Commentary
12/16/2011
07:47 AM
Serdar Yegulalp

Ice Cream Sandwich's Facial Unlock: Security Theater, Not Security-Conscious

Don't rely on unproven biometrics in a bring-your-own-device world.

Android 4.0 ("Ice Cream Sandwich") sports a new feature which, on the face of it (pun intended), sounds like a handy timesaver. The phone can use a front-facing camera and facial recognition to unlock if it recognizes a given person is holding the phone. It's also ridiculously easy to defeat. Independent tests show it's possible to fool the facial-unlock function by simply holding a picture up in front of the phone.

To be fair, it's not clear that Google ever intended the facial-unlock function to be used as a biometric on the order of a fingerprint or an iris scan. A consumer device is going to get consumer-device-level security, and the quality of such things is always going to lag behind more industrial-strength solutions. All the more reason why, in a BYOD environment, unproven biometrics -- and unproven security measures in general -- should be treated with utmost skepticism.

Many kinds of biometrics have become consumer-level technology, which puts them within the reach of an audience that doesn't understand how security works. My notebook has a fingerprint reader, and refuses to boot unless you give it the proper fingerprint (or a PIN). If I'm naive enough to think that alone protects me—and a lot of people do—I get what I deserve. I'd need to add full-disk encryption to that machine to get anything like real protection.

Biometrics -- whether facial recognition or fingerprints -- is far from being a gimmick, but it's best thought of as one security element among many. Security pro Bruce Schneier talks about biometrics as being hard to forge, but easy to steal -- and your face is one of the easiest things in the world to steal. Who reading this doesn't have a reasonably good picture of them floating around somewhere in public? Likewise, anyone who can sit at the same dinner table or lunch counter as you can lift your fingerprints without much effort.

It's easy to think of biometric security in a vaguely magical way, and I suspect we've been in the habit of doing that for a long time. In one of Isaac Asimov's science-fiction novels, there's a moment where a character opens a capsule containing a communication that's for his eyes only. The capsule's been programmed to respond not only to his own fingerprints, but his specific way of holding and manipulating objects. The book was written decades before fingerprint readers became commonplace, but the core idea is the same: this will only open for him, and no one else.

There are ways to fix the facial-unlock function to make it more useful. Schneier mentions in his piece how fingerprint readers could be programmed to prevent cheating by detecting a pulse or a pore pattern. Facial unlock, likewise, could be reprogrammed to only work if the person winks or smiles—two things a photo definitely can't do.

For those truly concerned about security, biometrics shouldn't be the only key to the door. And biometrics that have no proven track record in the real world shouldn't be anyone's idea of secure—especially not in a BYOD environment.
