December 2, 2008 10:47 AM PST

Vietnamese security firm: Your face is easy to fake

by Dong Ngo

This is me being enrolled by the Y430's Lenovo Veriface III authentication software to be a legitimate user of the computer.

(Credit: Dong Ngo/CBS Interactive)

Updated at 1:14 p.m. PST Friday, December 5 with comment from Lenovo.

Editor's note: CNET editor and Crave contributor Dong Ngo is spending the month of December in his homeland of Vietnam and plans to file occasional dispatches chronicling his impressions of how technology has permeated the culture there. Click here for more of Dong's stories from abroad.

HANOI, Vietnam--Regardless of what some people seem to think, we Asians do not all look the same. But according to the current face recognition algorithm used in laptops, our faces are all about as flat as a piece of paper.

That's according to BKIS, the Vietnamese Internetwork Security Center that makes the antivirus software I mentioned in a blog post Monday. At a press conference here Tuesday, the company demonstrated vulnerabilities in laptops' face recognition-based authentication mechanisms that let anyone log in to a computer easily with a "special" photo of the legit owner, even at the highest authentication level.

Using your face as the password to log in to a computer--an alternative to the fingerprint method or the traditional username and password--marks a new trend found in laptops from Lenovo, Asus, and Toshiba. As far as I know, only these three vendors currently offer this technology in their laptops. These computers come with a built-in Webcam that's used to capture and analyze faces.

I've been impressed by this new way to log in and have found it to be so much more convenient than the fingerprint reader of my Dell XPS 1330. The finger scanner is a pain when my finger is wet or dirty. Unfortunately, on Tuesday I discovered that this new and exciting technology may not be such an effective security measure.

I participated in a demonstration on a Lenovo Y430, running Windows Vista, and here's how it panned out:

As a legit user, I am doing a video Skype chat with another BKIS technician.

(Credit: Dong Ngo/CBS Interactive)

First, I enrolled myself as a legit user of the computer. The process was fairly fast and straightforward. The laptop's Lenovo Veriface III authentication software scanned my face for some prime spots, including my eyes, presumably to make sure it can recognize my face regardless of which angle I look at the Webcam from.

Once the enrollment was done, I was able to log in quickly with my face. The machine took less than a second to recognize me. Very nice.

After that, I engaged in a Skype video chat with a BKIS technician. At the other end of the chat session, the technician silently captured my face. This took just a few seconds. My involvement in the demonstration was now done.

About five minutes later, the technician produced a rather unflattering picture of me on a piece of letter-size paper. I could hardly agree that it was my mug on the photo. Nonetheless, when used in front of the laptop's camera, the Y430's authentication software was happy enough with the photo and logged in within a second. Pretty scary.

In addition to the Lenovo Y430, BKIS also showed that the same thing can be done with two demo laptops from Asus and Toshiba. It charged that all laptops from these vendors currently equipped with the technology are similarly vulnerable.

BKIS says it informed all three related vendors about the findings and invited them to the demonstration. However, none showed up. I tried to contact Toshiba and Asus representatives in Vietnam, but so far have been unable to reach them. On Wednesday, a Lenovo representative from Singapore offered this comment:

"Face recognition technology is offered as an alternative security option for consumers who would like the convenience of not having to remember yet another password. Our advice to concerned consumers is to take basic safety measures to limit their vulnerabilities--store your notebook securely...Like all technologies, early adoption reveals initial issues that are improved over time, and Veriface, which is only used in our consumer range of notebooks, continues to be upgraded."

On the other end of the chat, an image of my face is being captured.

(Credit: Quang Minh/BKIS)

Getting back to the pictures, it's important to note that not just any photo of a legit user's face will do. Duc Minh Nguyen, manager of BKIS' application security department, said the photo doesn't have to be high quality. It does, however, need to be processed in a very particular way, mostly to enhance certain key points of the face and adjust the contrast level to match the "expectation" of the face recognition algorithm.

For security reasons, the actual key points and the particular enhancement were not announced to the public. However, my take is that the use of these photos is probably possible because the authentication software looks at the face as a 2D object, instead of a 3D one. This makes each face much less unique than it actually is.

This is not the first time BKIS has discovered security holes. Recently, the center alerted Microsoft to the vulnerability in Windows Media Encoder 9 and turned up the latest vulnerability in Chrome.

Quang Tu Nguyen, BKIS' director, said these face recognition vulnerabilities are very hard to fix without making the log-in process significantly less easy to use, which defeats the purpose of the technology. For now, he advised owners of these laptops to use the traditional username and password authentication method--or just not to trust the computer with sensitive information.

Whether face recognition authentication is actually useless, we'll have to wait to see. In the meantime, I guess I'll just have to continue to keep my finger clean and dry at all times.

A special photo of my face is being used to log in, and it worked as well as my real face.

(Credit: Dong Ngo/CBS Interactive)

Dong Ngo is a CNET editor who covers networking and network storage, and writes about anything else he finds interesting. You can also listen to his podcast at insidecnetlabs.cnet.com. E-mail Dong.
by JoeKoskovics December 2, 2008 11:51 AM PST
This is not a surprise.
As science fiction and television drama writers had forecast technology's growth, they also forecast ways to fool technology too. Be it "Mission: Impossible", "Star Trek", or even "The Jetsons", technology can sometimes be fooled by the simplest tool.

In this case, "A picture is worth a thousand (pass)words".
by brief December 2, 2008 4:12 PM PST
Agreed, we're always seeing spy movies and TV shows where supposedly high-tech, sophisticated authentication technology is being thwarted by secret agents. Not all of the technology they show is truly viable.

I remember an old comedy skit, where the entrance was protected by voice recognition. When the user had a sore throat, he was denied access.


But perhaps facial recognition AND voice recognition used together might offer slightly better security? Of course, the pass phrase would have to be something the user comes up with, and not from a list of generic pass phrases, which someone else could try to record from you via a Skype call...
by 7aji88 December 4, 2008 9:05 AM PST
What about those red motion detection lasers? Ever thought that a cheap IR sensor that every business with a security system installed has can do much better.
by basraw December 2, 2008 12:32 PM PST
I guess you would be screwed if you got disfigured in an accident..

Or had the laptop as a child - set it up, and didn't log in for 20 years after that??

Best to have that photo around!!!! lol
by dude7895 December 2, 2008 12:38 PM PST
This same thing was on Burn Notice, made me laugh.
by wallcrawler78 December 2, 2008 2:56 PM PST
Face recognition in Ubuntu mixed with Clutter-facebrowser would be awesome. It is a new GDM using the clutter project code. I could see your PC automatically shortening the amount of faces displayed in order to automatically trim down options.

Project page is here: https://wiki.ubuntu.com/DesktopTeam/Specs/GdmFaceBrowser
Youtube Video is here: http://www.youtube.com/watch?v=cQN1VSlVApo

face recognition in facebrowser would be really slick.
by Hernys December 2, 2008 4:20 PM PST
This is so obvious that it doesn't even need to be tested to know it doesn't work. In order for something to work as an authentication mechanism it needs to be secret or non-reproducible. A static face is neither.
Anyone selling this as a security technology is a scammer. Don't buy laptops from whoever tries to sell this technology. They are being driven by marketing without input from Engineering. You don't want their machines.
by Clarious December 2, 2008 4:54 PM PST
I think they can solve this by capturing at least 2 pictures of your face at different angles, but that is a little bit complicated for a "toy" security solution, why not just stay with fingerprint?
by DrollTroll December 2, 2008 8:25 PM PST
because you can cut off fingers...
by rapier1 December 7, 2008 9:58 AM PST
If they have physical access to cut off their fingers why not just decapitate the person and use their head or just force them to authenticate.
by vinhkhanhle December 2, 2008 5:09 PM PST
This is not new, engineers who work with this project already knew the weakness of facial recognition but sensor technology currently does not allow them to go beyond and fix this problem. So, this is just an advertisement for BKAV, not news to me.
by rbkirk December 2, 2008 8:51 PM PST
These facial recognition systems are on CONSUMER level machines from Lenovo, not the corporate level notebook systems. For example, no Lenovo Thinkpads have facial recognition...that is only on the Ideapads. There is a reason they are a different brand, with different levels of construction, price, and target market.

It is a flawed article which did not point this difference within manufacturer brands out...or get a comment from the companies mentioned in the article.
by Tomofumi December 3, 2008 1:05 AM PST
how about the twins? is it possible to login from any of them?
seems retina scanning is more secure than face recognition.
by a__l__a__n December 3, 2008 7:02 AM PST
This concept is fundamentally flawed. Your face is not a secret.
by Ayeroxor December 3, 2008 11:24 AM PST
Real, robust facial recognition requires the user to smile or blink to prove it's not a photo. This software is clearly just a toy and should not be depended upon for any security.
by jscott418 December 3, 2008 1:05 PM PST
It makes sense because the technology is not that involved. It's not like a retina scanner. It's more of a selling tool than anything. The best security is a password which then should be changed frequently.
Other security measures are too expensive at this point. The rest as we see here are just smoke and mirrors.
by jack2423 December 3, 2008 9:04 PM PST
Hey, like the article.
Here's something I've thought of trying but been too lazy to... on MythBusters they took a scan of a finger and used it on a fingerprint pad to get through, same principle (much harder to get someone's fingerprint though, I hope). Try it on your comp in your free time. If I remember I'll try it tomorrow.
by myles taylor December 6, 2008 11:12 AM PST
Yes but if you remember correctly, it took them many attempts to do it. It certainly wasn't easy.
by MSSlayer December 7, 2008 10:15 AM PST
Facial recognition is very difficult to get right, even proper use of neural networks and fuzzy logic doesn't guarantee accuracy. Differences in lighting, makeup and angles can foil the best FR program.

The bottom line is that anything that can be digitized can be spoofed. Biometrics gives the illusion of security not security itself.

Even if it was actually a true security measure, what happens if someone's face gets damaged?
by dodgeboy99 January 1, 2009 5:12 PM PST
We're not talking about top level security here. We are talking about a convenient way to log in a family member to a family computer. If you need security there are options out there, just spend the time and money to find them.
My Lenovo laptop has performed great with facial recognition except for the fact that it will not log me into websites, only the OS.
by Angmarr March 11, 2009 9:05 AM PDT
I was wondering how this works because I tried using a simple picture and it didn't work. Too bad they don't have a way to use 3D face recognition.
by quanglh_vn April 24, 2009 3:12 AM PDT
It may not be as simple as it seems. They said that the picture must go through some "simple" digital image processing things in order to fool the recognizer.

In order to find that "simple" thing, it's obvious that they had to research much about the recognition technologies used by the producer.
by Mac OS XP March 11, 2009 11:15 AM PDT
It looks like a creepy version of Photo Booth.

So why don't they just have a thumbprint reader?