Biometrics is the process of using the human body to recognize you, and potentially log you on to your device, whether that is your smart phone, tablet, or desktop computer. Facial recognition is one type of biometics that matches the shape of your facial features to a known sets of datapoints.
The human brain is extremely good at facial recognition; we often see faces even in rocks, clouds, and other natural objects. The eyes of course, are particularly important, and all the face is used to help determine4 what the person is acdtually saying, as something like 90% of language in non-verbal.
But people can be fooled by tricks such as disguises, masks, twins. Think of all those Mission Impossible movies where you have seen Tom Cruise pull off a mask. Thus it’s no surprise that even as computer vision evolves, new attacks will also trick facial recognition systems. Researchers have recenlty shown a particularly disturbing new method of stealing a face that is based on 3D rendering and some light Internet stalking.
Just this year, at Usenix security conference in Austin (https://www.usenix.org/conference/usenixsecurity16), security and computer vision specialists from the U.N.C. presented a system that uses 3D digital facial models based on publicly available photos and displayed with mobile virtual reality technology to overcome facial recognition systems. A visual-reality-style face, rendered in 3D, gives the motion and depth cues that a security system is generally checking for. The researchers used a VR system shown on a smartphone’s screen for its accessibility and portability.
Their attack, which successfully spoofed four of the five systems they tried, is a reminder of the problems connected with authenticating your identity with biometrics. By and large your bodily features remain constant, so if your biometric data is compromised or publicly available, it’s at risk of being recorded and exploited.
Now adays, people plaster their photos on social sites all over the web, creating further vulnerabilities. Hacks could just grab the pictures from Facebook or Instagram and use them to start an recognition attack.
The researchers tested their virtual reality face renders on five authentication commonly used systems, all of which are available from consumer software vendors like the Google Play Store and the iTunes Store. They are typically used for things like protecting data and locking smartphones.
To test the security systems, the researchers had the subjects program each one to detect their real faces. Then they showed 3-D renders of each subject to the systems to see if they would accept them. In addition to making face models from online photos, the researchers also took indoor head shots of each participant, rendered them for virtual reality, and tested these against the five systems. Using the control photos, the researchers were able to trick all five systems in every case they tested. Using the public web photos, the researchers were able to trick four of the systems with success rates from 55 to 85 percent.
Phone manufacturers are even considering adding a dedicating image-processing chip to the phone that specializes in facial recognition. Past attempts were called “Face Unlock” and “Trusted Faces”.
Most find this is still LESS SECURE than a 4 to 6 digit number you type on your phone, or one of those doodle images you draw.
Software uses “landmarks”, key points of each person’s face (such as where the note and eyes meet, the size of the mouth, etc…) The system also needed to extrapolate realistic texture for parts of the face that weren’t visible in the original photo used for the attack.
If a the first face model (built from public photos) didn’t fool the software, the researchers would try using texture data from a different photo. The last step for each face render was correcting the eyes so they appeared to look directly into the camera for authentication.
Believe it or not, the virual face must actually be animated. This is because the software looks for clues to determine that the face is alive, and not a photo. These clues include blinking, smiling, and raising eyebrows—basically authentication system checks intended to confirm that a face is alive.
As hackers advance, so will the software and technology. For example, it might actually look at the infrared spectrum of the human face, something that would be extremely difficult to replicate in a virtual face. Existing systems uses fingerprints and irises have been very secure.
It turns out that no matter what security is used, there will always be hackers. The above gives you an idea of what real researchers do to make sure that our security is protected from at least our family members, but maybe not against criminal intent.