Security Review: Face Recognition Software

By alyssa86 at 11:34 am on February 6, 2009

According to an article, Toshiba is producing PCs that come with not only fingerprint readers but also facial recognition software. The software uses a webcam built into the PC to identify the user. It is designed so that only the user can use their own computer, and so that a user who would like to save passwords can feel secure because the saved passwords are unlocked only via fingerprint or facial analysis. While I can see how this might seem extremely convenient and much more secure than when people just autosave their passwords (sometimes the biggest security flaw is our own laziness), it seems to me that this software could present security issues both in the sense of denial of service and of false authentication. The article also seems aware of these flaws, stating, “It is important to note that both fingerprint and face-recognition technologies are not foolproof–there are a number of known, low-tech means of circumventing them.”

Assets and Security Goals

  • The main goal of the facial recognition software is to provide security. You are the only person who should be able to use your machine since it will uniquely recognize your face.
  • The main asset is the ease and practicality provided because a user no longer has to type in their passwords or even really remember them.

Adversaries and Threats

  • Someone who might want access to your personal information or files could potentially use a photograph of you and hold it to the camera, depending on the sensitivity of the software.
  • Another possible adversary could be family members. Again depending on the sensitivity of the software, a family member (such as a sibling or, better yet, a twin) who wanted to use your computer might have similar enough features to beat the camera.

Potential Weaknesses

  • Social networking sites could present a weakness if the software had a low enough sensitivity threshold that an adversary would really only need a photograph.
  • Many of the other weaknesses involve the opposite problem: if the software is too sensitive, a user might be denied service because of a haircut, surgery or injury, or aging (although it is likely that a user wouldn’t have a computer so long that they would look dramatically different from aging, it is still a possibility).

Defenses

  • Having both the fingerprint analysis and the facial recognition software makes the PC somewhat more secure than using just one or the other.
  • The software would have to be fairly sensitive in order to prevent a photograph from being used, but it could also update the image that it recognizes after each successful recognition. In that way it could avoid failing to recognize a user due to age.

It seems likely that the sensitivity could reach a good balance so that it could recognize the difference between a picture and a human being. However, in the cases where two humans look indistinguishably similar to the human eye (such as twins), I doubt a camera will ever be able to tell the difference. Considering the likelihood that a user has a malicious twin, I doubt this is much of a concern.

Since the overall goal of the software appears to be to make the user more secure, and the secondary goal is to make life a little easier, I think the software would be more useful if the facial recognition were used to either allow or disallow you to enter a password. In that way it would actually provide another layer of security as opposed to a potential hole.
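The sensitivity trade-off from Potential Weaknesses and the layering suggestion in the closing paragraph can be put in numbers; this is an added example, not code from the article or from Toshiba's software. It sweeps a match threshold over constructed similarity scores to get the false-accept rate (FAR) and false-reject rate (FRR), then compares a face match that can replace the password with one that is required in addition to it. Assumptions: the scores, the password error rates, the independence of the two factors, and modelling the shipped design as "either factor unlocks" are all illustrative.

```python
# Constructed similarity scores (0..1) from a hypothetical face matcher.
GENUINE = [0.91, 0.88, 0.93, 0.79, 0.85, 0.62, 0.90, 0.87]   # owner; 0.62 = after a haircut
IMPOSTOR = [0.21, 0.35, 0.48, 0.15, 0.30, 0.74, 0.81, 0.40]  # 0.74 = photo, 0.81 = sibling


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at a threshold: the share of impostor attempts
    accepted and the share of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def combine(far_a, frr_a, far_b, frr_b, mode):
    """Combine two factors assumed independent.
    'or'  = either factor unlocks (face may stand in for the password).
    'and' = both are required (face gates the password prompt)."""
    if mode == "or":
        # An impostor needs to beat only one factor; the owner is locked
        # out only when both factors reject.
        return 1 - (1 - far_a) * (1 - far_b), frr_a * frr_b
    if mode == "and":
        # An impostor must beat both; the owner is locked out if either rejects.
        return far_a * far_b, 1 - (1 - frr_a) * (1 - frr_b)
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    print("threshold  FAR    FRR")
    for t in (0.5, 0.7, 0.8, 0.85):
        far, frr = rates(t)
        print(f"{t:<9}  {far:.3f}  {frr:.3f}")

    face_far, face_frr = rates(0.8)
    pw_far, pw_frr = 0.01, 0.02  # assumed password guess and typo rates
    for mode in ("or", "and"):
        far, frr = combine(face_far, face_frr, pw_far, pw_frr, mode)
        print(f"face {mode} password: FAR={far:.5f} FRR={frr:.3f}")
```

Raising the threshold trades impostor acceptances for owner lockouts, and requiring both factors lowers false accepts at the cost of more lockouts, which is the denial-of-service side of the review.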
