77

I found that this guy uploaded some face recognition code with a comment that he'd like to use it "as a security feature". This got me thinking: is face recognition a valid security feature, or is it a "cool" but not very effective way to secure something?

13
  • 14
    It depends. For authentication rather not yet with current technology. For monitoring yes.
    – Aria
    Commented Sep 6, 2016 at 12:13
  • 2
    In the past I have fooled multiple types of biometrics, but not anymore. I work directly with the team at Microsoft that handles facial recognition, for Windows 10. The new version MS uses detects enough differences a pair of twins to lock each other out. It can see the ridges in your skin. They have yet to have one successful attack. Mind you I am ONLY talking about the Surface Pro 4 and Surface Book. I use it all the time as an IT Pro.
    – ZaxLofful
    Commented Sep 8, 2016 at 23:10
  • 10
    @Lofful So if you have any damage to your face, do you get locked out of your device? (ie. bruises, cuts, plastic surgery). Commented Sep 9, 2016 at 5:15
  • 3
    @Lofful: your reward for working with Microsoft is that 99 people upvoted tim's answer that says you're lying (or wrong) about the false positive rate ;-) Commented Sep 9, 2016 at 8:26
  • 2
    @Lofful Wouldn't that just be a PINN?
    – Brian
    Commented Sep 9, 2016 at 20:02

6 Answers

130

No, not really. At least not as primary form of authentication. Biometrics in general are not good for authentication, because:

  • You leave them all over the place, and there is no way to avoid that.
  • They cannot be changed in case of a breach.
  • You need to add a high error tolerance as to not cause usability problems. These tolerances lead to false positives, even without attacks, and make attacks possible.

In practice, when implementing the algorithms, they usually have to balance between [false acceptance rate] and [false rejection rate]. This makes the efficiency of face recognition the lowest of all regarding the table. Its security is also lower than other biometric recognition system, especially compared to fingerprint scan.

Your face is NOT your password, Face Authentication ByPassing Lenovo – Asus – Toshiba (2009)

I couldn't find a live demonstration for that paper, but here is one from a 31C3 talk about biometrics, which uses a simple picture, and can bypass required blinking. Here is an article from a person using a video to bypass a blinking requirement.

Here is a more recent paper using more modern approaches:

In this paper, we introduce a novel approach to bypass modern face authentication systems. More specifically, by leveraging a handful of pictures of the target user taken from social media, we show how to create realistic, textured, 3D facial models that undermine the security of widely used face authentication solutions.

[...]

In our opinion, it is highly unlikely that robust facial authentication systems will be able to operate using solely web/mobile camera input. Given the widespread nature of high-resolution personal online photos, today’s adversaries have a goldmine of information at their disposal for synthetically creating fake face data. Moreover, even if a system is able to robustly detect a certain type of attack - be it using a paper printout, a 3D-printed mask, or our proposed method - generalizing to all possible attacks will increase the possibility of false rejections and therefore limit the overall usability of the system.

Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos (2016)
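
The tolerance trade-off between false acceptance and false rejection that this answer describes, as an added example that is not part of the original post. The similarity scores are constructed for illustration and the function names are hypothetical:

```python
# Constructed similarity scores in [0, 1] from a hypothetical face matcher;
# illustrative values only, not measurements of any real product.
# GENUINE: the enrolled user on different days (lighting, a cut, make-up).
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.79, 0.93, 0.66, 0.87, 0.90]
# IMPOSTOR: other people, including look-alikes and a held-up photo.
IMPOSTOR = [0.31, 0.45, 0.52, 0.28, 0.61, 0.70, 0.39, 0.48, 0.74, 0.35]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def operating_point(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest observed score usable as a threshold with FAR <= max_far.

    Returns (threshold, FAR, FRR). The FRR is the usability price that
    legitimate users pay for the chosen security level.
    """
    for t in sorted(set(genuine + impostor)):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no observed score meets the requested FAR")


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in (0.60, 0.65, 0.72, 0.79, 0.85):
        far, frr = rates(t)
        print(f"{t:9.2f}  {far:4.0%}  {frr:4.0%}")
    # Demanding zero false accepts on this sample locks the real user out
    # on 2 of 10 attempts; tolerating that user's bad days lets look-alikes in.
    print(operating_point(0.0))
```

On this sample no threshold gives both rates at zero: the genuine and impostor score ranges overlap, so every setting trades lockouts against false accepts.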

14
  • 11
    Yup, leaving it all over the place is definitely a huge issue +1. My favourite quote on biometrics is always: they're kind of silly, it is like a password you cannot change (do not know who said that first though, sorry)
    – grochmal
    Commented Sep 6, 2016 at 14:38
  • 35
    Another point that might want to be added to this answer is how biometric passwords have to change over time which would require frequent sampling of your body. Many people don't realize just how much their face, retinas, and even fingerprints change over their lifetime especially with extremely short-term changes such as scarring or other injuries. If I cut my face shaving in the morning I wouldn't want to be locked out of my laptop! Commented Sep 6, 2016 at 15:02
  • 2
    This answer is pretty good but seems to overlook the critical topic of liveness. There's a wide range of techniques out there to try to determine whether the face in the image is a live person (not, e.g., a static photograph or video). Some are easy to fool (e.g., blinking); others might be more effective. It's an open topic of research whether there is a cost-effective, accurate way to do liveness detection that can provide adequate protection. Also, it's not clear that attacks requiring Hollywood-style 3D masks render face recognition useless; it depends on what you use them for.
    – D.W.
    Commented Sep 6, 2016 at 20:35
  • 3
    @D.W. I agree, I could have gone into more depth regarding liveness detection, but I think the last paper does a pretty good job of it. Note also that it does not use 3d masks to bypass current liveness detection, but a VR system that runs on a smart phone which is held up to the camera of the FR system. It is of course always a question what the system is used for, but my main point was that biometrics in general and face recognition specifically have fundamental weaknesses that will likely make them unsuitable as primary authentication, at least in the foreseeable future.
    – tim
    Commented Sep 6, 2016 at 21:13
  • 3
    I have heard of that hacker who was able to fake a finger or eye from a photo and did it to the German government. Here is an article; it's from a newspaper, not a research paper: scmagazineuk.com/…
    – Walfrat
    Commented Sep 7, 2016 at 11:41
58

It's useful as a "username"

We have a name for an authentication feature that cannot be easily changed and is occasionally shown to third parties - it's your account ID, user name, etc.

While you'd still want to use something else (e.g. a password) as the primary authentication feature, replacing the user ID with face recognition can make it more convenient (no need to enter anything) and more secure than the commonly used IDs such as user names or email addresses.

2
  • 14
    "and more secure than the commonly used IDs such as user names or email addresses." I strongly disagree. It's easier for somebody to take a photo of my face and show it to the camera than find out my username. Also, I am in control of the exposure of my username, but (practically) I am not in control of the exposure of my head. Also I can change my username but I can't change my head.
    – Sharky
    Commented Sep 8, 2016 at 7:44
  • 1
    @Sharky masks are cheap Commented Sep 11, 2016 at 13:50
19

You tagged this with authentication, so I will answer from that perspective. (But as Aria points out in comments, it also has applications in surveillance.)

For face recognition to be a cool feature on Facebook it just needs to work most of the time. For it to be useful for authentication it needs to have a fail rate close to zero. Almost no false positives (even if it is a person that looks a lot like you, or someone is holding up a photograph or a 3D model of your face), and almost no false negatives (even if you lost a lot of weight or applied some make up). That is asking for a lot.

And like with all biometric authentication, you have the problem with embedding the key in your body. If you thought the bad guys cutting off your finger to get past the fingerprint scanner was bad, imagine what they would have to do to get your face...

Plus you can't change the shape of your face (short of plastic surgery) as easily as you can change a password or a physical key if it is compromised.

So this has all the problems of fingerprint readers, only much worse. It is a bad idea.

2
  • 4
    +1: especially for "... bad guys cutting off your finger to get past the fingerprint scanner was bad, imagine what they would have to do to get your face..." this reminds me of some 007 movies! :-) Commented Sep 9, 2016 at 4:28
  • 1
    What should be reminded here additionally is that you can be physically forced to show your eye/put your finger, while with a password, if you are ready to die and trained for torture, nothing can be done.
    – Xavier59
    Commented Aug 29, 2018 at 23:30
4

There have been some good answers provided already. Probably the key point is that it depends on your risk profile. In some situations, facial recognition may be a convenient control which is adequately effective for that particular situation, but for many other situations you will need to include it with other controls before it will provide an adequate level of protection. For example, I might decide that facial recognition is fine on my home computer or it might be adequate for my screensaver lock, but it is not sufficient for an initial login or on my computer in the open plan office at work etc.

The other important point to note is that there is considerable variation in the accuracy and reliability of different facial recognition systems. For example, people have shown that many of the implementations on some lower end mobile devices have very broad matching parameters which can easily be fooled by either a photo or someone who looks 'similar'.

As with nearly all security controls, questions like "Is X secure" are generally the wrong question. Security needs to be assessed within the target context. What you are seeking is an adequate balance between risk of a compromise and convenience. Once you have identified what controls are appropriate, you then need to assess how effective the implementation of the selected controls is. If you have assessed that in a specific situation, facial recognition would be appropriate, you then assess that the facial recognition solution implemented performs within acceptable parameters.

1

It depends on your definition of security. For example, it certainly can be used as a security feature if nobody knows about it and the cam covertly compares faces of men signing in with the faces bound to the account and warns the men responsible for security about mismatches. But it is security through obscurity, and if an attacker knows about it, he will use simple or complicated means of bypassing, such as showing a picture or wearing a facial mask. The same goes for fingerprints and iris scanners. Most biometric stuff for authentication purposes works only in a supervised setting where a man stands nearby and detects cheaters with his eyes, brain and experience, such as border control, street surveillance (if the ones wearing masks or avoiding cameras or behaving differently are stopped by police) or profiling criminals. So for auth purposes in an unsupervised setting it is only good to impress 5-year-old children.

0

No. One could simply replace the camera with a device responding with a video of the person's face. And you leave your face everywhere.

Or run the system in a VM and connect a virtual driver with data collected from a camera of your face.

Using this as the only security measure is highly insecure and should never be used. Maybe it would work well in a two-factor authentication scheme, but never alone.

3
  • 3
    If you allow changing the hardware and even the operating system of a security system, I don't think you can still create a secure system. The video does not work out of the box if the system tells you how to move your head.
    – FooBar
    Commented Sep 7, 2016 at 7:04
  • @FooBar Then simply break through the wall with a sledgehammer wall/door if you are not allowed to. I'm talking about cryptographic security. Commented Sep 7, 2016 at 21:18
  • Do you know a system that still would be safe if it is run within an attacker's VM?
    – FooBar
    Commented Sep 8, 2016 at 8:21
