A Vietnamese researcher demonstrated at Black Hat DC how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces.

They say 3D, I call the technology "3F" - fake face, fraud

Sounds familiar? Yes, I am saying this again – biometrics is not a security solution, especially face biometrics.
When Tampa Airport (Tampa, Florida) became the first to pilot face recognition technology in 2001, all the biometric scientists and developers burst out laughing. No one believed it could work. And it did not.
In January 2002 the failure was finally announced. I thought that nobody would employ face biometrics after that. However, Lenovo, Asus and Toshiba decided to take the risk again and introduced face recognition software on their laptops. Nice try…

I have to admit that the idea could be brilliant. It is OK to use face recognition if you have a camera on top of your monitor and its distance from your face is almost the same every time you log on. It could be, but it is not. Face recognition technology has so many drawbacks that this “protection” can hardly be used even on home computers, not to mention by government agents, corporate executives and all those who carry any sensitive information on their laptops.
I have to say it again: placing a biometric input device on the system you are trying to secure is a bad idea. If you are a developer or manufacturer you must not:

  • Place a fingerprint sensor on a safe box, door lock, access control terminal, etc.
  • Place a biometric input device on a laptop, whether it is fingerprint, face or even iris recognition
  • Place a biometric input device on a desktop computer
  • Develop and manufacture biometric devices that will be placed on the desk near your computer

If you want your house to be safe you must not leave the keys near the door. Even if they say that the key is your finger, the truth is that the key in biometrics is a code, some string that is released when you are recognized. The weak link here is the word ‘recognized’. The more attempts that can be made, the higher the chance that one of them succeeds. By placing an input device on a secured facility, or by leaving it nearby, you offer intruders an unlimited number of attempts. They will open your door sooner or later.
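
The effect of unlimited attempts, as an added example that is not part of the original post: assuming independent tries and a constructed false-accept rate of 1 in 1,000 per try, it computes how the chance of a wrong acceptance grows with the number of tries. The `AttemptLimiter` class is a hypothetical lockout counter, not a feature of any product named here, showing how a cap on tries bounds that chance.

```python
import math

FAR = 0.001  # constructed per-attempt false-accept rate (1 in 1,000), an assumption

def cumulative_false_accept(far, attempts):
    """Chance that at least one of `attempts` independent impostor tries is accepted."""
    return 1.0 - (1.0 - far) ** attempts

def max_attempts_for_risk(far, risk_budget):
    """Largest number of tries that keeps the cumulative chance <= risk_budget."""
    return math.floor(math.log(1.0 - risk_budget) / math.log(1.0 - far))

class AttemptLimiter:
    """Hypothetical lockout counter placed in front of the matcher."""
    def __init__(self, limit):
        self.limit, self.failures, self.locked = limit, 0, False

    def submit(self, matched):
        if self.locked:
            return "locked"      # sample is never compared once locked
        if matched:
            self.failures = 0
            return "accepted"
        self.failures += 1
        self.locked = self.failures >= self.limit
        return "rejected"

def matcher_evaluations(limit, tries):
    """How many of `tries` consecutive failed attempts the matcher still evaluates."""
    limiter = AttemptLimiter(limit)
    return sum(limiter.submit(False) != "locked" for _ in range(tries))

if __name__ == "__main__":
    for n in (1, 5, 100, 1000, 5000):
        print(f"{n:>5} tries -> {cumulative_false_accept(FAR, n):.4f}")
    print("tries allowed for a 1% budget:", max_attempts_for_risk(FAR, 0.01))
    print("evaluated out of 1000 with limit 5:", matcher_evaluations(5, 1000))
```
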
But is there a solution that is safer? The answer is simple – separate the system and the biometric input and secure the communication between them.
Do you want an example? No problem!

  • MXI Stealth – fingerprint recognition on the USB device + SSO + remote access + more…
  • Privaris – fingerprint recognition + active RFID + passive RFID + more nonsense. Expensive like hell…

All these devices are portable. They are personal, meaning that you carry your key with you, but you are not afraid to lose it, because it needs a trigger – your finger.
Of course there are more devices like this. And only you can decide if you need them. But my personal advice is – even though your laptop is equipped with some biometric “protection” – disable it. Use an external biometric device. Use portable solutions… OK, that’s too much for one day… Next time I will tell you more about portability…


This entry was posted on Thursday, February 19th, 2009 at 2:38 pm and is filed under Biometrics, Security, Security Threats, identity theft.

2 Comments so far


  1. Darin on February 26, 2009 12:22 am

    Just like all security solutions - or even all software packages - it’s not the
    technology concept itself that counts (as the Black Hat research would seem to
    imply), but the specific implementation of that technology that really matters.
    While no security solution is or ever will be perfect, it’s also true that not all
    packages have the same weaknesses.

    I say this from experience. I’ve actually worked at a facial recognition firm
    (Sensible Vision) for several years. We’ve successfully protected PCs in security
    critical organizations such as hospitals and banks - even a maximum security
    prison - for years now. Our consumer platform on Dell systems (not examined in
    this study - interesting, yes?) is highly photo resistant, provides other security
    benefits such as locking the desktop when the user is NOT there, and - critically
    - has a very easy straightforward second factor feature that all but resolves the
    photo issue entirely.

    Instead of denying that any vulnerabilities exist, the way to a secure system is to
    minimize weaknesses as much as possible, publicize those that remain and then to
    provide tools to address them.

    Given enough time and access, any and all security systems are subject to being bypassed. I believe a key point that this article misses is “convenience”. For a CONSUMER system, convenience is itself a form of security. Sure, complex systems with separate parts or complex passwords are very secure….they’re also expensive, hard to use and tend to get shut off quickly. The goal with a consumer laptop is to make initial access reasonably difficult for the unauthorized user while still being as CONVENIENT as possible for the authorized person. Facial recognition allows them to have a highly complex password that’s very secure and yet remains easy to use. A system that automatically locks the desktop like FastAccess also addresses the far more mundane - YET FAR MORE LIKELY - scenario of a wide open desktop. “Hacking” a system that’s open because someone forgot to lock it is far easier than any kind of brute force approach because it requires no time, effort or expertise at all!

  2. patholog on February 28, 2009 11:15 am

    Dear Darin,

    Thank you for your comment. It deserves another post and not just an answer here. I promise to give a complete answer in one of my future posts.
