Ice Cream Sandwich's Facial Unlock: Security Theater, Not Security-Conscious - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Devices
Commentary
12/16/2011
07:47 AM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Ice Cream Sandwich's Facial Unlock: Security Theater, Not Security-Conscious

Don't rely on unproven biometrics in a bring-your-own-device world.

Android 4.0 ("Ice Cream Sandwich") sports a new feature which, on the face of it (pun intended), sounds like a handy timesaver. The phone can use a front-facing camera and facial recognition to unlock if it recognizes a given person is holding the phone. It's also ridiculously easy to defeat. Independent tests show it's possible to fool the facial-unlock function by simply holding a picture up in front of the phone.

To be fair, it's not clear that Google ever intended the facial-unlock function to be used as a biometric on the order of a fingerprint or an iris scan. A consumer device is going to get consumer-device-level security, and the quality of such things is always going to lag behind more industrial-strength solutions. All the more reason why, in a BYOD environment, unproven biometrics -- and unproven security measures in general—should be treated with utmost skepticism.

Many kinds of biometrics have become consumer-level technology, which puts them within the reach of an audience that doesn't understand how security works. My notebook has a fingerprint reader, and refuses to boot unless you give it the proper fingerprint (or a PIN). If I'm naive enough to think that alone protects me—and a lot of people do—I get what I deserve. I'd need to add full-disk encryption to that machine to get anything like real protection.

Biometrics -- whether facial recognition or fingerprints—is far from being a gimmick, but it's best thought of as one security element among many. Security pro Bruce Schneier talks about biometrics as being hard to forge, but easy to steal -- and your face is one of the easiest things in the world to steal. Who reading this doesn't have a reasonably good picture of them floating around somewhere in public? Likewise, anyone who can sit at the same dinner table or lunch counter as you can lift your fingerprints without much effort.

It's easy to think of biometric security in a vaguely magical way, and I suspect we've been in the habit of doing that for a long time. In one of Isaac Asimov's science-fiction novels, there's a moment where a character opens a capsule containing a communication that's for his eyes only. The capsule's been programmed to respond not only to his own fingerprints, but his specific way of holding and manipulating objects. The book was written decades before fingerprint readers became commonplace, but the core idea is the same: this will only open for him, and no one else.

There's ways to fix the facial unlock function to make it more useful. Schneier mentions in his piece how fingerprint readers could be programmed to prevent cheating by detecting a pulse or a pore pattern. Facial unlock, likewise, could be reprogrammed to only work if the person winks or smiles—two things a photo definitely can't do.

For those truly concerned about security, biometrics shouldn't be the only key to the door. And biometrics that have no proven track record in the real world shouldn't be anyone's idea of secure—especially not in a BYOD environment.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
The Best Way to Get Started with Data Analytics
John Edwards, Technology Journalist & Author,  7/8/2020
Slideshows
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
News
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Slideshows
Flash Poll