Face Recognition Security, Even With A 'Blink Test,' Is Easy To Trick

As Alibaba and others increase reliance on it, is it safe?

FBI Biometric Center of Excellence

Jack Ma, CEO of the Chinese retail giant Alibaba--that country's answer to Amazon--announced at the CeBit conference in Germany this week that the site would soon let you purchase goods and authorize payment using facial recognition.

Which made me wonder: how hard would it be to trick?

Now, I've got one major advantage over someone looking to hack into my account: I have unlimited access to my own face. But I'm also a reasonably public figure: you don't have to spend too much time on Google to find plenty of high-quality images and video. And, in this age of social media, it's not too hard to find a picture of most people. So my first question was: could I simply use a picture of myself? Facial recognition systems that appeared a few years ago in some versions of Android as well as on some PCs could often be circumvented just using a high-quality picture of the person put in front of the camera.

Since then, most of these systems have gotten a little savvier: most now require you to blink during the recognition process, to verify that you're a real live person and not a photo.

I walked down to my neighborhood drugstore and printed out a $4 8-by-10 glossy photograph of my face, then took a razor and cut out the eyes. (Thank goodness I work at home, lest I be mistaken for a rather clichéd and self-centered serial killer.) I then peered through the holes and tried to fool my phone into recognizing this creepy Frankenstein's monster. No luck. (Frankly, I would have been kind of offended if it had worked: it looked pretty creepy.) It's true that the scale wasn't quite right, so I couldn't get my eyes to line up perfectly. It's possible a better photo might succeed.

Facial recognition
One particularly creepy (and unsuccessful) attempt to bypass my bank's facial recognition.

Before plan C, which would involve a Mission: Impossible style latex mask to beat the system, I shot a quick video of myself--blinking included. I held my phone up to the screen, and sure enough, the bank app let me right in. So much for high security.

Perhaps using facial recognition for security or buying things on the Internet isn't the best plan. After all, your face is the one part of you that's most easy to find. There are plenty of better options, including two-factor authentication, voice recognition, and fingerprint scanners, that are just as easy to implement but don't rely on something that's quite so public. A nice, strong password is harder to crack, and it has the benefit of being changeable if it does get compromised--unlike your face.