Is face recognition a good security feature?

No, not really. At least not as a primary form of authentication. Biometrics in general are not good for authentication, because:

  • You leave them all over the place, and there is no way to avoid that.
  • They cannot be changed in case of a breach.
  • You need to add a high error tolerance so as not to cause usability problems. These tolerances lead to false positives, even without attacks, and make attacks possible.

In practice, when implementing the algorithms, they usually have to balance between [false acceptance rate] and [false rejection rate]. This makes the efficiency of face recognition the lowest of all regarding the table. Its security is also lower than other biometric recognition system, especially compared to fingerprint scan.

— Your face is NOT your password, Face Authentication ByPassing Lenovo – Asus – Toshiba (2009)

I couldn't find a live demonstration for that paper, but here is one from a 31C3 talk about biometrics, which uses a simple picture, and can bypass required blinking. Here is an article from a person using a video to bypass a blinking requirement.

Here is a more recent paper using more modern approaches:

In this paper, we introduce a novel approach to bypass modern face authentication systems. More specifically, by leveraging a handful of pictures of the target user taken from social media, we show how to create realistic, textured, 3D facial models that undermine the security of widely used face authentication solutions.

[...]

In our opinion, it is highly unlikely that robust facial authentication systems will be able to operate using solely web/mobile camera input. Given the widespread nature of high-resolution personal online photos, today’s adversaries have a goldmine of information at their disposal for synthetically creating fake face data. Moreover, even if a system is able to robustly detect a certain type of attack - be it using a paper printout, a 3D-printed mask, or our proposed method - generalizing to all possible attacks will increase the possibility of false rejections and therefore limit the overall usability of the system.

— Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos (2016)
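
The trade-off between false acceptance rate and false rejection rate that this answer describes, as an added example that is not part of the original answer or the cited papers. The similarity scores and thresholds are constructed for illustration and do not come from any real face-recognition system.

```python
"""FAR/FRR trade-off for a similarity-threshold matcher (constructed data)."""

# Constructed similarity scores in [0, 1]; higher means "more alike".
# GENUINE: the enrolled user under varying light, pose and makeup.
# IMPOSTOR: other people, including a few close look-alikes.
GENUINE = [0.91, 0.88, 0.84, 0.80, 0.77, 0.73, 0.69, 0.64, 0.58, 0.52]
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.36, 0.42, 0.49, 0.55, 0.61, 0.71]
THRESHOLDS = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """List of (threshold, FAR, FRR) rows, one per candidate threshold."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_point(thresholds):
    """Row where |FAR - FRR| is smallest (approximate equal error rate)."""
    return min(sweep(thresholds), key=lambda r: (abs(r[1] - r[2]), r[0]))


def strictest_usable(thresholds, max_frr):
    """Highest threshold whose FRR stays within the usability budget."""
    ok = [r for r in sweep(thresholds) if r[2] <= max_frr]
    return max(ok, key=lambda r: r[0]) if ok else None


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t, far, frr in sweep(THRESHOLDS):
        print(f"{t:9.2f} {far:5.0%} {frr:5.0%}")
    print("equal error point:", equal_error_point(THRESHOLDS))
    # A product that tolerates at most 1 in 10 genuine rejections:
    print("strictest usable :", strictest_usable(THRESHOLDS, max_frr=0.1))
```

On this constructed data, driving false accepts to zero rejects half of the genuine attempts, while keeping genuine rejections at or below 10% leaves a 30% false acceptance rate.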


It's useful as a "username"

We have a name for an authentication feature that cannot be easily changed and is occasionally shown to third parties - it's your account ID, user name, etc.

While you'd still want to use something else (e.g. a password) as the primary authentication feature, replacing the user ID with face recognition can make it more convenient (no need to enter anything) and more secure than the commonly used IDs such as user names or email addresses.


You tagged this with authentication, so I will answer from that perspective. (But as Aria points out in comments, it also has applications in surveillance.)

For face recognition to be a cool feature on Facebook it just needs to work most of the time. For it to be useful for authentication it needs to have a fail rate close to zero. Almost no false positives (even if it is a person that looks a lot like you, or someone is holding up a photograph or a 3D model of your face), and almost no false negatives (even if you lost a lot of weight or applied some makeup). That is asking for a lot.

And like with all biometric authentication, you have the problem with embedding the key in your body. If you thought the bad guys cutting off your finger to get past the fingerprint scanner was bad, imagine what they would have to do to get your face...

Plus you can't change the shape of your face (short of plastic surgery) as easily as you can change a password or a physical key if it is compromised.

So this has all the problems of fingerprint readers, only much worse. It is a bad idea.