Facial recognition to replace passwords?
Remembering complex passwords could be a thing of the past if facial recognition technology takes off - but is it as secure as a password and does it work?
When Google showed off its latest operating system for smartphones in October last year, "Ice Cream Sandwich", many were excited to see a feature that allowed the ability to unlock a phone using just a user's face. But as soon as the feature was shown off, it didn't take long for people to begin to point out how insecure it was, demonstrating that holding up a picture of an authenticated user to a mobile phone's camera would allow anyone with access to a photo of that user to unlock it with ease
It begs the question: if one of the world's largest technology giant's implementation of facial recognition technology can be tricked so easily, will the idea ever take off as a secure authentication mechanism?
Some young entrepreneurs from Dublin in Ireland seem to think so. Although they are yet to publish any evidence supporting their claim, they say they plan to release about August this year technology that any website can use to enable its users to log in by presenting their face to their computer's web camera.
Co-founder of the Ireland startup named Viv.ie, Niall Paterson, is attempting to create the technology with several other friends which he hopes will "destroy" passwords.
"I was on Facebook logging in with my password which is 21 characters long and I got it wrong and I thought that there had to be a better way," said Niall, 17, in an interview yesterday. "Instead of using passwords the aim . . . will be that passwords will be eliminated and you will be able to log in just using your face.
"A web camera would take a picture of your face, analyse it, and if you've been registered already, log you in."
Security experts, however, remain sceptical over whether it would work in practice and if it would be secure enough.
Paul Ducklin, of security firm Sophos, said the primary problem with Viv.ie was that evidence of how reliable the system was relied entirely on the "unsupported claim of one of the inventors that it is 'impossible to crack'". The second problem was "whether you'd want your Facebook identity tied to your face".
Questioned on security, Niall claimed Viv.ie used the image editing software ImageMagick that could detect whether an image was 2D or 3D. "We feel that a 2D picture of a face will sort of be exposed [by the software]." A number of other security measures were also being implemented, he said, such as detecting whether the images being fed into a computer were that of a web camera or software acting as a fake video stream.
PASSWORDS 'REDUNDANT AND BANKRUPT
Australian security expert James Turner, of Intelligent Business Research Services, said the entire concept of a password, as in a series of characters that you type in via a keyboard, had "become redundant and bankrupt".
"It just doesn't work for the number of sites and resources that your typical person uses personally, and then you include corporate [resources] and it just becomes a nightmare."
The security industry was "desperately" looking for an alternative to passwords, he added, and biometrics - what facial recognition is a part of - had "caused a great deal of appeal".
One organisation he knew that used facial recognition successfully was Customs at places like Sydney's international airport, where Australian holders of electronic passports can use their passport and face to clear Customs to re-enter Australia.
The SmartGate system, according to Australia's Beyond Tomorrow, compares your passport photo with images taken by three cameras, noting such things as your bone structure, length of your nose, and the distance between your eyes.
"The technology to actually make [facial recognition] happen is developing very, very rapidly," Mr Turner said. "What we're now able to do with voice recognition is phenomenal . . . I know they're talking about putting facial recognition on laptops as one of the means for locking them."
A couple of challenges facing biometric technology, however, are what are likely to be the main reasons implementation hasn't been more wide-spread. One of the major hurdles, according to Mr Turner, included what to do when biometric data was compromised.
"I can change my fingerprint ten times and then I'm stuffed. I can change my iris once to the other eye, and then if that's compromised I've got no options [left]. [As for] my face, I don't have any options there."
He believes that if facial recognition was to become adopted by web services like Facebook or Google as an accepted log in method then it would only occur in conjunction with another factor of authentication, such as a smartphone that had a special digital certificate on it that talked with Facebook or Google to say you had authenticated with it rather than you authenticating directly via your computer's web camera. That way if your face's biometric data was ever stolen, the bad guy would also need your phone, Mr Turner said, which could be replaced even if it was stolen and have a new digital certificate installed onto it.
"The simple reality is that biometrics are a convenient form of authentication because you're carrying it with you all of the time, whether it's your voice, your face, your fingerprints or your iris."