We're always hearing about how the traditional password is deeply flawed – particularly when people regularly pick the most idiotic passwords possible – but biometric alternatives have their problems too, and facial recognition is the latest security mechanism to come under fire.
Over at the recent Usenix security conference in Austin, Texas, security researchers from the University of North Carolina showed off a system which defeated facial recognition software the vast majority of the time.
The researchers combed the web for images of the volunteer victims whose security they were trying to unlock – grabbing them from the likes of social media sites – and used these multiple pictures to build a 3D facial model of the person in question, tinkering with bits and pieces such as the subject's expression and gaze correction (i.e. getting the model to 'look' at the camera).
This 3D model was then pitted against five facial recognition systems – KeyLemon, Mobius, TrueKey, BioID and 1D – and managed to fool four of them, with success rates ranging from 55% up to 85%. The researchers also took proper indoor head shots of the subjects, and these were able to fool all five systems in every instance.
As Wired, which highlighted this experiment, reports, the latter has been done before, but building a model from multiple images combed from the web hasn't previously been tested – and this is a worrying development, as generally speaking, there are photos of everyone to be had online.
Indeed, when it came to the subjects for this experiment, the UNC team found between three and 27 photos of each volunteer – and many of the volunteers were computer science researchers of one form or another themselves, so they're pretty tech savvy and privacy conscious.
It didn't matter that some of the images found were pretty poor or low resolution, as the researchers were able to work around this and do things such as extrapolating realistic textures for parts of the face not visible in any particular photo.
As the researchers note, facial recognition systems really need to incorporate extra measures beyond just a simple camera – for example, infrared tech to be able to detect that it's a real person in front of the camera and not just a model of some kind.
True Price, one of the authors of the UNC study, told Wired: "Some vendors – most notably Microsoft with its Windows Hello software – already have commercial solutions that leverage alternative hardware. However, there is always a cost-benefit to adding hardware, and hardware vendors will need to decide whether there is enough demand from and benefit for consumers to add specialised components like IR cameras or structured light projectors."