Adversarial Robustness is Not Enough: Practical Limitations for Securing Facial Authentication

Abstract

The current body of work on adversarial robustness seems to imply that theoretical robustness against adversarial examples leads to more secure systems. In this paper we demonstrate that this premise is erroneous by assessing the strengths and limitations of prominent robustness methods in light of facial authentication, a realistic use case where adversarial perturbations pose a real threat, which allows for a natural reflection on the security gained by the obtained robustness. The main contribution of this paper is an evaluation and critical reflection upon why prominent robustness methods fail to deliver a secure system despite living up to their promises of adding robustness. Our analysis shows that stateof-the-art robustness methods such as Adversarial Training and Guided Complement Entropy struggle to accommodate for two key requirements of facial authentication: (1) the threat model of facial authentication assumes physical adversarial examples that can be added to the scene as opposed to "classical" adversarial examples that are applied to the digital input. Moreover, an attacker that can directly perturb digital input, does not require adversarial perturbations to impersonate their victim; (2) robustness properties are only validated for standard classification problems, and often ignore the impact of more practical training paradigms that re-purpose models. Our extensive evaluation of robustness in light of facial authentication allowed us to pinpoint the limitations of these methods. To ensure that the concepts of adversarial robustness and security are more tightly coupled, we recommend to evaluate new defences with applications where adversarial perturbations pose a security threat.