Nothing sinister here
We obviously need a decent enough photo of you for the security to be strong.
Retinal scans can also help, maybe even a bit of DNA, in fact you guys spitting at the cameras in the lifts, thanks.
US cyber security tsar Michael Daniel wants passwords to die in a fire and be replaced by other mechanisms, including selfies. In an interview with the Christian Science Monitor Daniel said the death of passwords could signal a useful purpose for the much-beleaguered selfie. "Frankly I would really love to kill the password …
AFAIK, the collection of facial biometrics is an integral part of both Google and Facebook, with Google coming up with the idea of outsourcing the analytics to the users (Picasa users appear to do a lot of pre-processing).
In this context, Apple is not on the side of privacy either - iPhoto automatically builds a database of facial biometrics without any ability to disable it (although you can find instructions online how to nuke the database), and the use of Siri has as nice side effect that you send a pristine digital voiceprint to a server in the US which is IMHO not a good move.
For those who think that I'm leaving out Apple's fingerprint system on iPhones: no - that only creates a hash value. The FP itself doesn't travel (the sensor is AFAIK a bit too primitive anyway), but that could of course change too. I'd be more worried about Android machines with fingerprint scanning abilities (not to mention Windows phones, but prints from those 4 users would not really be a "volume" grab of data :).
> you could use the camera on cell phones ... [ to use a photograph instead of a password ]
So instead of a baddie having to guess what random or obvious string of letters and numbers you use to gain access to all of your luvverly data, they would now just need a photo of your fizzog? What then - just print it out, life-size, cut off the background, paste it to a stick and hold it up for verification and access. Worse still, what are you supposed to do if there's someone who looks suffciently like you to pass "your" face recognition test - grow a moustache? (and how do you change your face if the security database is hacked?)
In a similar vein, we are also told that more entities are starting to use voice-prints as a means of verifying a person's identity. Pardon my stupidity, but "stealing" that merely involves phoning a person up and getting them to say a pre-set word or phrase, while recording the phone. Sounds even worse!
Thanks, but I'll stick with information that isn't freely available to anyone with a mobile phone - for them to take with neither my permission nor knowledge.
Those same cameras can also detect infrared, which is why camera heart rate monitors work (perhaps not too accurately, but interesting nonetheless). If the face checker also checks for a facial pulse (which a paper mask would likely obstruct), then it would be more difficult to fake.
Personally, I would rather rely on a password than have my risk of kidnapping at gunpoint increased.
Mind you, then you have torture as the main face to face method...then once they have tortured your password out of you, then then can kill you. BUt thinking about it, they should keep you alive in case you lied, got confused under duress. In which case it still is a preferred method, because then they will have to come back so you are alive longer. But then if you are at gunpoint in a public place to show your face then you may, *may* have a better chance of escape.
Oh what to do, what to do.
Screw it - HEY EVERYONE - MY PASSWORD IS D0UGL4SAD4M5!
Sorted.
Those same cameras can also detect infrared, which is why camera heart rate monitors work (perhaps not too accurately, but interesting nonetheless)
Nope. Heart rate detection works on delta detection of the red channel, no need for *infra* red. If I recall correctly, there is a Philips Health app for iThings that does heart rate and breathing frequency detection, and newer iPhones have IR filtered out as it apparently can mess up pictures.
Point is the camera can detect things not normally visible to the naked eye, and these camera CAN and DO capture infrared since they can see the infrared emitted from remote controls and the like. Removing the IR either takes a filter layer or software post-processing.
The point being that while one biometric can be fooled, if the system can simultaneously check for several different biometrics (check for a pulse, moving eyes in the right color, breath, voiceprinting, et al) as well as create dynamic tests that thwart preimaging (asking for a blink, an answer to a simple generated question, etc), then it should be possible to take "faking it" past the practical limit for most adversaries. And you might be able to deal with the gun-to-the-head scenario (which will exist regardless) with a duress sequence: one that not only alerts authorities but also releases traceable dummy data, making it seem you're letting them in.
Nope. Heart rate detection works on delta detection of the red channel, no need for *infra* red
It's also notoriously sensitive to things like skin temperature (i.e. blood perfusion). So you won't get into the phone at all if you're out in the cold. And $deity only knows what it will do with someone who's a bit flushed after running for the bus...
newer iPhones have IR filtered out as it apparently can mess up pictures.
ISTR a bit of a scandal a few years back, where camcorders were showing people in their underwear on account of being overly-sensitive to IR. AIUI, that has led to IR filters being fitted on most cameras these days.
Vic.
Pete 2, you bring up several good points. I don't think any security system that can be defeated by a simple photo or 3D print of someone should be considered fit for purpose. As far as voice recognition, there are several ways to take into account the hack you describe. A simple way would be to have a quick Q&A between the person and the system. Both voice and content could be analyzed. Too-perfect matches should be counted as an attack, so if you ask the person for the same word in two different contexts and the response is detected to be identical, then the system should "know" it is being hacked.
I think the way to go for a reasonable amount of security for system access involves simultaneous, multiple checks. They should be as transparent as possible to the user. Any one method can be defeated. Adding layers and making them simultaneous should greatly increase the difficulty in doing so.
That's one reason I suggested checking both for image and for infrared pulse (something phone cams can already do). Two simultaneous checks which when combined can be trickier to defeat. Since humans can't see infrared naturally, you can make it so that it's difficult to fake a face pulse, especially if it's taking a full infrared image that wouldn't be readily fooled by LEDs (which would emit hot spots). Combine this with a motion-based match (make the subject randomly wink or blink or open the mouth--this would stop the photograph--as well as check for the actual pulse to thwart steady-state infrared emitters) and you can get something that has a decent expectation of an actual, live face.
There are plenty of good arguments from actual security researchers (Daniel is not one) against making biometrics the default for authentication. While not all facial-recognition systems can be fooled this easily, certainly the potential for forged credentials is among them.
Indeed!
Apart from those using "12345" or similar, just how many attacks actually guess a user's password compared to re-using a stolen password database?
I think those are the real problems:
(1) password re-use and;
(2) insecure sites storing passwords in plain-text or unsalted hashes.
Changing to a photo, etc, will make bugger-all difference to that, and once the bad guys have a copy, how do you change it?
Hey, what bargain basement did they get this Tsar from? And I'm being intentionally pejorative. Absolutely no understanding of the topic (any kind of security process), technologies, strengths and weaknesses, .... Downright frightening if he has legislative/regulatory influence. You (Tsar/TLA) can insist all you want that you should have lawful access to my encrypted devices but you won't get it here. [It's still up in the air about forced release of a personal encryption code in the States.] Meanwhile, I'll stick to my passwords from Hell for the Secret stuff. [And as the Classifying Officer, I get to decide about time and place of declassification. of said Secret stuff.]
No Such Agency used to have me fix there stuff when they couldn't. Sheesh.
Robert M Lee has a good piece in Forbes online arguing why a non-technical "Cybersecurity Coordinator" (apparently Daniel's actual title) is a bad idea. Even if you agree on principle (as it seems most or all the commentators here do), it's worth a quick read.
As usual, we see that IT-security pronouncements from people who aren't security researchers aren't worth the bits they're encoded with. Schneier was explaining to non-technical audiences why biometrics weren't a silver bullet a decade ago. Looks like the Powers That Be still haven't caught on (or, as a number of people here have suggested, have - but of course they don't have users' interests in mind).
I have been testing this system all morning, it is more straightforward than it sounds.
Example: You want to ssh into the server
1. Type your name into the login prompt as usual.
2. Take selfie
3. Convert the selfie image to ascii art
4. Copy-and-Paste the ascii art into the Password prompt.
Simples!
I do find that it takes more than one attempt to login but that just means more opportunity to take selfies, yay!
petur,
That's rather weak, auto-unban after an hour...
My system: You're stupid enough to get auto-banned after 3 failed attempts, you have to explain why you failed, what went wrong etc etc, before I manually unban your IP and un-deactivated your account...
Just saying,
Guus
Oh yeah, let's make the Internet even more complicated so that the bright hackers can do what they want and leave Law Enforcement even more clueless. How exactly are you going to change a landline on-the-fly, pray tell ? It's IP may change or be spoofed, but the copper (or fibre for those lucky buggers that have it) is not going to change places, and can therefor be traced. I doubt there can be any way around that.
As said before, if my password is stolen, I can change it. I can't change my face, or my hands, or my fingers.
And please, please do NOT give the "selfie" any official role. THAT will be the End of Civilization As We Know It.
"We don't want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances."
Not sure how they would achieve this. They could build in some inherent weakness but what happens when someone else finds it? You could reserect key escrow idea but how many criminals / terrorists are going voluntarily hand over their keys. They will just find a way around it as they did with the clipper chip
I'm not buying the "Biometrics are bullshit because I'll get my eyes gouged out and my thumbs cut off" angle.
This can still happen in order to exctract your password. The reason it dosent is because most of this sort of thing happens remotely.
In fact assuming these bio check designers are thoughtful enough to require Alive thumbs and retinas or whatever , this might keep you alive longer .