FACE Passwords?!? Are you insane?!


Starwhip


I just saw some Intel commercial that showcased face recognition "passwords".

Could you get any less secure? I mean, some stranger could just hold up a picture from your Facebook page and log into your device.

My conclusion is that the people developing software are idiots who don't know anything about security, and are sacrificing other people's security for the sake of "coolness."

On another note, the people who use this are also idiots... I hope there's some security scandal and the public goes back to "secure" character passwords, though there is always a way around any security measure.

Link to comment

This is one of the major misconceptions about using biometrics in security, I can't remember the proper phrase, but it boils down to this;

For security, you need something that identifies you (username, fingerprint, face recog, whatever), this doesn't necessarily have to be secret.

You also need something *secret* that only you know, such as a password. Many people think that a fingerprint/faceprint is a password, it isn't!

Link to comment

I would assume that a facial recognition-based credential system would at least also consider the 3D contour of the face (via structured lighting or something similar), such that the system could easily disregard "flat" photographs.

Link to comment

Fingerprints are definitely less "secure" as they can't be changed, yes, but not *everyone* has access to your fingerprints, while the ENTIRE INTERNET could possibly get a picture of your face.

Provided you actually use your face. I'd use a book or something. :D

Link to comment

This is one of the major misconceptions about using biometrics in security, I can't remember the proper phrase, but it boils down to this;

For security, you need something that identifies you (username, fingerprint, face recog, whatever), this doesn't necessarily have to be secret.

You also need something *secret* that only you know, such as a password. Many people think that a fingerprint/faceprint is a password, it isn't!

Indeed. Something you Are, something you Have, and something you Know.

So if someone steals your credit card number, they also need your face to actually use it.

Link to comment

MartGonzo has a good point, you can't change your biometrics information if it's stolen like a password and they will eventually find a way to fake it.

I can see facial biometrics being useful for automatically configuring personal user settings on things like desktops by just sitting in front of it, but I don't think it's worth the loss of personal freedom.

I could be wrong, but at some point I think there will be a backlash about privacy issues.

Link to comment

That's why biometric scanners work best when accompanied by a guard to discourage trying to fool the system. However, assuming passwords are secure is also not right; people tend to pick really, really awful passwords, and you literally cannot force people to pick good passwords (password complexity rules don't actually work to keep passwords secure, and if you make the rules too strict people will just write down the password). In contrast, biometrics can be awfully convenient, which means that people are more likely to use security features in the first place. For instance, while an iPhone fingerprint sensor can be fooled, you're more secure with a fingerprint lock that you use than a passcode that you don't use. Biometrics, when well-implemented, happen to be quite a bit more convenient than other schemes. They have limits, but for a lot of users they provide enough security for the user's needs without being too annoying for the user to actually use.

For if it's stolen: That's really mostly a concern when it's deployed over an untrusted network. Biometrics with untrusted sensors degrades into "something you know," which is where it's really practical to duplicate. It's not practical to duplicate "something you are" and likely won't be for a very long time; attacks by lifting fingerprints or using a photo rely on sensors that don't fully verify that it's an actual human they're sensing. Proper biometric sensors have a lot of effort put into making them hard to fool by presenting something that's not a live person; that's what the guard is for in "guard+biometric" systems, but people are working on technological solutions. The actual way to implement biometrics is to have an entirely closed system containing both identifying data and the actual sensor; the sensor absolutely has to be trusted. This system would then output whatever it needs to (e.g. a password, cryptographic key, token, that sort of thing, or it could do something like sign data only when it gets the right input). The point is, the actual fingerprint data is only handled by the closed system, which makes it work against any attacker not disassembling the sensor.

Edited by cpast
Link to comment
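
The closed-system design cpast describes above, sketched as an added example (not code from the thread or from any real product): the matcher and the key live inside one module, and the verifier only ever sees a challenge and a keyed response. The feature vectors, threshold, lockout count and the use of a shared HMAC key in place of an asymmetric signature are assumptions.

```python
import hashlib
import hmac
import secrets


class ClosedSensorModule:
    """Stand-in for the sealed sensor-plus-matcher unit (hypothetical design)."""
    MAX_FAILURES = 5  # assumed lockout policy, not from the thread

    def __init__(self, enrolled_features, threshold=0.10):
        self._template = tuple(enrolled_features)  # never leaves the module
        self._threshold = threshold
        self._key = secrets.token_bytes(32)
        self._failures = 0

    def enrollment_key(self):
        # Given to the verifier once, at enrollment (a real design would export a public key).
        return self._key

    def respond(self, live_features, challenge):
        """Return an HMAC over the challenge only if the live sample matches."""
        if self._failures >= self.MAX_FAILURES:
            return None  # locked out: another factor is needed
        diffs = [abs(a - b) for a, b in zip(self._template, live_features)]
        if len(live_features) != len(self._template) or max(diffs) > self._threshold:
            self._failures += 1
            return None
        self._failures = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def verifier_accepts(key, challenge, response):
    """Server side: sees the challenge and the response, never biometric data."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return response is not None and hmac.compare_digest(expected, response)


def demo():
    owner = [0.31, 0.77, 0.52, 0.18]            # constructed feature vector
    module = ClosedSensorModule(owner)
    key = module.enrollment_key()
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)
    good = module.respond([0.33, 0.75, 0.50, 0.20], c1)  # same person, sensor noise
    bad = module.respond([0.90, 0.10, 0.40, 0.60], c2)   # non-matching sample
    return (verifier_accepts(key, c1, good),    # fresh match is accepted
            verifier_accepts(key, c2, bad),     # no match, so no response at all
            verifier_accepts(key, c2, good))    # old response fails a new challenge
```

Because each login uses a fresh challenge, a captured response is useless later, and a compromised verifier holds a revocable key rather than a fingerprint or face template.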

I wonder if it would be better to give people physical keys like a flashcard with a heavily encrypted pass code, maybe something that automatically changes each time you use it.

Something with half the code on the key and the other half on a central computer.

A person would need to steal both halves to break the encryption.

The person using it only needs to memorize a seven digit alphanumeric code to use the key, so not any longer than a phone number.

Then issue out a new one every six to twelve months. I get a new insurance card every six months.

Nothing is foolproof, but it might be easier to get new keys and passwords than a high end biometrics system.

Link to comment

I can see police investigations being compromised if biometrics become widespread. The concept of someone else maliciously duplicating and spreading your fingerprints becomes more and more likely as they are collected, stored and used in more and more places. Even implementations with the best intentions can have some flaw that would facilitate this.

Seeing how much trouble people already have when they are victims of identity theft - people have been left financially and socially ruined simply because someone else used their name - this sounds like a venerable nightmare to me.

Link to comment

you can make it so that a 2d image would not be allowed as the password and that you needed to have either a full color 3d model or the subject with you

Judging by the execution of some projects like this, while that would be possible, it is a very different question whether it will work and work well. It might also be the case that perhaps a photo does not fool it, but a person of close enough skin color and face structure could just log in easily, or that the owner has to hold it in front of their head for twenty seconds while it refuses them.

Link to comment

That's why biometric scanners work best when accompanied by a guard to discourage trying to fool the system. However, assuming passwords are secure is also not right; people tend to pick really, really awful passwords, and you literally cannot force people to pick good passwords (password complexity rules don't actually work to keep passwords secure, and if you make the rules too strict people will just write down the password). In contrast, biometrics can be awfully convenient, which means that people are more likely to use security features in the first place. For instance, while an iPhone fingerprint sensor can be fooled, you're more secure with a fingerprint lock that you use than a passcode that you don't use. Biometrics, when well-implemented, happen to be quite a bit more convenient than other schemes. They have limits, but for a lot of users they provide enough security for the user's needs without being too annoying for the user to actually use.

This is assuming that any attempts to measure things that indicate it's a real person - skin conductivity, heat, etc - actually work. Mythbusters tested a biometric scanner that supposedly had fancy checks for these kinds of details in a spy special - it was actually more easily fooled than the cheaper ones that just looked at the fingerprint pattern. The fancy one was happy with a printed image pressed up with a thumb, the cheap ones required a prosthetic with the fingerprint pattern physically shaped into it.

Link to comment

MartGonzo has a good point, you can't change your biometrics information if it's stolen like a password and they will eventually find a way to fake it.

I can see facial biometrics being useful for automatically configuring personal user settings on things like desktops by just sitting in front of it, but I don't think it's worth the loss of personal freedom.

I could be wrong, but at some point I think there will be a backlash about privacy issues.

Yes, it's nice for user configuration; it's also a second layer of security. You can bypass it, but it requires work.

Link to comment

On home or work PCs, biometrics are usually enough to keep the kids or casual co-workers out of your PC.

I wouldn't use them for credit card info or for websites other than in a dual identification method combined with a password or pin code.

Maybe in the future, we will get fingerprint sensor keyboards, which would check both the password and the biometric data.

There are some interesting new methods that are coming up too, like the "pattern" password on Windows 8 (you swipe or click gestures on the lock screen picture), or rhythm-tap passwords. They seem to offer a decent level of security while being faster than typing passwords.

Link to comment

That and fingerprints have been around for a while. On their own, they are pretty insecure, though when used in combination with other security measures, they add additional layers that may stall an intruder long enough for security to notice.

That said, a really advanced biometric system can differentiate between an inanimate object and a person, because it is capable of deeper scans for other things that are very hard to fake, like veins under the skin using an infrared scan (it is even capable of detecting blood flow in said veins, so cutting someone's hand off to use it later to bypass biometric locks like in the movies won't work). Though that is very unlikely to be installed on a computer. And it costs a ton.

For home use, a password is still the most efficient method for security. I think most home computer biometric systems are also recommended to be used along with a password, instead of being used by themselves for enhanced security. But most people just choose to use the biometric systems for convenience, trading off their security.

Edited by RainDreamer
Link to comment

some stranger could just hold up a picture from your Facebook page and log into your device.

This could be solved by asking the user to perform an action in front of the camera. Like a wink or a nod.

The even bigger problem is privacy. These devices have the camera on (in case the user wants to log in) all the time. Even when not in use.

Link to comment

It's fine for personal computers. Like my PC doesn't need a password. I'm the only one who has physical access to the thing anyway, and there's no sensitive information on it (and I turn it off when I'm not using it, so you can't get in remotely either).

The only reason I have for a password on my PC would be to keep the people I live with out of my 'photo collection'. But that's not worth the hassle. If I could just smile at the webcam and unlock it that way, it might be worth the hassle.

And for real security, it'd be great as a supplement to a password. Something that doesn't require any effort to remember from the legitimate owner, but is still an extra hurdle for criminals, is always good.

Edited by Sirrobert
Link to comment

For home use, a password is still the most efficient method for security. I think most home computer biometric systems are also recommended to be used along with a password, instead of being used by themselves for enhanced security. But most people just choose to use the biometric systems for convenience, trading off their security.

But what's the alternative? If someone chooses biometrics alone for convenience, their alternative was likely either a really weak password or no password at all. The real benefit of more convenient things that aren't as secure is that they mean more people will use some security at all rather than almost none.

Link to comment

Why people worry about this is beyond me. Has everyone forgotten the fingerprint readers on keyboards and as standalone devices?

Those things didn't stick or become anything more than a fun gadget.

I remember those! I used to have one on my old laptop, but it never worked "as advertised." It is scary how lenient we are getting on security.

Link to comment

I can see police investigations being compromised if biometrics become widespread. The concept of someone else maliciously duplicating and spreading your fingerprints becomes more and more likely as they are collected, stored and used in more and more places. Even implementations with the best intentions can have some flaw that would facilitate this.

Usually a fingerprint isn't enough to prove that someone did something criminal. There must always be a chain of proofs which fits the chain of events at a crime scene.

There are some interesting new methods that are coming up too, like the "pattern" password on Windows 8 (you swipe or click gestures on the lock screen picture), or rhythm-tap passwords. They seem to offer a decent level of security while being faster than typing passwords.

They are as insecure as fingerprints. People tend to choose the same gestures for the same picture. If it shows three mountain tops, the chance is very high tapping the tops or swiping the cliffs will unlock the PC.

It is scary how lenient we are getting on security.

There is always the trade-off between convenience and security. You can't get one without sacrificing the other.

In my opinion every protection based on biometrics is easy to fool. You'll usually only need a photo (for optical recognition) and some kind of "figurine" (to imitate a 3D object and being "alive") to get past it.

Link to comment