact usability. Additionally, complexity in technology is a breeding ground for more vulnerabilities. So, more is not always better.

Biometric Options
There are other choices. Fingerprint, iris, voice, heartbeat, and a plethora of other biometrics are being explored as viable authentication measures. Although many other biometrics don’t suffer from the challenges inherent to facial recognition, they too each have their own unique strengths and weaknesses. There is no clear winner yet.

Facial recognition may not be a panacea, it is still far better than no authentication or default passwords/codes. The shift this year to replace the fingerprint scanning with facial recognition in the iPhone may raise the stakes.

The recent iPhone X demo went awry at first, but also showcased how fast the face-scan can be, at presumably the lowest security setting.


I predict if it proves sufficiently secure it will be here to stay. However, if it is weak or vulnerable, it will be quickly replaced with newer generation fingerprint scanners that can preserve aesthetics by working through the display glass and not requiring a separate button sensor.

The Future is Uncertain
Using our publicly accessible faces for security authentication may not be the best path forward. Technology is providing both the capabilities as well as undermining them. Time will tell.

As for me, I will stick with my fingerprint scanning phone. At least I have a much better chance of keeping my fingerprints more private and secure. It is not perfect, but the technology has proven solid and relatively secure in real world settings. Until tested reliable, I will not hastily jump into facial recognition. It may be suitable for low risk authentications, but I hold too much data on my phone to accept the unknown risks. Of all the different biometrics, I have only ever considered two to be plausible in finding the right balance of security, usability, and costs. My favorites are still fingerprint and iris scans, for local-only authentication. Call me paranoid, but that is my job.

I do hope Apple has found a way to also attain an optimal balance. If any company out there can thread this needle, it is Apple.

Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.