12

I get the basics of what face recognition is and the fact that it is used to protect PCs and as a login replacement.

However, if it was to be used for encryption, where the role of the key is played by the password, what is the key used when face recognition is used? Is it hardcoded in the app used to do the face recognition, or are some parameters from the face itself used as the key?

From here.

5
  • Are you aware of any places where facial recognition is used to encrypt data? The only real world uses of facial recognition I can think of are for phones - and there facial recognition is used to 'unlock' rather than 'decrypt' the phone.
    – Andy Smith
    Commented Oct 3, 2012 at 9:31
  • @AndySmith I was under the impression that when a phone is locked, at least some of the data is encrypted as well, otherwise nothing is stopping someone from taking out the memory card, or reading the data from the flash storage directly, bypassing the lock
    – Akash
    Commented Oct 3, 2012 at 9:38
  • I think you might be wrong in that assumption, as with many things, if the attacker has physical access for long enough they can do a lot of damage :). But without encryption it does provide some benefit - it would be difficult for a casual attacker to quickly access private information (texts, emails) or rack up large phone bills (though of course, they could swap the SIM out if they wished!).
    – Andy Smith
    Commented Oct 3, 2012 at 9:43
  • It looks like I might be wrong on that (after @Polynomial's comment on my answer). I suspect that for Android there is no key but it looks like for Windows a fuzzy key may be used.
    – Andy Smith
    Commented Oct 3, 2012 at 11:58
  • Android protected storage requires a key to be provided, but I'm unaware of any restrictions on authentication providers. The key may well be provided statically from the authentication frontend, after the facial recognition provider gives it the go-ahead.
    – Polynomial
    Commented Oct 3, 2012 at 11:59

4 Answers

11

Most biometric authentication methods, including face recognition, need to allow for variations in the biometric. Due to this, the biometric authentication process doesn't have a precise value that could simply be used as an encryption key.

To solve this problem Juels and Sudan invented the concept of a Fuzzy Vault (PDF). With a fuzzy vault:

A player Alice may place a secret value K in a fuzzy vault and "lock" it using a set A of elements from some public universe U. If Bob tries to "unlock" the vault using a set B of similar length, he obtains K only if B is close to A, i.e., only if A and B overlap substantially.

A fuzzy vault scheme for face recognition is presented in this paper by Wang and Plataniotis (PDF). I don't know if currently available face recognition software implements such a fuzzy vault scheme.
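The lock/unlock behaviour quoted above, as an added example that is not part of the original answer or of either cited paper: K is stored as the coefficients of a polynomial, the elements of A become genuine points on it, and random chaff points hide them. Assumptions: the field modulus `P`, the constructed feature sets, and a brute-force subset search confirmed by a SHA-256 check value, used here in place of the Reed-Solomon decoding in Juels and Sudan's construction.

```python
import hashlib, itertools, secrets
P = 65537  # prime modulus of the demo field (assumption); features and K live in GF(P)

def evaluate(coeffs, x):  # Horner evaluation, low-order coefficient first
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def interpolate(points):
    """Lagrange interpolation over GF(P): k points -> k coefficients."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:  # multiply the basis polynomial by (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return coeffs

def digest(coeffs):  # check value that lets unlock() recognise the right polynomial
    return hashlib.sha256(repr(list(coeffs)).encode()).hexdigest()

def lock(K, A, n_chaff):
    """Hide K (polynomial coefficients) among genuine and chaff points."""
    vault = {a: evaluate(K, a) for a in A}
    while len(vault) < len(A) + n_chaff:
        x, y = secrets.randbelow(P), secrets.randbelow(P)
        if x not in vault and y != evaluate(K, x):  # chaff must lie off the polynomial
            vault[x] = y
    return sorted(vault.items()), digest(K)  # sorting hides which points are genuine

def unlock(vault, check, B, k):
    """Try every k-subset of the vault points selected by B; None if none matches."""
    wanted = set(B)
    candidates = [pt for pt in vault if pt[0] in wanted]
    for subset in itertools.combinations(candidates, k):
        coeffs = interpolate(subset)
        if digest(coeffs) == check:
            return coeffs
    return None

# Constructed sample data: quantised feature values, not real biometric output.
K = [4021, 177, 60001, 9]
A = [101, 2045, 3310, 4777, 5120, 6003, 7391, 8800]
B_SIMILAR = [101, 2045, 3310, 4777, 5120, 6003, 111, 222]  # 6 of 8 match A
B_DIFFERENT = [101, 2045, 333, 444, 555, 666, 777, 888]    # 2 of 8 match A
VAULT, CHECK = lock(K, A, n_chaff=40)
```

`unlock(VAULT, CHECK, B_SIMILAR, 4)` returns K because at least four of its elements select genuine points, while `B_DIFFERENT` selects too few and yields `None`.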

6

Apart from @DavidWachtfogel's answer, which gives good information on the difficulty of deterministically turning a face into a sequence of bits, I would like to point out that your face cannot be a "key" in the cryptographic sense, because it is not secret. You literally show it to everybody in the street, and if your face was your key, then your Facebook page just revealed it to the whole world.

Face recognition systems can be defeated by showing a printed photograph of the authorized individual in front of the camera. That attack is defeated in two ways:

  • Attacker's laziness: the attacker is not after you specifically, he just stole your phone without knowing who you are, and he did not bother to take a photo of your face (which is not that hard, since mobile phones are cameras nowadays).

  • An armed guard who controls that what you put in front of the camera is indeed your biological face, not a substitute. This makes sense when the face recognition system is for opening a security door; not for a laptop or smartphone.

Neither applies to the specific confidentiality needs of an encryption key.

1

The password is simply replaced with the output from the recognition software. It's the same with fingerprints; some even go as far as to generate a string from the biometric attribute so that the device will work with any software.

2
  • But isn't the output from the software different depending on the conditions under which the photo is taken? It is the output on which the face recognition algorithm is applied AFAIK.
    – Akash
    Commented Oct 3, 2012 at 9:21
  • @Akash - the output from the recognition software is necessarily an output taken from a small set of parameters derived from the biometric data. E.g. for a fingerprint, it may consist of the coordinates or angles of only a few key points or lines. These parameters are designed to be consistent across a wide range of conditions - to explicitly avoid the problem you mention.
    – Rory Alsop
    Commented Oct 3, 2012 at 11:19
1

Your question mistakenly assumes that facial recognition is used for encryption, when in actual fact it is only being used as a lock, just like a PIN code on an unencrypted Android phone.

So to answer your question: When facial recognition is used there is no key because it isn't used for encryption.

3
  • 3
    -1. The credential manager on Windows requires that authentication providers supply a user key, so that the SAM can be decrypted. As such, facial recognition and fingerprint devices are still required to use some sort of key mechanism, e.g. fuzzy key.
    – Polynomial
    Commented Oct 3, 2012 at 11:43
  • Ah, I did not know that!
    – Andy Smith
    Commented Oct 3, 2012 at 11:57
  • 1
    @Polynomial This answer should be “When facial recognition is used there is no key because it should not be used for encryption” — Thomas's answer explains why.
    Commented Oct 4, 2012 at 9:35
