Researchers in Vietnam were able to hack the supposedly next big thing in data security: facial biometrics. When companies announced working models, they claimed the technology was super-secure and more convenient than fingerprint scanners. And while it wouldn't replace hard disk encryption like AlertBoot when it comes to data security, it meant not having to choose, and remember, a complicated password, since your face is your password.
(Only a problem for identical twins. Oh, the fun soap opera writers could have with this...)
Well, that dream is crushed. According to the researchers, facial biometric technology--used by companies like Lenovo, Asus, and Toshiba--can be hacked in some very simple ways.
That is a direct quote. In fact, the researchers called for the three companies mentioned above to stop using this technology as a means of giving access to computers.
But I just don't see it happening. Life has told me that people will pay well for convenience, and what could be more convenient than a computer recognizing who you are and giving you access?
The ultimate problem with biometrics is that the "password" is quite public. Unlike a password, which cannot be obtained until the day someone can read your mind, a face is quite "public": anyone can see it. Fingerprints, although not quite as obviously, are public as well, unless you insist on wearing gloves all the time.
This means that, from the ground up, biometrics have a palpable, built-in vulnerability.
The entire idea is sort of ridiculous: security researchers will tell you that you have to keep the password secret, not flash it to everyone you come in contact with. Hard to do that with your face.
I don't think it's right to say that biometric scanners shouldn't be used, though. It seems to me that biometrics could be combined with typed passwords to create a more effective solution. For example, what's the greatest weakness when it comes to computer encryption? The sharing of passwords to access that computer.
However, if you have to show your face while typing in the password... well, you just easily increased your security requirements for accessing that computer. For example, say that people freely share passwords in the workplace... well, facial biometrics would put an end to that. What's the use of sharing a password if the guy has to be there to begin with?
(And, I just don't see a file cabinet being filled with headshots of coworkers, just so people can access systems while someone went to grab lunch. Or setting up a lab environment in the office so you can brute-force the thing.)
Any security researcher will tell you that you want to "layer" your security. That is, use multiple forms of security. A laptop computer using encryption software is great; an encrypted laptop that's in a locked office is even better. If you want more security, chain it to a table and block the USB ports.
You can't do this forever, though. At some stage, you'll reach a point of diminishing returns. But at that point, chances are someone really wants the data. And, usually, there is no way to stop such people. (Your password or your life?)
Related Articles:
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml;jsessionid=1TT4XOGIHD2DCQSNDLRSKHSCJUNN2JVN?articleID=213901113
http://www.dailytech.com/Hackers+Make+Short+Work+of+SuperSecure+Facial+Biometrics/article14316.htm
http://www.vnunet.com/vnunet/news/2236775/researchers-hack-facial
http://threatswatch.org/rapidrecon/2009/02/black-hat-hacker-hacks-facial/
http://www.thirdfactor.com/2009/02/16/researchers-hack-facial-biometrics