{"id":708,"date":"2009-02-06T11:34:01","date_gmt":"2009-02-06T19:34:01","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=708"},"modified":"2009-02-06T11:34:01","modified_gmt":"2009-02-06T19:34:01","slug":"security-review-face-recognition-software","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/06\/security-review-face-recognition-software\/","title":{"rendered":"Security Review: Face Recognition Software"},"content":{"rendered":"<p>According to an <a href=\"http:\/\/hothardware.com\/Articles\/Toshiba_Satellite_A305S845_Notebook\/Default.aspx?page=2\">article<\/a>, Toshiba is producing PCs that come with not only fingerprint readers but facial recognition software. The software uses a webcam built into the PC in order to identify the user. The software is designed so that only the user can use their own computer, and so that if the user would like to save passwords, those passwords can only be unlocked via the fingerprint reader or facial analysis. While I can see how this might seem extremely convenient and much more secure than when people simply autosave their passwords (sometimes the biggest security flaw is our own laziness), it seems to me that this software could present security issues both in the sense of denial of service (a legitimate user locked out) and of false authentication (someone else let in). The article also seems aware of these flaws, stating, &#8220;It is important to note that both fingerprint and face-recognition technologies are not foolproof&#8211;there are a number of known, low-tech means of circumventing them.&#8221;<\/p>\n<p><strong><span style=\"color: #333399;\">Assets and Security Goals<\/span><\/strong><\/p>\n<ul>\n<li>The main goal of the facial recognition software is to provide security. 
You are the only person who should be able to use your machine, since it will uniquely recognize your face.<\/li>\n<li>The main asset is the ease and practicality provided, because a user no longer has to type in their passwords or even really remember them.<\/li>\n<\/ul>\n<p><strong><span style=\"color: #333399;\">Adversaries and Threats<\/span><\/strong><\/p>\n<ul>\n<li>Someone who wants access to your personal information or files could potentially hold a photograph of you up to the camera, depending on the sensitivity of the software.<\/li>\n<li>Another possible adversary could be family members; again depending on the sensitivity of the software, if a family member (such as a sibling or, especially, a twin) wanted to use your computer they might have similar enough features to beat the camera.<\/li>\n<\/ul>\n<p><strong><span style=\"color: #333399;\">Potential Weaknesses<\/span><\/strong><\/p>\n<ul>\n<li>Social networking sites could present a weakness if the software had a low enough sensitivity threshold that an adversary would really only need a photograph.<\/li>\n<li>Many of the other weaknesses involve the opposite problem: if the software is too sensitive, a user might be denied service because of a haircut, surgery or injury, or aging (although it is unlikely that a user would keep a computer so long that they would look dramatically different from aging, it is still a possibility).<\/li>\n<\/ul>\n<p><strong><span style=\"color: #333399;\">Defenses<\/span><\/strong><\/p>\n<ul>\n<li>Having both the fingerprint analysis and the facial recognition software makes the PC somewhat more secure than using just one or the other.<\/li>\n<li>The software would have to be fairly sensitive in order to prevent a photograph from being used, but it could also update the stored reference image after each successful recognition; in that way it could avoid failing to recognize a user as they age.<\/li>\n<\/ul>\n<p>It seems 
likely that the sensitivity could reach a good balance, so that it could recognize the difference between a picture and a human being; however, in the cases where two humans look indistinguishably similar to the human eye (such as a twin), I doubt a camera will ever be able to tell the difference. Considering the likelihood that a user has a malicious twin, I doubt this is much of a concern.<\/p>\n<p>Since the overall goal of the software appears to be to make the user more secure, and the secondary goal is to make life a little easier, I think the software would be more useful if the facial recognition were used to allow or deny the user the chance to enter a password. In that way it would actually provide another layer of security, as opposed to a potential hole.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to an article, Toshiba is producing PCs that come with not only fingerprint readers but facial recognition software. The software uses a webcam built into the PC in order to identify the user. This software is designed so only the user &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/06\/security-review-face-recognition-software\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":106,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-708","post","type-post","status-publish","format-standard","hentry","category-miscellaneous"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=708"}],"version-history":[{"count":1,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/708\/revisions"}],"predecessor-version":[{"id":712,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/708\/revisions\/712"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}