Facial Recognition is Bad for Security
Privacy | 15 Sep 2017 | 5 mins read

Facial Recognition? We'll Stick to a Passcode, Thanks

Facial recognition for device security has stepped into the spotlight with the launch of the iPhone X. Despite the convenience factor, there are significant security question marks about using the technology in this way.

Ben Dickson, Tech Blogger

After the mixed success of fingerprint scanners, facial recognition seems to be the new fad for unlocking mobile devices. Every major smartphone manufacturer wants to jump on the bandwagon. Samsung added it to its S8 line of devices as the first option to protect your phone. Apple made an even bolder move with its new flagship iPhone X device, ditching Touch ID, its fingerprint scanning technology, for Face ID, its facial recognition authenticator.

To be fair, facial recognition has some notable advantages when it comes to ease of use. Instead of typing in a passcode or pressing your greasy fingers against a scanner, all you need to do is show your face to your phone and it’ll magically unlock itself (if you have the right face, of course).

But more convenient does not necessarily mean more secure. In fact, in most cases, it’s quite the opposite. There are many ways that face authentication can go wrong, and in some cases, you’ll have even less control over the situation than you do with a password or your fingerprints.

For starters, spoofing is a concern that applies to all forms of biometric authentication, and facial recognition is no exception. Fingerprint scanners, including Apple’s own Touch ID, have been circumvented before with fake replicas. In the case of facial recognition, the data is even easier to obtain. With every smartphone carrying an HD camera, capturing a detailed picture of your face is a no-brainer, if it’s not already available on your Facebook profile.

More affordable devices will be more vulnerable than the sophisticated iPhone X with its $999 price tag

Manufacturers are taking specific measures to make it harder to circumvent facial authentication. Iris and pupillary scans, blink and liveness detection, 3D facial mapping and infrared depth maps of the face are some of the techniques that improve the accuracy of face detection and help protect the authentication mechanism against spoofing methods.

However, those technologies are only available on high-end devices, which puts them out of reach for most users. And apparently, not all of those devices are working perfectly. In fact, someone was able to bypass the face lock of the Samsung Galaxy S8 by using a photo. The company later updated the phone’s software to make it more secure and resilient to spoofing. Unsurprisingly, if you opt to use Samsung’s facial recognition option, it’ll warn you that the technology is not as secure as fingerprints or passcodes, and it is not allowed as an option for Samsung Pay approval or Secure Folder access.

There are other flaws that can make such technologies fail. Hats, scarves or other objects you wear can throw off a facial detector, and infrared scanners can be eclipsed when used in bright light, making their use limited in sunny outdoor settings.

All that said, like your fingerprints, you can’t change your face, and once its security is breached, there’s little you can do about it. As one cybersecurity expert put it, “It’s like setting your password to ‘password’ then tattooing it on your forehead.”

Technicalities aside, there are other ways face recognition can be broken. While a password is something that is embedded deep in your head, your biometric traits exist on the surface of your body, making them available to law enforcement, criminals and anyone else who can get you to look at your phone to unlock it. Where government agencies are concerned, you’re at the mercy of the law. In 2014, the U.S. Supreme Court ruled that cops must present a warrant before searching phones. But that same law has a flaw that allows border authorities to compel you to unlock your phone at will, something that is much easier to do when your password is, well, printed on your face. As for authoritarian regimes, I’m not sure how much they’re willing to honor your rights when they need to get into your phone.

Facial recognition won’t give you the legal protection of a passcode, which is covered by the 5th Amendment.

And there are always the privacy concerns that are associated with companies that collect your data. By some accounts, Apple’s Face ID works in an always-listening mode. This means you just have to show your face to the device to unlock it. No button press required. This makes it a little bit simpler to unlock your phone, but it also means that your phone is always recording what it sees through its camera. What it does with that footage is an open question, but we’ve already seen Amazon Echo’s always-listening mode cause trouble for its users. And in this case, it’s not a gadget that rests on the counter in your home—it’s a very personal device that you carry everywhere with you.

There’s also the question of where all this data will be stored and who will have access to it. To be sure, if you’ve been on social media networks in the past few years, your face is not private. However, as these technologies evolve, they will generate additional data that can’t be obtained from your Facebook profile. The storage and access mechanisms for this data have to be very clear, because parties with intentions that are not commendable will be after it. These could be for-profit organizations that thrive on data-driven business models or scammers who wish to drain your bank account.

But it can very well be government agencies. We’re living in an era where advances in facial recognition technology have become a major source of privacy concerns. Governments are using the technology for surveillance purposes in ways that were inconceivable before. Every new bit of data that you generate can make you more vulnerable, especially if it’s stored on the back-end server of a tech corporation.

All this said, this is not meant to dissuade you from using face recognition. The technology is great, and hopefully, it will someday become a reliable mechanism for true authentication. But until the kinks are ironed out, it should be used as a second-factor authentication mechanism, not as the main method to protect your most sensitive information.

I’m not a big fan of passwords, but I know that iPhone’s PIN codes have a proven track record of being very secure. So for the moment, I’ll be sticking to good old passwords. I suggest you do so as well.