Wednesday, November 16, 2011

Android 4.0 Face Unlock bypass

Google recently launched its latest Android version (4.0). One of its new features is Face Unlock. It is in the news because of videos demonstrating that the feature can be fooled by simply showing it a digital image of the user.


A key lesson for any developer or vendor is to test the product against the basic test cases before launching. Think about the bypass vectors for your feature, frame test cases for these vectors, and then run them to see the result. If a test case fails, fix the code.

A simple test case for a feature like Face Unlock is to "show it a printed photograph" or "show it a digital image". I am sure Google must have done their part well. Let's wait to hear an official announcement on this.

Tuesday, November 15, 2011

About IPT & 2FA

I read an article today which says-


MasterCard today became the latest company to employ Intel's Identity Protection Technology (IPT) -- which basically converts a laptop or client device into a second factor of authentication -- for online commerce.


Full details here: http://www.darkreading.com/authentication/167901072/security/client-security/231903013/baking-strong-authentication-into-client-devices.html


My thoughts-


The hardcoded Intel chip plays the role of a software token, thus providing the token for Two-Factor Authentication (2FA). The entire security rests on the fact that it is very, very difficult to break into the hardcoded chip. This sounds promising for now.