Monday 23 March 2009, 11:45 AM
Face login experiments
There is a face login system on the Toshiba Tecra R10 I’ve just reviewed. The review will appear shortly. In the meantime, here’s my take on face login. Anyone who has thought of trying this but has not yet done so might find it interesting.
I wanted to find out three things – how easy the system was to use, how well it coped with my glasses and whether I could trick it.
A little more detail on that middle point. I am a glasses wearer and have a variety of pairs of specs, some with thick rims, some with thin. I very rarely wear contact lenses. I wanted to find out if the system worked regardless of glasses wearing. I decided to register my face as a wearer of thick-framed glasses and test it with thinner frames and no glasses at all.
The first time I tried to register my face it failed. I was sitting with a window behind me, bright sunlight streaming through it and onto the notebook’s screen. Consequently the contrast between me and the background was not that good. I assume this is why the software gave up.
For the second attempt I chose a position that had less backlight flooding into the camera lens. Success.
The registration process involves gentle nodding and shaking of the head at the computer. You follow the visual cues of a cartoon-like head underneath which your own face is visible, lining its eyes, nose and mouth up with your own as you copy its vertical and horizontal movements. The process takes less than a minute. There is the option of having a practice session before the real thing so you can get an idea of what is expected in the nodding and shaking department.
After successful registration and having restarted the computer a new option appears on the login screen called ‘start face recognition’. Confusingly this was in addition to a separate login for the user I’d created specially to test the system. This bypasses face recognition, requiring just the usual password.
Choosing ‘start face recognition’ pops up a new screen that instructs ‘please turn you face to the camera’ while showing a single image of what the camera sees centre screen and a whole row of images of what it has seen recently running along the bottom of the screen.
If the software likes your face you are logged in very quickly and with no need to type a password.
It all worked splendidly when I wore the glasses in which I’d done the initial registration so I tried it with and without various other pairs of glasses. It succeeded every time. I tried covering my mouth with my hand. It failed. Covering my eyes. It failed. Using a photograph of myself. It failed. Quite possibly, by logical extension, if I’d had a pair of dark glasses on, it would have failed.
I also tried logging in with the light streaming in from that window which had caused the failed recognition earlier on. It failed. It also failed outdoors in bright sunshine. So in situations like those it is back to the good old typed password.
I’d have been surprised if I had been able to fool the system with a photograph. But I was disappointed that it can’t cope when the sun is out.
Comments on this post
Excellent, fascinating information, thanks for posting.
I have been working in security and access control systems for 20+ years, and during that time I've watched biometric identification systems slowly improve to the point that some of them are usable. The last I knew, face recognition had not reached that point yet, but from your information, it sounds like it is getting close.
Have you tried with low-light, to see if it has the same problems as with strong back-light? I suspect that it will. Also, I wonder if background "noise" (random movement behind your head) will cause a problem?
With fingerprint recognition systems, it is always best to register more than one finger; other than politicians, not many people will be able to do this with face recognition.
Thanks again.
jw
The fact that you couldn't fool the system with a photograph of yourself clinches the deal for me. That would be the first point of deception for many a scoundrel out there. It made me wonder if the recognition system has built-in criteria that require the slight movement of muscles to be found on a person's static facial expression. If this is the case then a point of weakness may be a running video of a person's face.
Excellent blog Sandra - thanks for a great read!
I've recently started using my built-in camera for video conferencing via Gmail, it works amazingly well - and took about one minute to install from Gmail itself.
I wonder if anyone has considered whether it would be possible to hack a camera via Gmail and take pictures of whatever is going on. This could open up a whole new security loophole if we can see into offices and other places that we shouldn't be able to.
AdrianB
Adrian, that's just plain creepy. Unfortunately, it is also becoming a valid concern. I know for a fact that some of the current video chat programs can be set up to auto-answer incoming calls, and activate the camera. They are not configured to do that by default, yet, but it is not a huge leap to imagine one that is so configured in the future, or even to consider a hack/worm/virus/whatever that knows about the most common of those programs, looks for them and changes the configuration.
Logitech webcams used to have a physical "privacy shield" that you could close over the lens, but newer models don't have that any more. Maybe such protection will make a comeback in the future.
jw
There's a big difference between "couldn't login using a photo" and "failed to login using a photo". One implies that the testing methods were rigorous and extensive and the other implies that it was attempted once and didn't work.
The biggest problem I see with biometrics as the only part of an authentication system is that your credentials are on show to everyone, all the time. If someone can take a video of your face and play that back through the built-in camera then they can login as you. I have seen facial scanners fooled easily by photos so one system's failure to login using a photo once is not conclusive evidence.
Fingerprints fail for the same reason. It is almost as easy to find something your target has touched in order to lift his fingerprint from it as it is to take a photograph of them.
Compared to a password which you can keep secret in your head and only reveal when you are actually authenticating yourself (or, even better, a secret key which you never reveal, even when authenticating yourself), biometrics leave a lot to be desired. This is completely independent of the hardware involved in measuring the biometrics. No matter how good it gets, you will still be displaying your credentials every time you walk outside.
Biometrics will always be able to be faked because they are inherently susceptible to replay attacks. The analogue signal (the actual person) is converted into a digital signal before being compared to the previously recorded digital signal. You can either inject a fake digital signal after the conversion has happened or, because there is always some approximation in an analogue to digital conversion, you just need to approximate the analogue version closely enough to create an acceptable digital signal.
I'm not saying biometrics are a waste of time. I can see them being marginally useful as an extra part in an existing authentication scheme, but not as the only part.
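The replay argument in the last comment, as an added example that is not part of the original post or its comments: a toy template matcher accepts a recorded sample a second time, while an HMAC challenge-response check on a secret key rejects a recorded response. The four-value template, the tolerance and all names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a toy four-value "face template" and match tolerance.
ENROLLED_TEMPLATE = [0.42, 0.77, 0.13, 0.58]
TOLERANCE = 0.05


def biometric_match(sample, template=ENROLLED_TEMPLATE, tol=TOLERANCE):
    """Accept any digitised sample within tol of the template on every feature."""
    return len(sample) == len(template) and all(
        abs(s - t) <= tol for s, t in zip(sample, template)
    )


class ChallengeResponseVerifier:
    """Verifier for a secret key that is never sent during authentication."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)  # fresh nonce per attempt
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # each challenge is single use
        return hmac.compare_digest(expected, response)


def respond(key, challenge):
    """Client side: prove knowledge of the key without revealing it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def replay_outcomes():
    """Return (biometric replay accepted, first keyed login, keyed replay accepted)."""
    recorded_sample = [0.43, 0.76, 0.14, 0.57]  # constructed: an observed capture
    bio_replay = biometric_match(recorded_sample)
    key = secrets.token_bytes(32)
    verifier = ChallengeResponseVerifier(key)
    recorded_response = respond(key, verifier.new_challenge())
    first_login = verifier.verify(recorded_response)
    verifier.new_challenge()  # the next attempt gets a different nonce
    return bio_replay, first_login, verifier.verify(recorded_response)
```

The matcher has no way to distinguish a live capture from a recording that digitises to nearly the same values, which is why the comment treats biometrics as one factor among several rather than the only one.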


