The advent of higher-quality cameras has led Google to include facial recognition security in Ice Cream Sandwich (Android 4.0). The questions that experts are batting around are whether the technology works and if it is good enough to be relied upon in "bring your own device (BYOD)" scenarios.
The answers are "sometimes" and "that's the wrong question."
The experts are concerned that the technology Google included in Ice Cream Sandwich is so rudimentary that it can be fooled by a photograph of the owner. The best exploration of the issue is by Tim Schiesser, who posted a video at Neowin in which he used a variety of photographs of himself to try to gain entry to his Galaxy Nexus. Some of these were from outside the device. Others were stored on the phone. Schiesser said that storage could be accessed without gaining entry to device, so a thief conceivably could use them. He held all the photos to the camera and asked for entry.
Schiesser was mostly denied access. At the end of the video, however, one of the images that had been stored on the camera indeed did grant him access-much to his surprise, since he said he had tested beforehand and wasn't successful. It is unclear if the problem was related to the nature of the photo itself -- which appeared to be of lower quality than some of the others -- or because it had been stored in the phone.
The obvious bottom line-the answer to the first question -- is that the technology is unpredictable and inconsistent. It clearly is not good enough to be used as the sole security step for mobile devices used in business.
The key word, however, is "sole." There are a few things to be said in favor of the use of facial recognition for business devices. The first is that, at least according to the Schiesser video, it is more reliable than some people-such as Sebastian Anthony at Extreme Tech-give it credit for.
In the bigger picture, it's useful to think of The Club. The device, which clamps onto opposite sides of an automobile's steering wheel to prevent its turning, isn't enough to prevent a theft. It is enough, however, to require at least a moderate level of expertise (and, in this example, tools) to get it off. There simply are so many totally unprotected targets-cars in one case, mobile devices in the other-that it doesn't take too much to make the thief move on to lower-hanging fruit. The Club and facial recognition are deterrents, not foolproof safeguards.
The danger is that the technology will be seen as all the device owner needs to do to be safe. That isn't the case. Serdar Yegulalp at Byte has it about right in his view that biometrics is best seen as one tool in the security tool chest:
There's ways to fix the facial unlock function to make it more useful. Schneier mentions in his piece how fingerprint readers could be programmed to prevent cheating by detecting a pulse or a pore pattern. Facial unlock, likewise, could be reprogrammed to only work if the person winks or smiles - two things a photo definitely can't do.
Yegulalp is referring to a post he links to by well-known security consultant Bruce Schneier. The bottom line -- and the answer to the second question -- is that facial recognition is a valuable tool that may become far more useful as it evolves, but one that shouldn't be considered a singular answer, either now or in the future.