Face Unlock feature in Galaxy Nexus seen as novelty, not security

Analysts and Google suggest PIN or password alternate for smartphone

Face Unlock, the facial recognition software offered in Android 4.0 on the Galaxy Nexus, is being promoted by Google as an alternative to using a PIN to unlock a phone.

But early reviewers have noticed that Face Unlock sometimes can be spoofed by a photograph of the owner of the phone, posing a security risk.

A Google official wouldn't comment on various reports about the issue. Google calls Face Unlock "state-of-the-art facial recognition technology [that] lets you switch on your phone and look at it to get past the lock screen -- no passwords to remember, nothing to type or swipe."

Early users and reviewers, including Computerworld blogger JR Raphael, have noted that the Face Unlock feature in Android 4.0, Ice Cream Sandwich, is introduced on the Galaxy Nexus at set-up with a disclaimer. It describes the technology as less secure than other methods such as a password or PIN.

Raphael said he tried several times to spoof the phone with his own photo, but it never unlocked with the photograph, just his actual face.

At set-up, users are also asked to enter a backup security protection, such as a pattern or PIN, to Face Unlock. The backup obviously would come into play if lighting is poor and the facial recognition feature could not work.

Analysts took note that Google never said Face Unlock was a highly secure approach to unlocking a phone, and suggested that users not consider it so.

"I expect Face Unlock is a fairly rudimentary system that only looks at a few facial points to come to the conclusion that's it's you," said Jack Gold, an analyst at J. Gold Associates.

While some facial recognition systems can be highly secure and safe, they require much higher resolution cameras, and high processing power. "Would I want to use Face Unlock for doing monetary transactions? Not a chance," Gold said.

While the Google approach may be rudimentary, it's probably intended to be a convenience or even a "conversation piece," Gold added. As Google has required at set-up, a good second factor authentication is needed.

"Even a good password, with sufficient length and different characters, would be more secure than this low-end option, in my opinion," he said.

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen or subscribe to Matt's RSS feed. His e-mail address is mhamblen@computerworld.com.

Copyright © 2011 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon