Face Unlock feature in Galaxy Nexus poses security risk

Analysts suggest a PIN or password is a more secure alternative than Google's facial recognition software for unlocking smartphones

Face Unlock, the facial recognition software offered in Android 4.0 on the Galaxy Nexus, is being promoted by Google as an alternative to using a PIN to unlock a phone.

But early reviewers have noticed that Face Unlock sometimes can be spoofed by a photograph of the owner of the phone, posing a security risk.

[ Learn about consumerization of IT in person March 4-6, 2012, at IDG's CITE conference in San Francisco. | Get expert advice about planning and implementing your BYOD strategy with InfoWorld's 29-page "Mobile and BYOD Deep Dive" PDF special report. | Keep up on key mobile developments and insights with the Mobilize newsletter. ]

A Google official wouldn't comment on various reports about the issue. Google calls Face Unlock " state-of-the-art facial recognition technology [that] lets you switch on your phone and look at it to get past the lock screen -- no passwords to remember, nothing to type or swipe."

Early users and reviewers, including Computerworld blogger JR Raphael, have noted that the Face Unlock feature in Android 4.0, Ice Cream Sandwich, is introduced on the Galaxy Nexus at set-up with a disclaimer. It describes the technology as less secure than other methods such as a password or PIN.

Raphael said he tried several times to spoof the phone with his own photo, but it never unlocked with the photograph, just his actual face.

At set-up, users are also asked to enter a backup security protection, such as a pattern or PIN, to Face Unlock. The backup obviously would come into play if lighting is poor and the facial recognition feature could not work.

Analysts took note that Google never said Face Unlock was a highly secure approach to unlocking a phone, and suggested that users not consider it so.

"I expect Face Unlock is a fairly rudimentary system that only looks at a few facial points to come to the conclusion that's it's you," said Jack Gold, an analyst at J. Gold Associates.

While some facial recognition systems can be highly secure and safe, they require much higher resolution cameras, and high processing power. "Would I want to use Face Unlock for doing monetary transactions? Not a chance," Gold said.

While the Google approach may be rudimentary, it's probably intended to be a convenience or even a "conversation piece," Gold added. As Google has required at set-up, a good second factor authentication is needed.

"Even a good password, with sufficient length and different characters, would be more secure than this low-end option, in my opinion," he said.

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen or subscribe to Matt's RSS feed. His email address is mhamblen@computerworld.com.

Read more about mobile apps and services in Computerworld's Mobile Apps and Services Topic Center.

This story, "Face Unlock feature in Galaxy Nexus poses security risk" was originally published by Computerworld .

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies