Ice Cream Sandwich's Facial Unlock: Security Theater, Not Security-Conscious - InformationWeek
12/16/2011
07:47 AM
Serdar Yegulalp

Ice Cream Sandwich's Facial Unlock: Security Theater, Not Security-Conscious

Don't rely on unproven biometrics in a bring-your-own-device world.

Android 4.0 ("Ice Cream Sandwich") sports a new feature which, on the face of it (pun intended), sounds like a handy timesaver. The phone can use a front-facing camera and facial recognition to unlock if it recognizes a given person is holding the phone. It's also ridiculously easy to defeat. Independent tests show it's possible to fool the facial-unlock function by simply holding a picture up in front of the phone.

To be fair, it's not clear that Google ever intended the facial-unlock function to be used as a biometric on the order of a fingerprint or an iris scan. A consumer device is going to get consumer-device-level security, and the quality of such things is always going to lag behind more industrial-strength solutions. All the more reason why, in a BYOD environment, unproven biometrics -- and unproven security measures in general -- should be treated with utmost skepticism.

Many kinds of biometrics have become consumer-level technology, which puts them within the reach of an audience that doesn't understand how security works. My notebook has a fingerprint reader, and refuses to boot unless you give it the proper fingerprint (or a PIN). If I'm naive enough to think that alone protects me—and a lot of people do—I get what I deserve. I'd need to add full-disk encryption to that machine to get anything like real protection.

Biometrics -- whether facial recognition or fingerprints -- is far from being a gimmick, but it's best thought of as one security element among many. Security pro Bruce Schneier talks about biometrics as being hard to forge, but easy to steal -- and your face is one of the easiest things in the world to steal. Who reading this doesn't have a reasonably good picture of them floating around somewhere in public? Likewise, anyone who can sit at the same dinner table or lunch counter as you can lift your fingerprints without much effort.

It's easy to think of biometric security in a vaguely magical way, and I suspect we've been in the habit of doing that for a long time. In one of Isaac Asimov's science-fiction novels, there's a moment where a character opens a capsule containing a communication that's for his eyes only. The capsule's been programmed to respond not only to his own fingerprints, but his specific way of holding and manipulating objects. The book was written decades before fingerprint readers became commonplace, but the core idea is the same: this will only open for him, and no one else.

There are ways to fix the facial unlock function to make it more useful. Schneier mentions in his piece how fingerprint readers could be programmed to prevent cheating by detecting a pulse or a pore pattern. Facial unlock, likewise, could be reprogrammed to only work if the person winks or smiles -- two things a photo definitely can't do.

For those truly concerned about security, biometrics shouldn't be the only key to the door. And biometrics that have no proven track record in the real world shouldn't be anyone's idea of secure—especially not in a BYOD environment.
