WHITEPAPER | February 7, 2022

Facial Recognition Security Research

IOActive, Inc. (IOActive) has conducted extensive research and testing of facial recognition systems on commercial mobile devices. Our testing lab includes testing setups for 2D- and 3D-based algorithms, including technologies using stereo IR cameras.

For each of the different technologies, we first try to understand the underlying algorithms and then come up with creative and innovative setups to bypass them. Once an unlock is achieved, we calculate the Spoof Acceptance Rate (SAR), as described in the Measuring Biometric Unlock Security” section of the Android Compatibility Definition Document.1 This metric allows us to compare different solutions and evaluate the strength of each solution.

This document describes IOActive’s results for commercially available mobile phones implementing face authentication mechanisms to unlock the device. All them relied on the “selfie-camera,” a single lens producing 2D RGB images. IOActive used 2D and 3D masks when attempting to bypass the security features.

Our comparison was based on a set of objectives bundled into five categories: Below the OS, Platform Update, Trusted Execution, Advanced Threat Protection, and Crypto Extension. Based on IOActive research, we conclude that AMD offers no corresponding technologies those categories while Intel offers features; Intel and AMD have equivalent capabilities in the Trusted Execution category.