Why face recognition as a way to replace passwords will remain a fantasy

Replacing much hated (yet resilient) passwords with face recognition-based authentication has been a cool idea of ‘how things will work tomorrow’ – yet ‘tomorrow’, in terms of mass adoption, never really happened. Some may argue that the stars were not really aligned till now, but may be aligned very soon. Indeed, facial recognition methods (naturally) keep getting better. User-facing cameras (which just several years ago were limited to PCs equipped with an extra webcam) are now increasingly omnipresent – from laptops to tablets to smartphones. And the pain of remembering passwords keeps getting worse. The idea is pursued by a variety of smaller companies like KeyLemon or Sensible Vision, and face recognition features even made it into the Android mobile OS. Moreover, as recently as last month no one else but the formidable Jack Ma demonstrated how Alipay may allow payment authorization exclusively via recognition of the user’s face.

So… is the ‘tomorrow’ of “authorize with a ‘faceprint’” finally happening? I venture a prediction that it will never graduate from a cool concept to widely accepted practice. I can mention at least two reasons why:

  • As with any other authentication mechanism, it’s going to be a cat-and-mouse game – the authentication technology will get better only to be defeated by ever-creative fraudsters. In cases when the attackers are inherently capable of moving faster than the defense, the ‘cat’ is kind of doomed. We could reach a point – just like it happened with captcha – when building more defenses becomes unfeasible. How does this apply to the face recognition domain? The weakness of using face recognition for authentication purposes is nothing new – e.g. these guys nailed it back in 2009. True, the recognition software has improved a lot since then, and some interesting ideas like detecting eye movement or blinks may offer a chance, but then again attacking these defenses to fool the software into false positives is becoming cheaper at a faster pace (3D printed masks, colored lenses, video-generated images?).
  • Any change in consumer behavior on a massive scale would need a push from a very large player interested in making money on it – such as Apple (case in point: mobile payments). Apple is hardly going to do it though, as its newest devices already have fingerprint readers. While fingerprints arguably suffer from the same issues, they are much more resilient biometrics – fingerprints are way harder to obtain than pictures of the potential victims (even taking this claim into account). Moreover, if we combine this observation with the dropping price of fingerprint readers, envisioning even cheaper devices having one in the near future is easier than imagining face recognition used as the main biometric to identify end users. In addition, cameras can be used to scan your fingerprints instead of taking a picture of your face. There’s little evidence that other large companies would have enough incentive to go against this trend.

Having said that, I can see how a ‘faceprint’ can be used as one of the choices for a biometric 2nd factor, or in some physical stores which would like to appear futuristic to their customers. Maybe even some airports. Wide adoption, however, may remain ‘the cool feature of tomorrow’.

Online Identity services – an emerging new business model?

Every time I visit the website of one of the financial institutions I happen to be a client of, I am daunted by the hoops I need to jump through (none of which is really unstoppable from the fraudsters’ standpoint) to log in to my account. It’s obvious that serious businesses are trying to counter account takeovers and each is doing that in its own way – possibly spending lots of money on something which is not its core expertise. Countered by fraudsters for whom it actually is the core expertise, these businesses seem doomed to continue investing lots of resources in online identity management with only modest success.

Needless to say, online identity is becoming a big issue. Little wonder – whole chunks of our daily life – including very personal fields like romance and friendship – are being absorbed by the Net. In all the mess one thing stands out – the acute need for better identification. A need which itself may warrant a separate industry – call it online identity services. I do not mean anything ominous (“I’ve got a lightly used identity of Jude Law! Anybody?”) – just satisfying the legitimate need to identify people online – like an online bank needing to make sure the person logging into its website is the actual account holder. Today it’s moving from traditional password-based identification (see my earlier post) to more sophisticated multi-layered mechanisms (some less efficient than others) – pictures, personal questions, 2FA tools etc. It is becoming more costly to develop and maintain, hence it would make a lot of sense to delegate this headache to a company which actually specializes in online identification. In that case the bank just needs to redirect the login to the company’s page (for a non-technical user that could be quite seamless, e.g. by putting the bank’s logo on the site it redirects to, or doing it in an iframe), let it do all the dirty work, and return the user to the bank’s page with a full guarantee (covered by the third party) that the user is authenticated. Just like PayPal handles all the payment and gets back to the merchant with a guaranteed payment, the ‘identity merchant’ would come back with a ‘successful login’. Now, the ‘services’ may charge per login or per month or per user – details will depend on the particular business model. Such services may even offer multiple types of support – the spectrum would include periodic user screening (e.g. verifying the phone), sending 2FA tokens, sending SMS messages – in short, focus on linking the physical identity with the cyber one.
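To make the “redirect, let the third party do the dirty work, return with a guarantee” loop concrete, here is an added example (not code from the post or from any identity vendor it mentions) of the minimum a relying party such as the bank would have to check before trusting a returned login. The identity service verifies a password plus a TOTP code (the “2FA tokens” the post refers to), then hands back a signed assertion; the bank verifies the signature, the intended audience, the expiry, and a one-time nonce it minted at the start of the flow, so a captured assertion cannot be replayed and one meant for another client cannot be reused. All names (`bank.example`, `idservice.example`), the shared HMAC key and the user records are constructed for the demo; a production service would sign with a private key so the relying party cannot forge assertions, which HMAC does not give you.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import parse_qs, urlparse

# Constructed demo values (assumptions, not from the post): one relying party
# ("the bank") and one identity service sharing an HMAC key exchanged out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
BANK_ID = "bank.example"
IDSERVICE_LOGIN_URL = "https://idservice.example/login"
ASSERTION_TTL = 300          # seconds an assertion stays valid
TOTP_STEP, TOTP_DIGITS = 30, 6


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time step."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityService:
    """The 'identity merchant': checks password + TOTP, then issues a signed assertion."""

    def __init__(self, key: bytes):
        self.key = key
        self.users = {}  # username -> (salt, pbkdf2 hash, totp secret)

    def enroll(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = (salt, digest, totp_secret)

    def login(self, user, password, code, client, nonce, now):
        """Return 'payload.signature' on success, None on any failure."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, digest, totp_secret = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        if not hmac.compare_digest(totp(totp_secret, now), code):
            return None
        claims = {"sub": user, "aud": client, "nonce": nonce,
                  "iat": now, "exp": now + ASSERTION_TTL}
        payload = _b64url(json.dumps(claims, sort_keys=True).encode())
        sig = _b64url(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"


class Bank:
    """Relying party: never sees the password or TOTP, only verifies the assertion."""

    def __init__(self, key: bytes, bank_id: str):
        self.key = key
        self.bank_id = bank_id
        self.pending = {}  # nonce -> time issued (would live in a server-side session)

    def start_login(self, now: int) -> str:
        """Mint a one-time nonce and build the redirect to the identity service."""
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = now
        return f"{IDSERVICE_LOGIN_URL}?client={self.bank_id}&nonce={nonce}"

    def finish_login(self, token: str, now: int):
        """Return the authenticated username, or None if the assertion is rejected."""
        try:
            payload, sig = token.split(".")
            expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None                      # forged or tampered
            claims = json.loads(_b64url_decode(payload))
            aud, iat, exp = claims["aud"], claims["iat"], claims["exp"]
            nonce, sub = claims["nonce"], claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None                          # malformed token
        if aud != self.bank_id:
            return None                          # assertion meant for another client
        if not iat <= now <= exp:
            return None                          # expired (or clock skew)
        if self.pending.pop(nonce, None) is None:
            return None                          # unknown or already used: replay
        return sub


def parse_login_request(url: str):
    """What the identity service reads from the bank's redirect: (client, nonce)."""
    query = parse_qs(urlparse(url).query)
    return query["client"][0], query["nonce"][0]
```

Driving the flow in order: `Bank.start_login` produces the redirect, `parse_login_request` is what the identity service extracts from it, `IdentityService.login` is the user entering password and TOTP on the service's page, and `Bank.finish_login` is the return trip. The nonce is what ties the returned assertion to a login the bank actually started; without it, an assertion obtained once could be presented again later, and the `aud` check is what stops an assertion issued for a different client from being accepted.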

Now, I am not saying this has never occurred to anybody else – the OpenID concept is a similar one. Too bad it didn’t really take off. My take is – people who care about this most (online banks, for example) are inherently distrustful of anything free or open source. And serious identity management needs serious resources – to screen, to support 2FA tokens etc. Microsoft Passport probably was ahead of its time. PayPal could use its clout to add “identity management” to its portfolio, or better yet Facebook could do that (the model of your identity being vetted by your friends is quite powerful), too. However, both of these companies have their hands in many jars, and the last thing a bank wants is to divulge its user base to some 3rd party who can turn out to be a competitor. My take is – in order to succeed, these services should be very specific – commercial, stand-alone, not engaged in any other type of business, but solely focused on online identity and committed by binding agreements not to use the information for any other purposes. Naturally, there need to be safeguards that each client’s (bank’s) user data is secure and stays its property even if login is supported by the third party.

Perhaps there are such companies – I admit I didn’t do much research here – but even if there are, it’s anything but a mature industry. I wonder if it will ever become one.

Passwords are passé

It’s clear. Authenticating users via passwords is hopelessly outdated – the sooner online businesses (who are serious about keeping their customers safe) understand this, the better. Security questions are of no substantial help – they just put some short-lived life support on dying passwords. An IP/cookie check on the server side (if any exists, of course) helps, but only incrementally, as there are known workarounds actively used by the fraudster community. The only – as of today – viable improvement that qualitatively raises the bar is 2FA.

Many would say – 2FA might be overkill for most of our online authentication needs. Well, I could definitely argue with this statement – at least in 90% of cases. For example, our email box contains extremely valuable information about us – enabling identity theft, great for waging a spear phishing attack, or simply revealing your immediate plans to whoever wants to conduct a “brick and mortar” theft. Not to mention social network accounts – they are remarkable in keeping a comprehensive log about their owners – contacts, friends, photos, status, communication – all in one place! In other words – the wet dream for a whole line of businesses – illegal as well as legal ones. And what – a pathetic password being the single key to this wealth of information? Hell, no!

That said, 2FA is far from being bulletproof (e.g. it’s susceptible to a particular type of client-side attack). However, there’s little doubt that 2FA is the next major step in securing users’ identities online, and that this will be the direction the industry moves towards (finally quitting the search for a cheap alternative) in the next several years.