Home > All, Security News > Facial recognition and digital certificates: true security for mobiles?

Facial recognition and digital certificates: true security for mobiles?

Two separate bits of news that caught my eye are Google’s purchase of PittPatt (a face recognition company as reported by the WSJ), and Entrust’s release of a digital certificate system for smartphones.

Google has acquired a seven-year-old company that develops facial-recognition technology for images and video, though the Web-search giant didn’t say what it plans to do with it.
Google Acquires Facial Recognition Technology Company

What will it do with it? Is it going to add it to Google+ in the same way Facebook introduced face recognition last year? Or will it be built into Android? (Could be both, of course, just like it could equally hive off into a new profit centre offering facial biometrics and recognition to law enforcement and border agencies…).

Bill Conner

Bill Conner, President and CEO, Entrust

Moving on, Entrust yesterday announced and claimed that ‘Entrust IdentityGuard strengthens mobile security with device authentication, network access (VPN), SMIME and application security — all with self-service capabilities’.

You have to look at the detail here. This is a self-service digital certificate for smartphones: “Authorised employees, staff or contractors simply log in to the Entrust IdentityGuard Self Service Module to enroll their mobile device — compatible platforms include the Apple iPhone, Apple iPad, Android, BlackBerry, BlackBerry PlayBook and more — and are issued a digital certificate.”

The problem is that a digital certificate authenticates the identity of the device, not the person using it. I asked Bill Connor, President and CEO of Entrust, to elaborate on the security of the digital certificates themselves.

The Entrust IdentityGuard Self-Service Module offers end users a simple and consistent way to enrol for and install certificates and keys for network access and secure email on their mobile devices.  The certificates and keys are stored within the devices’ native certificate stores and can therefore be leveraged by native device applications such as VPN clients and email clients.  Private keys are thus protected according to the mechanisms employed by the mobile device OS.
Bill Connor

But what if the device is lost, stolen or cloned? Could it be used as an authenticated device by an unauthenticated user?

As the private keys are stored natively by the mobile device, they are protected against device cloning and theft according to the mechanisms employed by the mobile device vendor, including device PIN protection, password protection and hardware-derived keys for the certificate store.  Certificates issued to mobile devices may be easily and immediately revoked by both administrators, through IdentityGuard WebAdmin, and users, via the IdentityGuard Self-Service Module, if/when users become aware of device theft or compromise.
Bill Connor

Notice those two key phrases: ‘according to the mechanisms employed by the mobile device OS’ and ‘according to the mechanisms employed by the mobile device vendor’.

So what we have here is an excellent product from Entrust that will authenticate the device and is perfect for business use; but is reliant on other systems for authenticating the user to the device. But the only way you can really authenticate the user is with biometrics – so we’re back to PittPatt.

It is coincidence rather than conspiracy that I learnt of these two developments on the same day – but what a co-incidence. Put the two together: facial recognition built into the operating system for user authentication and Entrust’s easy-to-use and established certificate system for device authentication and the result would be genuine security for mobile devices.

Two developments to watch, I think!


Categories: All, Security News
  1. Matthew
    July 29, 2011 at 7:06 pm

    Great article. It will be interesting to see what Google does with facial recognition software as Android and Chrome continue to gain market share and as Google apps become more widely accepted.

    You raise the concern of the mobile device being stolen and used to authenticate an outsider into the network. Entrust is adamant about taking a layered approach to security, and IdentityGuard’s 14 different authenticators enable this. If you couple the mobile cert with an extra layer, e.g., a knowledge based measure, the device alone cannot get you into the network. It’s not about one authenticator but the entire security environment and the new mobile certificate’s place in that layered ecosystem.

    If Google does come to market with a mobile facial recognition app, I will definitely be signing up for that Beta. 🙂

    Thanks again for the great article. Have a good day


  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s