Forget passwords, let's use SELFIES, says Obama's cyber tsar

US cyber security tsar Michael Daniel wants passwords to die in a fire and be replaced by other mechanisms, including selfies. In an interview with the Christian Science Monitor Daniel said the death of passwords could signal a useful purpose for the much-beleaguered selfie. "Frankly I would really love to kill the password …

  1. Anonymous Coward
    Black Helicopters

    Nothing sinister here

    We obviously need a decent enough photo of you for the security to be strong.

    Retinal scans can also help, maybe even a bit of DNA, in fact you guys spitting at the cameras in the lifts, thanks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nothing sinister here

      AFAIK, the collection of facial biometrics is an integral part of both Google and Facebook, with Google coming up with the idea of outsourcing the analytics to the users (Picasa users appear to do a lot of pre-processing).

      In this context, Apple is not on the side of privacy either - iPhoto automatically builds a database of facial biometrics without any ability to disable it (although you can find instructions online how to nuke the database), and the use of Siri has as a nice side effect that you send a pristine digital voiceprint to a server in the US which is IMHO not a good move.

      For those who think that I'm leaving out Apple's fingerprint system on iPhones: no - that only creates a hash value. The FP itself doesn't travel (the sensor is AFAIK a bit too primitive anyway), but that could of course change too. I'd be more worried about Android machines with fingerprint scanning abilities (not to mention Windows phones, but prints from those 4 users would not really be a "volume" grab of data :).

  2. Anonymous Coward
    Anonymous Coward

    "Feed our face-recognition database".

  3. Pete 2 Silver badge

    Cut'n'paste

    > you could use the camera on cell phones ... [ to use a photograph instead of a password ]

    So instead of a baddie having to guess what random or obvious string of letters and numbers you use to gain access to all of your luvverly data, they would now just need a photo of your fizzog? What then - just print it out, life-size, cut off the background, paste it to a stick and hold it up for verification and access. Worse still, what are you supposed to do if there's someone who looks sufficiently like you to pass "your" face recognition test - grow a moustache? (and how do you change your face if the security database is hacked?)

    In a similar vein, we are also told that more entities are starting to use voice-prints as a means of verifying a person's identity. Pardon my stupidity, but "stealing" that merely involves phoning a person up and getting them to say a pre-set word or phrase, while recording the phone. Sounds even worse!

    Thanks, but I'll stick with information that isn't freely available to anyone with a mobile phone - for them to take with neither my permission nor knowledge.

    1. Charles 9

      Re: Cut'n'paste

      Those same cameras can also detect infrared, which is why camera heart rate monitors work (perhaps not too accurately, but interesting nonetheless). If the face checker also checks for a facial pulse (which a paper mask would likely obstruct), then it would be more difficult to fake.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cut'n'paste

        Personally, I would rather rely on a password than have my risk of kidnapping at gunpoint increased.

        Mind you, then you have torture as the main face to face method...then once they have tortured your password out of you, then they can kill you. But thinking about it, they should keep you alive in case you lied, got confused under duress. In which case it still is a preferred method, because then they will have to come back so you are alive longer. But then if you are at gunpoint in a public place to show your face then you may, *may* have a better chance of escape.

        Oh what to do, what to do.

        Screw it - HEY EVERYONE - MY PASSWORD IS D0UGL4SAD4M5!

        Sorted.

      2. herman

        Re: Cut'n'paste

        "more difficult" - You think so? Pretty simple to fake and every time I successfully faked it, you would have to go for plastic surgery to change your face. That would get tiring rather quickly I'd think.

        1. Charles 9

          Re: Cut'n'paste

          Pretty simple to fake an infrared face pulse while still fooling a selfie cam lock? Kindly demonstrate...

          1. Anonymous Coward
            Anonymous Coward

            Re: Cut'n'paste

            Infrared sees through paper, so all you have to do is hold up the mask in front of your own face....

      3. Anonymous Coward
        Anonymous Coward

        Re: Cut'n'paste

        Ok so paper mask and some IR LEDs or just a pulse controlled heat map behind...

      4. Anonymous Coward
        Anonymous Coward

        Re: Cut'n'paste

        > Those same cameras can also detect infrared, which is why camera heart rate monitors work (perhaps not too accurately, but interesting nonetheless)

        Nope. Heart rate detection works on delta detection of the red channel, no need for *infra* red. If I recall correctly, there is a Philips Health app for iThings that does heart rate and breathing frequency detection, and newer iPhones have IR filtered out as it apparently can mess up pictures.

        1. Charles 9

          Re: Cut'n'paste

          Point is the camera can detect things not normally visible to the naked eye, and these cameras CAN and DO capture infrared since they can see the infrared emitted from remote controls and the like. Removing the IR either takes a filter layer or software post-processing.

          The point being that while one biometric can be fooled, if the system can simultaneously check for several different biometrics (check for a pulse, moving eyes in the right color, breath, voiceprinting, et al) as well as create dynamic tests that thwart preimaging (asking for a blink, an answer to a simple generated question, etc), then it should be possible to take "faking it" past the practical limit for most adversaries. And you might be able to deal with the gun-to-the-head scenario (which will exist regardless) with a duress sequence: one that not only alerts authorities but also releases traceable dummy data, making it seem you're letting them in.

        2. Vic

          Re: Cut'n'paste

          > Nope. Heart rate detection works on delta detection of the red channel, no need for *infra* red

          It's also notoriously sensitive to things like skin temperature (i.e. blood perfusion). So you won't get into the phone at all if you're out in the cold. And $deity only knows what it will do with someone who's a bit flushed after running for the bus...

          > newer iPhones have IR filtered out as it apparently can mess up pictures.

          ISTR a bit of a scandal a few years back, where camcorders were showing people in their underwear on account of being overly-sensitive to IR. AIUI, that has led to IR filters being fitted on most cameras these days.

          Vic.

    2. Hollerith 1

      Re: Cut'n'paste

      I am sure El Reg's female readership is game to try the moustache route.

    3. Robert Helpmann??
      Childcatcher

      Re: Cut'n'paste

      Pete 2, you bring up several good points. I don't think any security system that can be defeated by a simple photo or 3D print of someone should be considered fit for purpose. As far as voice recognition, there are several ways to take into account the hack you describe. A simple way would be to have a quick Q&A between the person and the system. Both voice and content could be analyzed. Too-perfect matches should be counted as an attack, so if you ask the person for the same word in two different contexts and the response is detected to be identical, then the system should "know" it is being hacked.

      I think the way to go for a reasonable amount of security for system access involves simultaneous, multiple checks. They should be as transparent as possible to the user. Any one method can be defeated. Adding layers and making them simultaneous should greatly increase the difficulty in doing so.

      1. Mike Bell
        Terminator

        Re: Cut'n'paste

        @Q&A:

        Hey Janelle, what's wrong with Wolfie? I can hear him barking. Is he all right?

      2. Charles 9

        Re: Cut'n'paste

        That's one reason I suggested checking both for image and for infrared pulse (something phone cams can already do). Two simultaneous checks which when combined can be trickier to defeat. Since humans can't see infrared naturally, you can make it so that it's difficult to fake a face pulse, especially if it's taking a full infrared image that wouldn't be readily fooled by LEDs (which would emit hot spots). Combine this with a motion-based match (make the subject randomly wink or blink or open the mouth--this would stop the photograph--as well as check for the actual pulse to thwart steady-state infrared emitters) and you can get something that has a decent expectation of an actual, live face.

    4. Robert E A Harvey

      Re: Cut'n'paste

      I remember Clarkson driving around in a Bill Oddie mask.

      I can see the obvious flaws.

    5. Michael Wojcik Silver badge

      Re: Cut'n'paste

      There are plenty of good arguments from actual security researchers (Daniel is not one) against making biometrics the default for authentication. While not all facial-recognition systems can be fooled this easily, certainly the potential for forged credentials is among them.

  4. dubno

    BZZT.. wrong answer.

    Someone doesn't understand the difference between identification and authentication.

    Whilst biometric data could be used as an identification method (and as noted in other comments, easily copied) there is no way that it is vaguely suitable for authentication.

    1. DropBear
      Facepalm

      Re: BZZT.. wrong answer.

      Indeed. Can we please finally take the idea of using ANY biometrics for authentication behind the shed and put it out of its misery? Pretty please? With a cherry on top...?

  5. returnmyjedi

    It still wouldn't be completely secure. That pretty robot in the Alien film where the acidic ones did breaststroke managed to overcome a security system using an individual's breath, so just think how easy this would be for the likes of Odo and David Bowie's missus to circumvent.

    1. Michael Wojcik Silver badge

      Nothing is "completely secure". The phrase is meaningless.

      Biometric identification isn't even vaguely secure, under most reasonable threat models.

  6. JimmyPage Silver badge
    FAIL

    *Cyber* security tsar?

    ...who doesn't seem to know that face-recognition unlock is a standard Android offering?

  7. Anonymous Coward
    Anonymous Coward

    Passwords work AND are easy.

    As long as you do it right for both choosing your password and the method of transmitting, storing and verification.

    All it needs is a little education on how to choose passwords both for remembering them in future and being relatively hard to crack.

    1. Paul Crawford Silver badge

      Re: Passwords work AND are easy.

      Indeed!

      Apart from those using "12345" or similar, just how many attacks actually guess a user's password compared to re-using a stolen password database?

      I think those are the real problems:

      (1) password re-use; and

      (2) insecure sites storing passwords in plain-text or unsalted hashes.

      Changing to a photo, etc, will make bugger-all difference to that, and once the bad guys have a copy, how do you change it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords work AND are easy.

        How about (3) sheer numbers? Are we expecting the average computer user to be able to correctly and arbitrarily recall any of hundreds of different pass phrases in any given day without suffering serious recall errors?

  8. Anonymous Coward
    WTF?

    Access required?

    Hey, what bargain basement did they get this Tsar from? And I'm being intentionally pejorative. Absolutely no understanding of the topic (any kind of security process), technologies, strengths and weaknesses, .... Downright frightening if he has legislative/regulatory influence. You (Tsar/TLA) can insist all you want that you should have lawful access to my encrypted devices but you won't get it here. [It's still up in the air about forced release of a personal encryption code in the States.] Meanwhile, I'll stick to my passwords from Hell for the Secret stuff. [And as the Classifying Officer, I get to decide about time and place of declassification of said Secret stuff.]

    No Such Agency used to have me fix their stuff when they couldn't. Sheesh.

    1. Michael Wojcik Silver badge

      Re: Access required?

      Robert M Lee has a good piece in Forbes online arguing why a non-technical "Cybersecurity Coordinator" (apparently Daniel's actual title) is a bad idea. Even if you agree on principle (as it seems most or all the commentators here do), it's worth a quick read.

      As usual, we see that IT-security pronouncements from people who aren't security researchers aren't worth the bits they're encoded with. Schneier was explaining to non-technical audiences why biometrics weren't a silver bullet a decade ago. Looks like the Powers That Be still haven't caught on (or, as a number of people here have suggested, have - but of course they don't have users' interests in mind).

  9. Anonymous Coward
    FAIL

    2 things

    1. This "Tsar" uses an iPhone, otherwise he will be aware of the Android feature.

    2. I'm all for the selfie, but only if the mandatory selfie is a penis or a vagina.

    1. DropBear
      Trollface

      Re: 2 things

      2: that would do absolute wonders for social life in pubs, whether it has one effect on phone usage or the exact opposite...

      1. Extra spicey vindaloo
        Thumb Up

        Re: 2 things

        I'm going to invest in Kilt manufacturers..

    2. petur
      FAIL

      Re: 2 things

      "1. This "Tsar" uses an iPhone, otherwise he will be aware of the Android feature."

      And he certainly isn't using a Nexus 7, because Face Unlock has been broken on it for many months now, with not even an acknowledgement from Google....

    3. Hollerith 1

      Re: 2 things

      Hi boys and girls. Your task, on this first day of primary school, is to ensure security! Now we are all taking out our mobile phones and...

  10. Zack Mollusc

    Works a treat!

    I have been testing this system all morning, it is more straightforward than it sounds.

    Example: You want to ssh into the server

    1. Type your name into the login prompt as usual.

    2. Take selfie

    3. Convert the selfie image to ascii art

    4. Copy-and-Paste the ascii art into the Password prompt.

    Simples!

    I do find that it takes more than one attempt to login but that just means more opportunity to take selfies, yay!

    1. petur

      Re: Works a treat!

      You would probably be kicked out(*) of my SSH server with those retries ;)

      (*) come back in an hour for your next 3 tries, unless I read the mail about it first

      1. Guus Leeuw

        Re: Works a treat!

        petur,

        That's rather weak, auto-unban after an hour...

        My system: You're stupid enough to get auto-banned after 3 failed attempts, you have to explain why you failed, what went wrong etc etc, before I manually unban your IP and un-deactivate your account...

        Just saying,

        Guus

  11. Anonymous Coward
    Anonymous Coward

    Photos don't work

    one of the Android face-unlock options is "live check" which requires the face in the frame to blink a few times.

    Now *there's* an idea ... face-recognition and a password in (literally) blinking morse code.

    I can smell the patent office coffee now ....

    1. petur

      Re: Photos don't work

      As if that 'blink' can't be faked with a picture.....

    2. Conrad Longmore

      Re: Photos don't work

      Oooh.. I hadn't noticed "live check" before. But otherwise it has been proven that you can unlock the device with a photograph..

  12. ukgnome
    Terminator

    Great Idea

    Now I have a use for all those 3D printed life-size faces.

    *it's best not to ask....

  13. Chris G

    Another cop

    Or something like one.

    Trying to tell us what he thinks is good for him is good for us.

  14. Pascal Monett Silver badge

    "moving gateways, ad-hoc networks"

    Oh yeah, let's make the Internet even more complicated so that the bright hackers can do what they want and leave Law Enforcement even more clueless. How exactly are you going to change a landline on-the-fly, pray tell? Its IP may change or be spoofed, but the copper (or fibre for those lucky buggers that have it) is not going to change places, and can therefore be traced. I doubt there can be any way around that.

    As said before, if my password is stolen, I can change it. I can't change my face, or my hands, or my fingers.

    And please, please do NOT give the "selfie" any official role. THAT will be the End of Civilization As We Know It.

  15. monoculture

    "We don't want to have something that puts it utterly beyond the reach of law enforcement in the appropriate circumstances."

    Not sure how they would achieve this. They could build in some inherent weakness but what happens when someone else finds it? You could resurrect the key escrow idea but how many criminals / terrorists are going to voluntarily hand over their keys? They will just find a way around it as they did with the Clipper chip.

    1. Anonymous Coward
      FAIL

      And there's your problem

      The word 'appropriate' may no longer be appropriate. By the way, does that word mean 'to take' or 'correct and proper?'

  16. mark 63 Silver badge

    > (and how do you change your face if the security database is hacked?)

    I think you're missing the point

  17. mark 63 Silver badge

    torture and kidnapping

    I'm not buying the "Biometrics are bullshit because I'll get my eyes gouged out and my thumbs cut off" angle.

    This can still happen in order to extract your password. The reason it doesn't is because most of this sort of thing happens remotely.

    In fact assuming these bio check designers are thoughtful enough to require alive thumbs and retinas or whatever, this might keep you alive longer.

    1. Anonymous Coward
      Anonymous Coward

      Re: torture and kidnapping

      Yeah, with only one finger and one eye.

    2. Diogenes

      Re: torture and kidnapping - bin done

      I remembered a case ...

      google malaysia car finger

      2nd result gives this august site

      http://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/

  18. chivo243 Silver badge
    Joke

    Incredibles!

    The odd little costume designer in the Incredibles had a good system, password, handprint, retina and voice to protect her lab... Bring them all on at once!

  19. Death_Ninja

    Disposable endpoints

    Disposable endpoints is a good idea and used by certainly one very security conscious company I know of.

    The other ideas, not really relevant because if your users can find their way to the data sources, there has to be a mechanism for finding them automatically (shall I patent the idea I call "DNS" now?).

    The main source of attackers' hooks into your network are the endpoints, they typically copy and emulate the legitimate user access paths hiding their access amongst perfectly normal traffic making abnormalities hard to detect.

    As with all security concepts, you have to balance security with usability, no point in having a very secure system that doesn't enable use.

  20. Frallan
    Coat

    What a tool!!!

    Having biometrics as a username - yes that is acceptable but as a password? NOOO!

    Situation 1: Someone has managed to copy your biometrics which are used as a password - how do you change it? Eye transplantation might be a tough option so then off to the "switching fingerprints service" it is...

    Situation 2: Someone has managed to copy your biometrics somehow - this would then equal knowing your g-mail as this is usually connected to the account. There is still the password to pass before you can assume someone's identity and after a few tries the account is locked.

    Therefore this dude who obviously has a very nourishing broccoli for brains should never be allowed close to a policymaker - such idiocy may be contagious!

    Getting my coat!

    /F

    1. Anonymous Coward
      Anonymous Coward

      Re: What a tool!!!

      You've hit on another problem. He IS a policymaker.
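An added example, not code from any commenter here nor from any real face-unlock product, that puts dubno's and Frallan's identification/authentication split into practice and covers Paul Crawford's point about unsalted storage: the face template only looks the user up, a salted PBKDF2 hash is the authenticator, three failures lock the account for an hour in petur's style, and the password can be rotated while the face cannot. The face template is a constructed placeholder string, assumed to be whatever a real matcher would output.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 3
LOCKOUT_SECONDS = 3600  # petur's "come back in an hour for your next 3 tries"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user means a stolen
    database cannot be attacked with precomputed tables and two users with the
    same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self) -> None:
        self._by_face = {}   # face template -> username  (identification only)
        self._accounts = {}  # username -> salt/hash/lockout state (authentication)

    def enrol(self, username: str, face_template: str, password: str) -> None:
        # face_template is a constructed placeholder (assumption), never a secret
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "hash": digest,
                                    "failures": 0, "locked_until": 0.0}
        self._by_face[face_template] = username

    def identify(self, face_template: str) -> Optional[str]:
        """The biometric answers 'who is this probably?' and grants nothing."""
        return self._by_face.get(face_template)

    def authenticate(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'bad-password', 'locked' or 'unknown-user'."""
        now = time.time() if now is None else now
        rec = self._accounts.get(username)
        if rec is None:
            return "unknown-user"
        if now < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad-password"

    def rotate_password(self, username: str, new_password: str) -> None:
        """After a breach the authenticator is replaced; the identifier (face)
        stays the same, which is exactly why it must not be the secret."""
        rec = self._accounts[username]
        rec["salt"], rec["hash"] = hash_password(new_password)
```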

  21. Lamont Cranston
    FAIL

    "Your face has expired, and must be changed"

    What if I need to authenticate in the dark?

  22. Unicornpiss
    Alert

    Static routes...

    So we should give up on static addressing and routing? How will that work with legacy devices like printers, for example? It seems to me that this will also open new and more interesting methods of spoofing identities.

  23. ecofeco Silver badge

    They really don't have a clue, do they?

    The suits and inbred aristocracy really don't have a clue, do they?

  24. Henry Wertz 1 Gold badge

    US Cyber security tsar Michael Daniel is a numpty

    Sounds like US Cyber security tsar Michael Daniel is a numpty.

    Point 1:

    Face recognition instead of password -- my notebook and desktops don't have cameras. Facial recognition is complicated. The systems that use "points" will have less total information than a decent password. Finally, how is one supposed to rotate their password when the password is their face? If you get fuglified by an accident or age, are you then locked out of all your accounts?

    Point 2:

    "He went on to say that the use of encryption models seemingly designed to lock out law enforcement should allow for lawful access."

    Numpty deluxe; any useful encryption system doesn't have a way to allow "lawful access". If a crypto system has a backdoor, cryptologists can and will find it, making it worthless. See Clipper -- the feds swore up and down this thing would last decades, and it was fully cracked before the (very few, since nobody wants compromised encryption) products using Clipper even got on the market.

    Point 3:

    What's all this nonsense about "virtualised moving gateways" and so on? Sounds like nonsense to me; DHCP exists (meaning addresses and gateways are not fixed), and routers support dynamic routing protocols (routes are not fixed.) I actually think having everything kind of be even more dynamic like they seem to be vaguely suggesting would make it *easier* for attackers, the dynamic routing and addressing protocols would provide extra protocols to exploit to perhaps make your remote device appear to be on the local network, compared to a less dynamic setup.

  25. Jes.e

    I'm really surprised..

    No one has mentioned that Android has had this for some time (as well as a blink option so it knows it isn't looking at a photo).

    This breaks down the first time you use it in a not-daylight situation and you find it doesn't work as there is no front facing LED (they could use the screen.. hmmmm) and the front facing cameras are even worse than the back facing ones in dim lighting.

    Cool idea about using IR to check for a pulse BTW.

  26. Mike 137 Silver badge

    strange reasoning

    "We glue the wings on airplanes with evostick and they keep falling off, so let's abandon airplanes" - that's no sillier than this commonly repeated argument about passwords. We define them poorly and manage them worse (just for example, the last time I asked el Reg for a password refresh I was emailed my existing password in plain text), so they must be intrinsically crap.

    They don't have to be, were we to get our act together, but we're stuck in a sloppy mind set that will actually make any alternative authentication method pretty much equally open to abuse.

    Those who implement password controls must stop thoughtlessly repeating mantras ("special symbols and squirrel noises") and take notice of a vast and growing body of rigorous scientific research on both the psychology and technologies of authentication and breaches. The problems are actually much simpler than we have been led to believe, but require more effort and imagination than we have brought to them so far to solve.

    So no, passwords are not dead - they just need to be created and used intelligently with reference to the real world. Then they are just as good as any other authentication method in their own context.

  27. EJ

    Where was this?

    I saw this guy speak at a security conference in Albany NY this summer. He was as exciting and dynamic as moss. Might have punched things up a bit if he took the opportunity to mention this idea during his 25 minutes snoozefest on stage.

  28. Jin

    The problem is not the password but the text password

    Many people shout that the password is dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc).

    At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    It is nice for the cyber czar to have noticed that mobile devices come with cameras. However, neither fingerprints nor selfies sound attractive. Biometrics like fingerprints and face recognition operated together with a password by OR/disjunction (as in the case of Apple’s Touch ID) would lower the security than when only a password is used. As for selfies, how would it be possible to use the selfies as an alternative to the password (shared secrets) when our faces are very often exposed with our identity on the network?
