Nothing sinister here
We obviously need a decent enough photo of you for the security to be strong.
Retinal scans can also help, maybe even a bit of DNA, in fact you guys spitting at the cameras in the lifts, thanks.
US cyber security tsar Michael Daniel wants passwords to die in a fire and be replaced by other mechanisms, including selfies. In an interview with the Christian Science Monitor Daniel said the death of passwords could signal a useful purpose for the much-beleaguered selfie. "Frankly I would really love to kill the password …
AFAIK, the collection of facial biometrics is an integral part of both Google and Facebook, with Google coming up with the idea of outsourcing the analytics to the users (Picasa users appear to do a lot of pre-processing).
In this context, Apple is not on the side of privacy either - iPhoto automatically builds a database of facial biometrics without any ability to disable it (although you can find instructions online how to nuke the database), and the use of Siri has as nice side effect that you send a pristine digital voiceprint to a server in the US which is IMHO not a good move.
For those who think that I'm leaving out Apple's fingerprint system on iPhones: no - that only creates a hash value. The FP itself doesn't travel (the sensor is AFAIK a bit too primitive anyway), but that could of course change too. I'd be more worried about Android machines with fingerprint scanning abilities (not to mention Windows phones, but prints from those 4 users would not really be a "volume" grab of data :).
> you could use the camera on cell phones ... [ to use a photograph instead of a password ]
So instead of a baddie having to guess what random or obvious string of letters and numbers you use to gain access to all of your luvverly data, they would now just need a photo of your fizzog? What then - just print it out, life-size, cut off the background, paste it to a stick and hold it up for verification and access. Worse still, what are you supposed to do if there's someone who looks suffciently like you to pass "your" face recognition test - grow a moustache? (and how do you change your face if the security database is hacked?)
In a similar vein, we are also told that more entities are starting to use voice-prints as a means of verifying a person's identity. Pardon my stupidity, but "stealing" that merely involves phoning a person up and getting them to say a pre-set word or phrase, while recording the phone. Sounds even worse!
Thanks, but I'll stick with information that isn't freely available to anyone with a mobile phone - for them to take with neither my permission nor knowledge.
Those same cameras can also detect infrared, which is why camera heart rate monitors work (perhaps not too accurately, but interesting nonetheless). If the face checker also checks for a facial pulse (which a paper mask would likely obstruct), then it would be more difficult to fake.
Personally, I would rather rely on a password than have my risk of kidnapping at gunpoint increased.
Mind you, then you have torture as the main face to face method...then once they have tortured your password out of you, then then can kill you. BUt thinking about it, they should keep you alive in case you lied, got confused under duress. In which case it still is a preferred method, because then they will have to come back so you are alive longer. But then if you are at gunpoint in a public place to show your face then you may, *may* have a better chance of escape.
Oh what to do, what to do.
Screw it - HEY EVERYONE - MY PASSWORD IS D0UGL4SAD4M5!
Sorted.
Those same cameras can also detect infrared, which is why camera heart rate monitors work (perhaps not too accurately, but interesting nonetheless)
Nope. Heart rate detection works on delta detection of the red channel, no need for *infra* red. If I recall correctly, there is a Philips Health app for iThings that does heart rate and breathing frequency detection, and newer iPhones have IR filtered out as it apparently can mess up pictures.
Point is the camera can detect things not normally visible to the naked eye, and these camera CAN and DO capture infrared since they can see the infrared emitted from remote controls and the like. Removing the IR either takes a filter layer or software post-processing.
The point being that while one biometric can be fooled, if the system can simultaneously check for several different biometrics (check for a pulse, moving eyes in the right color, breath, voiceprinting, et al) as well as create dynamic tests that thwart preimaging (asking for a blink, an answer to a simple generated question, etc), then it should be possible to take "faking it" past the practical limit for most adversaries. And you might be able to deal with the gun-to-the-head scenario (which will exist regardless) with a duress sequence: one that not only alerts authorities but also releases traceable dummy data, making it seem you're letting them in.
Nope. Heart rate detection works on delta detection of the red channel, no need for *infra* red
It's also notoriously sensitive to things like skin temperature (i.e. blood perfusion). So you won't get into the phone at all if you're out in the cold. And $deity only knows what it will do with someone who's a bit flushed after running for the bus...
newer iPhones have IR filtered out as it apparently can mess up pictures.
ISTR a bit of a scandal a few years back, where camcorders were showing people in their underwear on account of being overly-sensitive to IR. AIUI, that has led to IR filters being fitted on most cameras these days.
Vic.
Pete 2, you bring up several good points. I don't think any security system that can be defeated by a simple photo or 3D print of someone should be considered fit for purpose. As far as voice recognition, there are several ways to take into account the hack you describe. A simple way would be to have a quick Q&A between the person and the system. Both voice and content could be analyzed. Too-perfect matches should be counted as an attack, so if you ask the person for the same word in two different contexts and the response is detected to be identical, then the system should "know" it is being hacked.
I think the way to go for a reasonable amount of security for system access involves simultaneous, multiple checks. They should be as transparent as possible to the user. Any one method can be defeated. Adding layers and making them simultaneous should greatly increase the difficulty in doing so.
That's one reason I suggested checking both for image and for infrared pulse (something phone cams can already do). Two simultaneous checks which when combined can be trickier to defeat. Since humans can't see infrared naturally, you can make it so that it's difficult to fake a face pulse, especially if it's taking a full infrared image that wouldn't be readily fooled by LEDs (which would emit hot spots). Combine this with a motion-based match (make the subject randomly wink or blink or open the mouth--this would stop the photograph--as well as check for the actual pulse to thwart steady-state infrared emitters) and you can get something that has a decent expectation of an actual, live face.
There are plenty of good arguments from actual security researchers (Daniel is not one) against making biometrics the default for authentication. While not all facial-recognition systems can be fooled this easily, certainly the potential for forged credentials is among them.
Indeed!
Apart from those using "12345" or similar, just how many attacks actually guess a user's password compared to re-using a stolen password database?
I think those are the real problems:
(1) password re-use and;
(2) insecure sites storing passwords in plain-text or unsalted hashes.
Changing to a photo, etc, will make bugger-all difference to that, and once the bad guys have a copy, how do you change it?
Hey, what bargain basement did they get this Tsar from? And I'm being intentionally pejorative. Absolutely no understanding of the topic (any kind of security process), technologies, strengths and weaknesses, .... Downright frightening if he has legislative/regulatory influence. You (Tsar/TLA) can insist all you want that you should have lawful access to my encrypted devices but you won't get it here. [It's still up in the air about forced release of a personal encryption code in the States.] Meanwhile, I'll stick to my passwords from Hell for the Secret stuff. [And as the Classifying Officer, I get to decide about time and place of declassification. of said Secret stuff.]
No Such Agency used to have me fix there stuff when they couldn't. Sheesh.
Robert M Lee has a good piece in Forbes online arguing why a non-technical "Cybersecurity Coordinator" (apparently Daniel's actual title) is a bad idea. Even if you agree on principle (as it seems most or all the commentators here do), it's worth a quick read.
As usual, we see that IT-security pronouncements from people who aren't security researchers aren't worth the bits they're encoded with. Schneier was explaining to non-technical audiences why biometrics weren't a silver bullet a decade ago. Looks like the Powers That Be still haven't caught on (or, as a number of people here have suggested, have - but of course they don't have users' interests in mind).
I have been testing this system all morning, it is more straightforward than it sounds.
Example: You want to ssh into the server
1. Type your name into the login prompt as usual.
2. Take selfie
3. Convert the selfie image to ascii art
4. Copy-and-Paste the ascii art into the Password prompt.
Simples!
I do find that it takes more than one attempt to login but that just means more opportunity to take selfies, yay!
petur,
That's rather weak, auto-unban after an hour...
My system: You're stupid enough to get auto-banned after 3 failed attempts, you have to explain why you failed, what went wrong etc etc, before I manually unban your IP and un-deactivated your account...
Just saying,
Guus
Oh yeah, let's make the Internet even more complicated so that the bright hackers can do what they want and leave Law Enforcement even more clueless. How exactly are you going to change a landline on-the-fly, pray tell ? It's IP may change or be spoofed, but the copper (or fibre for those lucky buggers that have it) is not going to change places, and can therefor be traced. I doubt there can be any way around that.
As said before, if my password is stolen, I can change it. I can't change my face, or my hands, or my fingers.
And please, please do NOT give the "selfie" any official role. THAT will be the End of Civilization As We Know It.
"We don't want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances."
Not sure how they would achieve this. They could build in some inherent weakness but what happens when someone else finds it? You could reserect key escrow idea but how many criminals / terrorists are going voluntarily hand over their keys. They will just find a way around it as they did with the clipper chip
I'm not buying the "Biometrics are bullshit because I'll get my eyes gouged out and my thumbs cut off" angle.
This can still happen in order to exctract your password. The reason it dosent is because most of this sort of thing happens remotely.
In fact assuming these bio check designers are thoughtful enough to require Alive thumbs and retinas or whatever , this might keep you alive longer .
Disposable endpoints is a good idea and used by certainly one very security conscious company I know of.
The other ideas, not really relevant because if you users can find their way to the data sources, there has to be a mechanism for finding them automatically (shall I patent the idea I call "DNS" now?).
The main source of attackers hooks into your network are the endpoints, they typically copy and emulate the legitimate user access paths hiding their access amongst perfectly normal traffic making abnormalities hard to detect.
As with all security concepts, you have to balance security with usability, no point in having a very secure system that doesn't enable use.
Having biometrics as a username - yes that is acceptable but as a password? NOOO!
Situation 1: Someone has managed to copy your biometrics which are used as a password - how do you change it? Eye transplantation might be a though option so the off to the "switching fingerprints service" it is...
Situation 2: Someone has managed to copy your biometrics somehow - this would then equal knowing your g-mail as this is usually connected to the account. There is still the password to pass before you can asume someones identity and after a few tries the account is locked.
Therefore this dude who obviously has a very nourishing broccoli for brains should never be allowed close to a policymaker - such idiocy may be contagious!
Getting my coat!
/F
Sounds like US Cyber security tsar Michael Daniel is a numpty.
Point 1:
Face recognition instead of password -- my notebook and desktops don't have cameras. Facial recognition is complicated. The systems that use "points" will have less total information than a decent password. Finally, how is one supposed to rotate their password when the password is their face? If you get fuglified by an accident or age, are you then locked out of all your accounts?
Point 2:
"He went on to say that the use of encryption models seemingly designed to lock out law enforcement should allow for lawful access."
Numpty deluxe; any useful encryption system doesn't have a way to allow "lawful access". If a crypto system has a backdoor, cryptologists can and will find it, making it worthless. See Clipper -- the feds swore up and down this thing would last decades, and it was fully cracked before the (very few, since nobody wants compromised encryption) products using Clipper even got on the market.
Point 3:
What's all this nonsense about "virtualised moving gateways" and so on? Sounds like nonsense to me; DHCP exists (meaning addresses and gateways are not fixed), and routers support dynamic routing protocols (routes are not fixed.) I actually think having everything kind of be even more dynamic like they seem to be vaguely suggesting would make it *easier* for attackers, the dynamic routing and addressing protocols would provide extra protocols to exploit to perhaps make your remote device appear to be on the local network, compared to a less dynamic setup.
No one has mentioned that Android has had this for some time (as well as a blink option so it knows it isn't looking at a photo).
This breaks down the first time you use it in a not-daylight situation and you find it doesn't work as there is no front facing LED (they could use the screen.. hmmmm) and the front facing cameras are even worse than the back facing ones in dim lighting.
Cool idea about using IR to check for a pulse BTW.
"We glue the wings on airplanes with evostick and they keep falling off, so let's abandon airplanes" - that's no sillier than this commonly repeated argument about passwords. We define them poorly and manage them worse (just for example, the last time I asked el Reg for a password refresh I was emailed my existing password in plain text), so they must be intrinsically crap.
They don't have to be, were we to get our act together, but we're stuck in a sloppy mind set that will actually make any alternative authentication method pretty much equally open to abuse.
Those who implement password controls must stop thoughtlessly repeating mantras ("special symbols and squirrel noises") and take notice of a vast and growing body of rigorous scientific research on both the psychology and technologies of authentication and breaches. The problems are actually much simpler than we have been led to believe, but require more effort and imagination that we have brought to them so far to solve.
So no, passwords are not dead - they just need to be created and used intelligently with reference to the real world. Then they are just as good as any other authentication method in their own context.
Many people shout that the password is dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc).
At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
It is nice for the cyber czar to have noticed that mobile devices come with cameras. However, neither fingerprints nor selfies sound attractive. Biometrics like fingerprints and face recognition operated together with a password by OR/disjunction (as in the case of Apple’s Touch ID) would lower the security than when only a password is used. As for selfies, how would it be possible to use the selfies as an alternative to the password (shared secrets) when our faces are very often exposed with our identity on the network?