KeyLemon, bypassing face-authentication

Information

KeyLemon is a well-known application from Switzerland that lets you log in to your session without a login or password. It has more than 3 million downloads and is also involved in a European Commission project funded with more than 4 million euros.

“KeyLemon’s latest face recognition algorithms take full benefit of 3D depth sense cameras by efficiently combining depth, near-infrared and color information.”

Analysis

I installed the latest version, 2.75 for Mac OS X, and tried to bypass KeyLemon using just a selfie 🙂

I noticed how easy it was to skip the session lock, even using group photos, so I contacted the company to inform them about it. In their reply, they told me that the paid licence does not allow that attack, due to the anti-spoofing implementation since version 2.5 in Windows.

I decided to pay the $39 and check whether it was true or not… To my surprise, I discovered that what they call anti-spoofing was merely a blink detector…

It is not very difficult to imagine that a video recording or a GIF would be enough to bypass it again.

In addition, the Windows version also allows voice recognition … as if we could record it, right? 🙂

Nowadays, applications such as this should not be used as an alternative to passwords. As I mentioned in my emails to the developers, I believe that KeyLemon is misguided in trying to replace a password, when it could be used to strengthen it, using both systems simultaneously, as 2FA.
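To make the difference between the two policies concrete, here is an added sketch (not KeyLemon's code and not part of the original post) of an unlock decision where the face match is a second factor on top of a verified password instead of a replacement for it. The threshold, function names and match scores are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

FACE_THRESHOLD = 0.80    # hypothetical matcher threshold, not a KeyLemon value
PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash


@dataclass(frozen=True)
class Enrollment:
    salt: bytes
    pw_hash: bytes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str) -> Enrollment:
    """Store only a salted, slow hash of the password."""
    salt = os.urandom(16)
    return Enrollment(salt, _derive(password, salt))


def password_ok(e: Enrollment, attempt: str) -> bool:
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(e.pw_hash, _derive(attempt, e.salt))


def face_ok(score: float) -> bool:
    # A match score only says "this looks like the enrolled face";
    # a photo or a replayed video of that face can produce the same score.
    return score >= FACE_THRESHOLD


def unlock_face_only(score: float) -> bool:
    """Replacement policy: the face match alone opens the session."""
    return face_ok(score)


def unlock_two_factor(e: Enrollment, attempt: str, score: float) -> bool:
    """2FA policy: both factors are evaluated and both must pass."""
    pw = password_ok(e, attempt)
    face = face_ok(score)
    return pw and face


if __name__ == "__main__":
    user = enroll("correct horse battery staple")
    photo_score = 0.93  # constructed: score a matcher might give a photo
    print("face only, photo:", unlock_face_only(photo_score))
    print("2FA, photo, no password:", unlock_two_factor(user, "", photo_score))
```

With the face-only policy the constructed photo score opens the session; with the combined policy the same score is useless without the password.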
