20

Android supports using facial recognition for unlocking your phone. How secure is that mechanism?

For instance, if someone has a good quality picture of your face, can they defeat the facial recognition scheme by holding up the picture to the phone? Does the Android mechanism include any method of testing "liveness" (i.e., that there is a live person present, not just a picture of the person)?

I remember seeing a rump session talk that described an attack on the Android facial recognition unlock. The attack worked by starting with a picture of the user's face. Then they made a copy of the picture and used Paint to alter it so the user's eyes appeared to be closed (by painting skin color over the eyes to simulate closed eyelids). Finally, they displayed these images on a computer screen, alternating between them in a sequence designed to look like the person was blinking, and pointed the phone at the computer screen. If I understand correctly, this was intended to defeat some liveness test (where the phone detects liveness based upon blinking). The speakers claimed that this attack worked, but I don't remember any more details. Does this attack still work (if it ever did) on Android phones? Or are there other known attacks?


Here's what I've read so far. Ice Cream Sandwich (Android 4.0) introduced FaceLock. Jelly Bean (Android 4.1.1) introduced a "Liveness Check", which checks for your eyes to blink. I've found claims that without Liveness Check, FaceLock can be bypassed by holding up a static picture, and that the Liveness Check can be defeated through the trick outlined above. (Here's a video showing the attack.) Does this still work? Are there any other threats to be worried about?

D.W.
    I don't know what version or phone that was anymore, but we played around some weeks ago with a regular photo displayed on a second smartphone. It unlocked with no problem. – Flo Oct 14 '13 at 07:06
    It is not very secure if you have a twin... – Chris Dale Oct 15 '13 at 19:06
  • It is much less secure if you leave some of your nice pictures on Facebook (compare probabilities). I won't break it by creating your twin ;). – dan Oct 16 '13 at 10:31

3 Answers

14

You've already done enough research to see that facial recognition on Android is easily circumvented. I've read (although I cannot find the link now) that researchers were able to defeat it by using a picture of a similar-looking person, not even the actual person. When you think about it, expecting facial recognition to work on a device with limited resources, and in a fraction of a second, is a tall order. I'm sure it will eventually get there, but for now it isn't strong.

I do think that before you rule it out completely you should consider what it is you are trying to protect. Most phones are stolen for the express purpose of being sold on the black market and not for the information on them. Most get wiped without anyone even attempting to get data off them. Given that a thief would need to somehow obtain a quality picture of their victim in the correct pose in order to be able to unlock the phone it seems likely that facial recognition would be "good enough" security for many people as it raises the difficulty bar sufficiently.

If an attacker really wants access to someone's phone and has the time and resources to get a picture of the owner, facial recognition isn't going to prevent access. So if you have information on your phone that someone would really want, or have a duty of care to protect the information on it then don't use facial recognition. If your phone has nothing of interest then why not use it?

GdD
  • if the attacker has time and resources then he'll hack the memory and bypass the facial recognition entirely – ratchet freak Oct 14 '13 at 10:52
  • Sure, if a skilled attacker gets physical access to your phone there's all sorts of ways in. Facial recognition would lower the bar considerably though, anyone who can print out a picture from facebook or linkedIn could give it a try. – GdD Oct 14 '13 at 11:49
  • Yes you would actually need to make the image blink; You can point the device's front facing camera to a computer screen with an image animation of the victim blinking, which should unlock the phone, as the face unlock waits for the person to blink to make sure it's actually a human – BrownEyes Oct 15 '13 at 06:58
  • So, probably a little useful against simple street thieves, but not secure if someone you know wants to get some data off your phone. – Munim Oct 21 '13 at 06:07
3

Facial recognition is frankly overrated. It's something of a throwback to Hollywood.

For me the major weaknesses are:

  • Many forms, as noted, can be defeated by static pictures
  • Even forms which check for blinking can sometimes fail to a well-prepared video generated from a static image
  • Forms which secure against both static images and video are slow to authenticate, which would be very unsuitable for consumer electronics like Android devices.
  • It's a bit too easy to force someone to unlock (e.g., using a video call), so unsuitable for high-security applications.
  • It doesn't allow any easy route to a duress access system, whereas a duress password, pin etc. are all comparatively easy to implement.

For me, it's a nice gimmick on a phone, but it's all a bit "My voice is my passport, verify me" style security - a bit romanticised, and shouldn't be overestimated. It's a low security option at best.

It might, however, form a nice extra factor for authentication, if considered well for whatever application. Like everything in security, it's a matter of the right solution for the right problem. I wouldn't secure my house with it, but I might secure my fridge with it ;)

Jens Erat
Owen
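The blink trick described in the question (and Owen's second bullet above) is easy to see once a blink-based liveness check is written out. The following is an added example, not code from the page or from Android's FaceLock: it models the check as a scan over a per-frame eye-aspect-ratio (EAR) signal, with the threshold, the frame traces and the stricter "smooth transition" variant all being assumptions made for illustration. The stricter variant shows why a two-frame open/closed flip can be rejected, and why a replayed video of a real blink still passes.

```python
"""Toy model of a blink-based liveness check and the two-image bypass.

Added example, not the page's or Android's own code.  EAR thresholds,
frame traces and the `blink_liveness_smooth` heuristic are assumptions.
"""

# Eye-aspect-ratio per camera frame: roughly eye height / eye width.
# Open eyes sit near 0.30 and closed eyes near 0.10 in this toy model;
# anything below EAR_CLOSED is treated as "eyes shut".  (Assumed values.)
EAR_CLOSED = 0.15


def blink_liveness(ear_trace, min_blinks=1):
    """Naive check discussed in the thread: accept if the trace contains at
    least `min_blinks` open -> closed -> open transitions.  It looks only at
    the eye state over time, not at how the state changes."""
    blinks = 0
    state = "open"
    for ear in ear_trace:
        closed = ear < EAR_CLOSED
        if state == "open" and closed:
            state = "closed"
        elif state == "closed" and not closed:
            state = "open"
            blinks += 1
    return blinks >= min_blinks


def blink_liveness_smooth(ear_trace, min_blinks=1, max_step=0.10):
    """Stricter variant (an assumption, not Android's logic): also require
    the EAR to change gradually between consecutive frames.  A two-frame
    flip between a fully open and a painted-shut image jumps in one frame,
    so it is rejected.  A video of the victim actually blinking changes
    smoothly and still passes, so this only raises the bar."""
    if not blink_liveness(ear_trace, min_blinks):
        return False
    return all(abs(b - a) <= max_step for a, b in zip(ear_trace, ear_trace[1:]))


# Constructed traces, one EAR value per camera frame (30 frames each).
STATIC_PHOTO = [0.30] * 30                        # a printed picture never blinks
LIVE_USER = ([0.30] * 10                           # eyelids close and reopen
             + [0.26, 0.19, 0.11, 0.07, 0.13, 0.21, 0.27]
             + [0.30] * 13)
TWO_FRAME_ANIMATION = [0.30] * 10 + [0.07] * 4 + [0.30] * 16   # eyes-painted-shut frame
REPLAYED_VIDEO = list(LIVE_USER)                  # recording of the real user blinking


def evaluate():
    """Return {trace name: (naive result, smooth result)} for all traces."""
    traces = {
        "static_photo": STATIC_PHOTO,
        "live_user": LIVE_USER,
        "two_frame_animation": TWO_FRAME_ANIMATION,
        "replayed_video": REPLAYED_VIDEO,
    }
    return {name: (blink_liveness(t), blink_liveness_smooth(t))
            for name, t in traces.items()}


if __name__ == "__main__":
    for name, (naive, smooth) in evaluate().items():
        print(f"{name:20s} naive={naive!s:5s} smooth={smooth}")
```

Running it shows the static photo failing both checks, the two-frame animation passing the naive blink check (the bypass from the question) but failing the smoothness heuristic, and the replayed video passing both, which is the "well-prepared video" case in the answer above.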
1

Android's facial recognition is more secure than the famous

1234
0000
...

passwords.

It is weaker than any other form of 4-digit numeric password.

Moreover, it is a major risk because it amplifies the already public exposure of a personal picture, hence creating a larger attack surface (where it was not vital at all: Facebook is a leader in this field). Hence, as with all biometric techniques, this is a risk improvement.

dan