If You Think Facial Recognition Is Invincible, Think Again

Facial Recognition is not Invincible

Isn't technological progress a brilliant thing? Some years ago, we were watching James Bond movies, marveling at the clever gadgetry, and hoping that we would get to use it one day. And now, a few short decades later, we can. We can, for example, now get access to tons of data stored on our phones just by looking at them. The front-facing camera "looks back" at us, it "recognizes" us, and it lets us in. No annoying PIN codes or passwords to get in the way of living our James Bond dreams.

Unfortunately, things aren't as simple as that. There's a good reason for locking your phone in the first place: it's full of priceless information that you don't want to see falling into the wrong hands. Hence, before you start playing Agent 007, you have to ask a very important question.

Is facial recognition secure enough to keep my data safe, or is it just a gimmick?

It depends on who you ask. When Apple revealed Face ID with the iPhone X, users and even experts started doubting the reasons for the introduction of the technology. For many, it seemed like Apple was just trying to please its fans and shareholders by appearing one step ahead of the competition who were, for the most part, still integrating fingerprint readers into their devices.

Cupertino's people were quick to dismiss these allegations, saying that Face ID is a lot more than a marketing trick. They claimed that the probability of beating Face ID is 1 in 1,000,000 compared to 1 in 50,000 for Touch ID (Apple's fingerprint reading technology). In other words, Apple boldly claimed that by introducing Face ID, they are actually making users more secure.

People liked Apple's Face ID functionality, and Android manufacturers had no other choice but to try and introduce facial recognition in their devices as well. Unlike Apple, however, they left the fingerprint reader as an option, and they also refrained from claiming that unlocking an Android device with your face is the most secure option. There's a very good reason for this.

Facial recognition on Android devices can be beaten

Last month, Forbes contributor Thomas Brewster wrote about an experiment he conducted. He bought a collection of smartphones (an iPhone X, an LG G7 ThinQ, a Samsung Note 8, a Samsung S9, and a OnePlus 6), he set up facial recognition on all of them with his own face, and he then phoned a UK 3D printing company. 96 DSLR cameras produced an accurate 3D model of Mr. Brewster's face which was converted into a 3D printed head made out of gypsum.

He tried unlocking all the phones with it, and although he had to play around with the lighting and the settings on some of them, all Android devices eventually let him in.

More recently, the Dutch Consumer Association, with the help of its international partners, carried out a simpler experiment. This time, a total of 110 smartphones were tested (9 of the most recent iPhones as well as a range of Android devices). Instead of going through the trouble of 3D printing a head, however, they used a high-quality portrait photograph. The results (link in Dutch) are interesting. A total of 42 phones from manufacturers like Alcatel, Asus, BlackBerry, HTC, Huawei, Lenovo, LG, Motorola, Nokia, Samsung, Sony, and Xiaomi were fooled pretty easily. Six devices, including the LG G7 ThinQ from Thomas Brewster's test, did mistake the photo for a real human, but the Dutch experts said that they had a "stricter" setting which performed better. In both experiments, the iPhones remained securely locked.

The upshot is pretty clear: if you have an Android device, you should probably know that the facial recognition you've been offered might not be as secure as you might think.

How worried should you be?

Thomas Brewster noted that the scanning and 3D printing of his head cost him £300 (about $380), which doesn't seem like a whole lot. Then again, he voluntarily had his face scanned in a specially prepared room where he stood still until the technology did its job. Obtaining an accurate 3D model of someone else's face without them knowing would probably be quite a bit more expensive.

The fact that photos are enough to fool the facial recognition of some smartphones is a lot more disconcerting. Even in such a scenario, however, we are talking about a highly motivated attacker.

If you think that there might be a highly motivated attacker targeting you, you're better off ditching the biometric authentication option altogether. Even if you use your fingerprints to unlock your phone (which, in the case of Android, appears to be a much safer option), a sophisticated enough criminal can replicate them without too much hassle. For high-value targets, sticking to the old password is the best option.

For most regular users, however, the threat isn't nearly as high. Even the simpler attacks require resources that could easily render them economically unviable if the payout isn't that great. You might not be very likely to be at the top of the attacker's hit list, but you have every right to know the risks. Thankfully, the manufacturers are kind enough to reveal them to you.

Android manufacturers know that their facial recognition technology is far from perfect

Both Thomas Brewster and the Dutch Consumer Association pointed out that most of the Android phones they tested displayed warnings, saying that the facial recognition system isn't necessarily the most secure authentication option. The text, later reiterated by spokespeople, said that for better security, users should rely on either fingerprint authentication or passwords, PIN codes, or patterns. In their own words, the system is nowhere near as good as it should be.

In light of all this, there is one question that keeps popping up: If the technology isn't that great, why is it offered at all?

January 4, 2019
