Ice Cream Sandwich's Facial Unlock: Security Theater, Not Security-Conscious - InformationWeek
07:47 AM
Serdar Yegulalp

Don't rely on unproven biometrics in a bring-your-own-device world.

Android 4.0 ("Ice Cream Sandwich") sports a new feature which, on the face of it (pun intended), sounds like a handy timesaver. The phone can use a front-facing camera and facial recognition to unlock if it recognizes a given person is holding the phone. It's also ridiculously easy to defeat. Independent tests show it's possible to fool the facial-unlock function by simply holding a picture up in front of the phone.

To be fair, it's not clear that Google ever intended the facial-unlock function to be used as a biometric on the order of a fingerprint or an iris scan. A consumer device is going to get consumer-device-level security, and the quality of such things is always going to lag behind more industrial-strength solutions. All the more reason why, in a BYOD environment, unproven biometrics -- and unproven security measures in general -- should be treated with utmost skepticism.

Many kinds of biometrics have become consumer-level technology, which puts them within the reach of an audience that doesn't understand how security works. My notebook has a fingerprint reader, and refuses to boot unless you give it the proper fingerprint (or a PIN). If I'm naive enough to think that alone protects me—and a lot of people do—I get what I deserve. I'd need to add full-disk encryption to that machine to get anything like real protection.

Biometrics -- whether facial recognition or fingerprints -- is far from being a gimmick, but it's best thought of as one security element among many. Security pro Bruce Schneier talks about biometrics as being hard to forge, but easy to steal -- and your face is one of the easiest things in the world to steal. Who reading this doesn't have a reasonably good picture of themselves floating around somewhere in public? Likewise, anyone who can sit at the same dinner table or lunch counter as you can lift your fingerprints without much effort.

It's easy to think of biometric security in a vaguely magical way, and I suspect we've been in the habit of doing that for a long time. In one of Isaac Asimov's science-fiction novels, there's a moment where a character opens a capsule containing a communication that's for his eyes only. The capsule's been programmed to respond not only to his own fingerprints, but his specific way of holding and manipulating objects. The book was written decades before fingerprint readers became commonplace, but the core idea is the same: this will only open for him, and no one else.

There are ways to fix the facial-unlock function to make it more useful. Schneier mentions in his piece how fingerprint readers could be programmed to prevent cheating by detecting a pulse or a pore pattern. Facial unlock, likewise, could be reprogrammed to only work if the person winks or smiles—two things a photo definitely can't do.

For those truly concerned about security, biometrics shouldn't be the only key to the door. And biometrics that have no proven track record in the real world shouldn't be anyone's idea of secure—especially not in a BYOD environment.
