Facial recognition and digital certificates: true security for mobiles?
Two separate bits of news caught my eye: Google’s purchase of PittPatt (a face recognition company, as reported by the WSJ), and Entrust’s release of a self-service digital certificate system for smartphones.
Google has acquired a seven-year-old company that develops facial-recognition technology for images and video, though the Web-search giant didn’t say what it plans to do with it.
Google Acquires Facial Recognition Technology Company
What will it do with it? Is it going to add it to Google+ in the same way Facebook introduced face recognition last year? Or will it be built into Android? (Could be both, of course, just like it could equally hive off into a new profit centre offering facial biometrics and recognition to law enforcement and border agencies…).
Moving on: Entrust yesterday announced that ‘Entrust IdentityGuard strengthens mobile security with device authentication, network access (VPN), SMIME and application security — all with self-service capabilities’.
You have to look at the detail here. This is a self-service digital certificate for smartphones: “Authorised employees, staff or contractors simply log in to the Entrust IdentityGuard Self Service Module to enroll their mobile device — compatible platforms include the Apple iPhone, Apple iPad, Android, BlackBerry, BlackBerry PlayBook and more — and are issued a digital certificate.”
The problem is that a digital certificate proves possession of a private key. It therefore authenticates the device (strictly, whoever can use the device’s key store), not the person holding it. I asked Bill Connor, President and CEO of Entrust, to elaborate on the security of the digital certificates themselves.
The Entrust IdentityGuard Self-Service Module offers end users a simple and consistent way to enrol for and install certificates and keys for network access and secure email on their mobile devices. The certificates and keys are stored within the devices’ native certificate stores and can therefore be leveraged by native device applications such as VPN clients and email clients. Private keys are thus protected according to the mechanisms employed by the mobile device OS.
But what if the device is lost, stolen or cloned? Could it be used as an authenticated device by an unauthenticated user?
As the private keys are stored natively by the mobile device, they are protected against device cloning and theft according to the mechanisms employed by the mobile device vendor, including device PIN protection, password protection and hardware-derived keys for the certificate store. Certificates issued to mobile devices may be easily and immediately revoked by both administrators, through IdentityGuard WebAdmin, and users, via the IdentityGuard Self-Service Module, if/when users become aware of device theft or compromise.
Notice those two key phrases: ‘according to the mechanisms employed by the mobile device OS’ and ‘according to the mechanisms employed by the mobile device vendor’. In other words, the private key is exactly as well protected as the device lock in front of it: a phone with no PIN, or a PIN the thief has watched being typed, hands the certificate to whoever is holding the handset, and it stays valid until someone notices and revokes it.
So what we have here is an excellent product from Entrust that will authenticate the device and is well suited to business use; but it is reliant on other systems for authenticating the user to the device. And the only way you can really authenticate the user, rather than whoever knows the PIN, is with biometrics; so we’re back to PittPatt.
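To make the device-versus-user distinction concrete, here is an added example in Go (my own illustration, not Entrust’s code or anything from IdentityGuard). A toy CA enrolls a phone and issues it a client-authentication certificate; a gateway then authenticates the phone by challenge-response. The owner and a thief holding the same key store produce identical results, and only revocation changes the gateway’s answer. The CA name, the device identifier ‘alice-phone-01’, the serial number and the in-memory revocation list are all assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Gateway stands in for the VPN or mail server that accepts device certificates.
type Gateway struct {
	roots   *x509.CertPool
	revoked map[string]bool // serial numbers from the CA's revocation list (assumed in-memory)
}

// newCert signs tmpl with signer and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed issuing CA (the role the certificate service plays).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"}, // assumed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// enrollDevice is the self-service step: the phone generates a key pair and the CA
// issues a client-auth certificate that names the device, not the person.
func enrollDevice(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := newCert(tmpl, caCert, &key.PublicKey, caKey)
	return cert, key, err
}

// signChallenge is all the device's key store does: sign the gateway's nonce.
// It has no way of knowing who unlocked the phone.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate returns the identity the gateway is entitled to conclude: a device name.
func (g *Gateway) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if g.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}

// DemoResult records what the gateway sees at each step of the lost-phone scenario.
type DemoResult struct {
	Owner, Thief string // identity reported for the owner and for a thief holding the same key
	AfterRevoke  error  // what the thief gets once the certificate is revoked
}

// Demo runs the scenario end to end: enroll, owner connects, thief connects, revoke.
func Demo() (DemoResult, error) {
	var r DemoResult
	caCert, caKey, err := newCA()
	if err != nil {
		return r, err
	}
	cert, devKey, err := enrollDevice(caCert, caKey, "alice-phone-01", 1001) // assumed device ID
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	gw := &Gateway{roots: roots, revoked: map[string]bool{}}
	connect := func(holderKey *ecdsa.PrivateKey) (string, error) {
		nonce := make([]byte, 32) // fresh per attempt, so a replayed signature is useless
		if _, err := rand.Read(nonce); err != nil {
			return "", err
		}
		sig, err := signChallenge(holderKey, nonce)
		if err != nil {
			return "", err
		}
		return gw.Authenticate(cert, nonce, sig)
	}
	if r.Owner, err = connect(devKey); err != nil { // 1. the owner connects
		return r, err
	}
	thiefKey := devKey // 2. phone stolen while unlocked, or key store cloned: same key, same answer
	if r.Thief, err = connect(thiefKey); err != nil {
		return r, err
	}
	gw.revoked[cert.SerialNumber.String()] = true // 3. theft reported, admin revokes the serial
	_, r.AfterRevoke = connect(thiefKey)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner seen as %q, thief seen as %q, after revocation: %v\n", r.Owner, r.Thief, r.AfterRevoke)
}
```

The gateway’s only output is a device name; nothing in the exchange carries who pressed the button. The two practitioner checks this suggests are whether the platform actually requires a lock screen before the key can be used, and how quickly a revoked serial reaches every gateway that trusts the CA, since between theft and revocation the thief is indistinguishable from the owner.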
It is coincidence rather than conspiracy that I learnt of these two developments on the same day – but what a coincidence. Put the two together, facial recognition built into the operating system for user authentication and Entrust’s easy-to-use, established certificate system for device authentication, and the result would be genuine security for mobile devices.
Two developments to watch, I think!