Android supports using facial recognition for unlocking your phone. How secure is that mechanism?
For instance, if someone has a good quality picture of your face, can they defeat the facial recognition scheme by holding up the picture to the phone? Does the Android mechanism include any method of testing "liveness" (i.e., that there is a live person present, not just a picture of the person)?
I remember seeing a rump session talk that described an attack on the Android facial recognition unlock. The attack worked by starting with a picture of the user's face. Then they made a copy of the picture and used Paint to alter it so the user's eyes appeared to be closed (by painting skin color over the eyes to simulate closed eyelids). Finally, they displayed these images on a computer screen, alternating between them in a sequence designed to look like the person was blinking, and pointed the phone at the computer screen. If I understand correctly, this was intended to defeat some liveness test (where the phone detects liveness based upon blinking). The speakers claimed that this attack worked, but I don't remember any more details. Does this attack still work (if it ever did) on Android phones? Or are there other known attacks?
Here's what I've read so far. Ice Cream Sandwich (Android 4.0) introduced FaceLock. Jelly Bean (Android 4.1.1) introduced a "Liveness Check", which checks for your eyes to blink. I've found claims that without Liveness Check, FaceLock can be bypassed by holding up a static picture and that the Liveness Check can be defeated through the trick outlined above. (Here's a video showing the attack.) Does this still work? Are there any other threats to be worried about?