
I found that this guy uploaded some face recognition code with a comment that he'd like to use it "as a security feature". This got me thinking: is face recognition a valid security feature, or is it "cool" but not a very effective way to secure something?

MatthewRock
  • It depends. For authentication, rather not yet with current technology. For monitoring, yes. – Aria Sep 06 '16 at 12:13
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/45101/discussion-on-question-by-matthewrock-is-face-recognition-a-good-security-featur). – Rory Alsop Sep 08 '16 at 14:57
  • Secure? Authenticate long jet black hair, steampunk waxed-out mustache, Amish neck beard, Korn-style black contacts, 90's gauged ear lobes, giant tribal African lip disk, and lack of teeth. Then let me in when I "clean up" and put in the dentures. – dhaupin Sep 08 '16 at 15:52
  • In the past I have fooled multiple types of biometrics, but not anymore. I work directly with the team at Microsoft that handles facial recognition for Windows 10. The new version MS uses detects enough differences for a pair of twins to lock each other out. It can see the ridges in your skin. They have yet to have one successful attack. Mind you, I am ONLY talking about the Surface Pro 4 and Surface Book. I use it all the time as an IT Pro. – ZaxLofful Sep 08 '16 at 23:10
  • @Lofful So if you have any damage to your face, do you get locked out of your device? (i.e. bruises, cuts, plastic surgery). – The Wandering Coder Sep 09 '16 at 05:15
  • @Lofful: your reward for working with Microsoft is that 99 people upvoted tim's answer that says you're lying (or wrong) about the false positive rate ;-) – Steve Jessop Sep 09 '16 at 08:26
  • I'm not sure if this has been improved with Windows 10, but in Windows 8 it's particularly easy to get past facial recognition if the user used their face for their account's picture. I was able to take a picture of the lock screen and show it to the webcam to get past the facial recognition stage very easily. – jrh Sep 09 '16 at 15:23
  • If your face is your "password," then you are basically broadcasting your "password" to everyone who sees you! – Michael Yaeger Sep 09 '16 at 17:07
  • @TheWanderingCoder Nope :) The facial recognition requires that you use a PIN number first. So you can never be locked out. It also still allows a password. It just makes it easier to log in. – ZaxLofful Sep 09 '16 at 18:04
  • @SteveJessop Tim has a well thought out argument that does in fact have merit if we are talking about anything EXCEPT what I mentioned. Which is why I put it as a comment and not an answer. I was very specific in stating that I am ONLY talking about the new Surface Pro 4 and Surface Book. It uses infrared to map the ridges in your skin. They have tested it with twins AND pictures. – ZaxLofful Sep 09 '16 at 18:04
  • @Lofful Wouldn't that just be a PINN? – Brian Sep 09 '16 at 20:02
  • @Lofful So in other words, there is another attack vector through which to access your device. You either use a (presumably 4-6 digit) PIN and your face (which, as other posters have said, seems somewhat easy to spoof) or a password (of any length). – The Wandering Coder Sep 12 '16 at 00:23
  • @TheWanderingCoder What attack vector are you referring to specifically? You listed every type of login that you can currently use. If password, PIN, and biometrics aren't good enough for you... What do you use to log in? "Somewhat easy to spoof" is completely wrong in this case. Once again, I am referring to laser-mapped biometrics, which can't be fooled without spy-grade replication of a face; it can sense your bone structure. Everyone else is referring to the old method where a flat picture file is being used. – ZaxLofful Sep 20 '16 at 17:20

6 Answers


No, not really. At least not as a primary form of authentication. Biometrics in general are not good for authentication, because:

  • You leave them all over the place, and there is no way to avoid that.
  • They cannot be changed in case of a breach.
  • You need to add a high error tolerance so as not to cause usability problems. These tolerances lead to false positives, even without attacks, and make attacks possible.

In practice, when implementing the algorithms, they usually have to balance between false acceptance rate and false rejection rate. This makes the efficiency of face recognition the lowest of all regarding the table. Its security is also lower than other biometric recognition systems, especially compared to fingerprint scans.

Your face is NOT your password, Face Authentication ByPassing Lenovo – Asus – Toshiba (2009)

I couldn't find a live demonstration for that paper, but here is one from a 31C3 talk about biometrics, which uses a simple picture, and can bypass required blinking. Here is an article from a person using a video to bypass a blinking requirement.

Here is a more recent paper using more modern approaches:

In this paper, we introduce a novel approach to bypass modern face authentication systems. More specifically, by leveraging a handful of pictures of the target user taken from social media, we show how to create realistic, textured, 3D facial models that undermine the security of widely used face authentication solutions.

[...]

In our opinion, it is highly unlikely that robust facial authentication systems will be able to operate using solely web/mobile camera input. Given the widespread nature of high-resolution personal online photos, today's adversaries have a goldmine of information at their disposal for synthetically creating fake face data. Moreover, even if a system is able to robustly detect a certain type of attack - be it using a paper printout, a 3D-printed mask, or our proposed method - generalizing to all possible attacks will increase the possibility of false rejections and therefore limit the overall usability of the system.

Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos (2016)

tim
  • Yup, leaving it all over the place is definitely a huge issue +1. My favourite quote on biometrics is always: *they're kind of silly, it is like a password you cannot change* (do not know who said that first though, sorry) – grochmal Sep 06 '16 at 14:38
  • Another point that might want to be added to this answer is how biometric passwords have to change over time, which would require frequent sampling of your body. Many people don't realize just how much their face, retinas, and even fingerprints change over their lifetime, especially with extremely short-term changes such as scarring or other injuries. If I cut my face shaving in the morning I wouldn't want to be locked out of my laptop! – sethmlarson Sep 06 '16 at 15:02
  • This answer is pretty good but seems to overlook the critical topic of *liveness*. There's a wide range of techniques out there to try to determine whether the face in the image is a live person (not, e.g., a static photograph or video). Some are easy to fool (e.g., blinking); others might be more effective. It's an open topic of research whether there is a cost-effective, accurate way to do liveness detection that can provide adequate protection. Also, it's not clear that attacks requiring Hollywood-style 3D masks render face recognition useless; it depends on what you use them for. – D.W. Sep 06 '16 at 20:35
  • @D.W. I agree, I could have gone into more depth regarding liveness detection, but I think the last paper does a pretty good job of it. Note also that it does not use 3D masks to bypass current liveness detection, but a VR system that runs on a smartphone which is held up to the camera of the FR system. It is of course always a question what the system is used for, but my main point was that biometrics in general and face recognition specifically have fundamental weaknesses that will likely make them unsuitable as primary authentication, at least in the foreseeable future. – tim Sep 06 '16 at 21:13
  • @SethMichaelLarson Definitely. I would assume that current FR systems can deal with a simple cut, but what if you change your makeup style? Or don't wear any at the moment, but did when installing the FR system? Those are serious [usability problems](http://ieeexplore.ieee.org/document/6587752/), and in the case of FR authentication, usability and security are at odds; more usability (i.e. fewer false negatives) leads to less security (i.e. more false positives and attack possibilities). – tim Sep 06 '16 at 22:50
  • "You leave them all over the place" - not sure how true this is for eye scans. – Nathan Osman Sep 07 '16 at 05:15
  • @tim Don't these things end up mainly looking for eye position, nose shape, jaw structure and so on? I had the impression that things humans consider important (like skin shade) are largely uninformative to FR algos (perhaps because they can't deal with changing light levels as well as human eyes can), so they end up ignoring whole swathes of the cheeks and forehead. – Superbest Sep 07 '16 at 05:28
  • @Superbest Makeup doesn't just change the skin shade; contouring in particular changes the perceived shape of the face. This can cause problems for FR systems, see e.g. [here](http://www.cse.msu.edu/~rossarun/pubs/DantchevaChenRossFaceCosmetics_BTAS2012.pdf) or [here](https://www.researchgate.net/publication/43199704_Influence_of_make-up_on_facial_recognition). – tim Sep 07 '16 at 08:57
  • @NathanOsman Of course you don't leave your eye (just as you don't leave your actual finger), but it is difficult to avoid images of your eye. You could of course always wear sunglasses (just as you can always wear gloves or a face mask), but that seems impractical for most people. – tim Sep 07 '16 at 09:04
  • I have heard of that hacker that was able to fake a finger or eye from a photo and did it to the German government. Here is an article; it's from a newspaper, not a research paper: http://www.scmagazineuk.com/starbugs-in-your-eyes-german-hacker-spoofs-iris-recognition/article/449157/ – Walfrat Sep 07 '16 at 11:41
  • "synthetically creating fake face data" I'm imagining a future attacker 3D printing people's heads using Facebook photos. This is somehow hilarious even if it's not realistic. – jpmc26 Sep 07 '16 at 16:11
  • @SethMichaelLarson And it gets much worse for girls wearing makeup. – Dmitry Grigoryev Sep 09 '16 at 10:30
  • @grochmal "like a password you can't change". True, but the theory is that you don't need to change it because it can't be stolen. – Barmar Sep 10 '16 at 07:36
  • wow..... and I know someone who has a business that is selling facial recognition security for fricking *ATM*'s... – Maltysen Sep 10 '16 at 18:19
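The trade-off tim's answer describes (a tolerance loose enough for usability is also loose enough for attacks) is easiest to see on numbers. The following is an added example, not code from the answer or from any of the cited papers: a score-based matcher is simulated with constructed Gaussian score distributions for genuine users, random impostors and a photo presentation attack, and the threshold is tuned the way an operator would, against a false-rejection budget. The distributions, the grid search and the budgets are all assumptions; nothing here is measured from a real product.

```python
"""Threshold trade-off in a score-based face matcher (added example, not from the answer).

A matcher produces a similarity score for each attempt; the system accepts if the score
reaches a threshold. Lowering the threshold cuts false rejections (usability) but raises
false acceptances (security). All scores below are constructed/synthetic.
"""
import random

random.seed(7)


def _clip(x):
    return min(1.0, max(0.0, x))


# Constructed score distributions. Genuine users score high, random impostors lower.
# A presentation attack (printed photo / replay) is modelled as scoring close to genuine,
# because it reproduces the same facial geometry the matcher was tuned to accept.
GENUINE = [_clip(random.gauss(0.80, 0.08)) for _ in range(2000)]
IMPOSTOR = [_clip(random.gauss(0.45, 0.12)) for _ in range(2000)]
PHOTO_ATTACK = [_clip(random.gauss(0.74, 0.08)) for _ in range(2000)]


def far(impostor_scores, threshold):
    """False acceptance rate: share of non-genuine attempts scoring at or above threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring below threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def threshold_for_max_frr(genuine_scores, max_frr, steps=1000):
    """Highest threshold whose FRR stays within the usability budget max_frr.

    This is the tuning an operator does to stop locking users out after a haircut or in
    bad light; the cost shows up as FAR and attack acceptance at the chosen threshold.
    """
    chosen = 0.0
    for i in range(steps + 1):
        t = i / steps
        if frr(genuine_scores, t) <= max_frr:
            chosen = t
    return chosen


def equal_error_rate(genuine_scores, impostor_scores, steps=1000):
    """Grid point where FAR and FRR are closest: the usual single-number summary."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, a, r)
    _, t, a, r = best
    return t, a, r


def report(max_frr):
    """Operating point for a given FRR budget, with attack acceptance at that point."""
    t = threshold_for_max_frr(GENUINE, max_frr)
    return {
        "threshold": t,
        "frr": frr(GENUINE, t),
        "far_random_impostor": far(IMPOSTOR, t),
        "photo_attack_accepted": far(PHOTO_ATTACK, t),
    }


if __name__ == "__main__":
    t, a, r = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER threshold {t:.3f}: FAR {a:.3%}, FRR {r:.3%}")
    for budget in (0.10, 0.02, 0.005):
        print(f"FRR budget {budget:.1%}: {report(budget)}")
```

Run it and compare the three operating points: each tightening of the FRR budget lowers the threshold, and the acceptance rate of the photo-attack scores climbs with it, while the random-impostor FAR alone would have looked acceptable. That is the gap between the advertised FAR (measured against other people) and the security against a targeted attacker who reproduces the enrolled face.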

It's useful as a "username"

We have a name for an authentication feature that cannot be easily changed and is occasionally shown to third parties - it's your account ID, user name, etc.

While you'd still want to use something else (e.g. a password) as the primary authentication feature, replacing the user ID with face recognition can make it more convenient (no need to enter anything) and more secure than the commonly used IDs such as user names or email addresses.

Peteris
  • "and more secure than the commonly used IDs such as user names or email addresses." I strongly disagree. It's easier for somebody to take a photo of my face and show it to the camera than to find out my username. Also, I am in control of the exposure of my username, but (practically) I am not in control of the exposure of my head. Also, I can change my username but I can't change my head. – Sharky Sep 08 '16 at 07:44
  • @Sharky masks are cheap – PyRulez Sep 11 '16 at 13:50
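Peteris' design in code, as an added example that is not part of the answer: the face match only selects the candidate account, and a password still has to verify before anything is granted, so a photo that matches the template perfectly gets the attacker exactly as far as typing the victim's username would. The toy feature vectors standing in for embeddings, the 0.95 similarity floor, the sample passwords and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Face match as identifier, password as authenticator (added example, not from the answer).

The face lookup only picks the candidate account; nothing is granted until the password
check passes. Templates are constructed toy vectors standing in for real embeddings.
"""
import hashlib
import hmac
import math
import os

SIMILARITY_FLOOR = 0.95   # assumed matcher threshold for "this looks like the enrolled face"
PBKDF2_ROUNDS = 100_000   # assumed work factor


def cosine(a, b):
    """Cosine similarity between two feature vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def enroll(directory, username, template, password):
    """Store the face template next to a salted password hash; the template is not a secret."""
    salt = os.urandom(16)
    directory[username] = {
        "template": list(template),
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
    }


def identify(directory, probe):
    """Return the best-matching username, or None. Plays the role of the username field."""
    best_user, best_score = None, SIMILARITY_FLOOR
    for user, rec in directory.items():
        score = cosine(probe, rec["template"])
        if score >= best_score:
            best_user, best_score = user, score
    return best_user


def verify_password(directory, username, password):
    """Constant-time comparison of the recomputed hash against the stored one."""
    rec = directory[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def login(directory, probe, password):
    """Face selects the account; password authenticates it. Returns the username or None."""
    user = identify(directory, probe)
    if user is None:
        return None
    if not verify_password(directory, user, password):
        return None
    return user


# Constructed enrolment data and probes (not real biometric data).
DIRECTORY = {}
enroll(DIRECTORY, "alice", [0.9, 0.1, 0.3, 0.7], "correct horse battery staple")
enroll(DIRECTORY, "bob", [0.1, 0.9, 0.6, 0.2], "hunter2")
ALICE_LIVE = [0.85, 0.15, 0.30, 0.72]   # live capture, slightly noisy
ALICE_PHOTO = [0.90, 0.10, 0.30, 0.70]  # printed photo: reproduces the template exactly
STRANGER = [0.5, 0.5, 0.5, 0.5]         # nobody enrolled looks like this

if __name__ == "__main__":
    print(login(DIRECTORY, ALICE_LIVE, "correct horse battery staple"))  # alice
    print(login(DIRECTORY, ALICE_PHOTO, "guess"))                        # None
    print(login(DIRECTORY, STRANGER, "hunter2"))                         # None
```

Note what the photo buys the attacker: `identify` happily returns `alice` for it, which is exactly the information a username leaks, and no more. Whether that is "more secure than a username", as the answer claims, or less, as Sharky's comment argues, comes down to how easily the identifier is obtained, not to the password check, which is unchanged either way.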

You tagged this with authentication, so I will answer from that perspective. (But as Aria points out in comments, it also has applications in surveillance.)

For face recognition to be a cool feature on Facebook it just needs to work most of the time. For it to be useful for authentication it needs to have a fail rate close to zero. Almost no false positives (even if it is a person that looks a lot like you, or someone is holding up a photograph or a 3D model of your face), and almost no false negatives (even if you lost a lot of weight or applied some make up). That is asking for a lot.

And like with all biometric authentication, you have the problem with embedding the key in your body. If you thought the bad guys cutting off your finger to get past the fingerprint scanner was bad, imagine what they would have to do to get your face...

Plus you can't change the shape of your face (short of plastic surgery) as easy as you can change a password or a physical key if it is compromised.

So this has all the problems of fingerprint readers, only much worse. It is a bad idea.

Anders
  • +1: especially for "... bad guys cutting off your finger to get past the fingerprint scanner was bad, imagine what they would have to do to get your face..." this reminds me of some 007 movies! :-) – Lorenzo Donati support Ukraine Sep 09 '16 at 04:28
  • What should additionally be remembered here is that you can be physically forced to show your eye or put your finger on the reader, while with a password, if you are ready to die and trained for torture, nothing can be done. – Xavier59 Aug 29 '18 at 23:30

There have been some good answers provided already. Probably the key point is that it depends on your risk profile. In some situations, facial recognition may be a convenient control which is adequately effective for that particular situation, but in many other situations you will need to combine it with other controls before it will provide an adequate level of protection. For example, I might decide that facial recognition is fine on my home computer, or it might be adequate for my screensaver lock, but it is not sufficient for an initial login or on my computer in the open-plan office at work, etc.

The other important point to note is that there is considerable variation in the accuracy and reliability of different facial recognition systems. For example, people have shown that many of the implementations on some lower-end mobile devices have very broad matching parameters which can easily be fooled by either a photo or someone who looks 'similar'.

As with nearly all security controls, questions like "Is X secure?" are generally the wrong question. Security needs to be assessed within the target context. What you are seeking is an adequate balance between risk of a compromise and convenience. Once you have identified what controls are appropriate, you then need to assess how effective the implementation of the selected controls is. If you have assessed that, in a specific situation, facial recognition would be appropriate, you then assess whether the facial recognition solution implemented performs within acceptable parameters.

Tim X

It depends on your definition of security. For example, it certainly can be used as a security feature if nobody knows about it and the camera covertly compares the faces of people signing in with the faces bound to their accounts and warns the people responsible for security about mismatches. But it is security through obscurity, and if an attacker knows about it they will use simple or complicated means of bypassing it, such as showing a picture or wearing a facial mask. The same goes for fingerprints and iris scanners. Most biometric stuff for authentication purposes works only in a supervised setting, where a person stands nearby and detects cheaters with their eyes, brain and experience, such as border control, street surveillance (if the ones wearing masks or avoiding cameras or behaving differently are stopped by police) or profiling criminals. So for authentication purposes in an unsupervised setting it is only good to impress 5-year-old children.

KOLANICH

No. One could simply replace the camera with a device responding with a video of the person's face. And you leave your face everywhere.

Or run the system in a VM and connect a virtual driver with data collected from a camera of your face.

Using this as the only security measure is highly insecure and should never be used. Maybe it would work well in a two-factor authentication scheme, but never alone.

noɥʇʎԀʎzɐɹƆ
  • If you allow changing the hardware and even the operating system of a security system, I don't think you can still create a secure system. The video does not work out of the box if the system tells you how to move your head – FooBar Sep 07 '16 at 07:04
  • @FooBar Then simply break through the wall/door with a sledgehammer if you are not allowed to. I'm talking about cryptographic security. – noɥʇʎԀʎzɐɹƆ Sep 07 '16 at 21:18
  • Do you know a system that still would be safe if it is run within an attackers VM? – FooBar Sep 08 '16 at 08:21