Why face recognition as a way to replace passwords will remain a fantasy

Replacing much-hated (yet resilient) passwords with face recognition-based authentication has long been a cool idea of ‘how things will work tomorrow’ – yet ‘tomorrow’ in terms of massive adoption never really happened. Some may argue that the stars were not aligned until now, but may be aligned very soon. Indeed, facial recognition methodology (naturally) keeps getting better. User-facing cameras (which just several years ago were limited to PCs equipped with an extra webcam) are now increasingly omnipresent – from laptops to tablets to smartphones. And the pain of remembering passwords keeps getting worse. The idea is pursued by a variety of smaller companies like KeyLemon or Sensible Vision, and face recognition features even made it into the Android mobile OS. Moreover, as recently as last month none other than the formidable Jack Ma demonstrated how Alipay may allow payment authorization exclusively via recognition of the user’s face.

So… is the tomorrow of “authorize with a ‘faceprint’” finally happening? I venture a prediction that it will never graduate from a cool concept to widely accepted practice. I can mention at least two reasons why:

  • As with any other authentication mechanism, it’s going to be a cat-and-mouse game – the authentication technology will get better only to be defeated by ever-creative fraudsters. In cases where the attackers are inherently capable of moving faster than the defense, the ‘cat’ is kind of doomed. We could reach a point – just as happened with captcha – where building more defenses becomes unfeasible. How does this apply to the face recognition domain? The weakness of using face recognition for authentication purposes is nothing new – e.g. these guys nailed it back in 2009. True, the recognition software has improved a lot since then, and some interesting ideas like detecting eye movement or blinks (liveness checks) may offer a chance, but then again attacking these defenses to fool the software into false positives is becoming cheaper at a faster pace (3D-printed masks, colored lenses, video-generated images?).
  • Any change in consumer behavior on a massive scale would need a push from a very large player interested in making money on it – such as Apple (case in point: mobile payments). Apple is hardly going to do it though, as its newest devices already have fingerprint readers. While fingerprints arguably suffer from the same issues, they are a much more resilient biometric – fingerprints are way harder to obtain than pictures of the potential victims (even taking this claim into account). Moreover, if we combine this observation with the dropping price of fingerprint readers, envisioning even cheaper devices having one in the near future is easier than imagining face recognition used as the main biometric to identify end users. In addition, cameras can be used to scan your fingerprints instead of taking a picture of your face. There’s little evidence that other large companies would have enough incentive to go against this trend.

Having said that, I can see how a ‘faceprint’ can be used as one choice of biometric second factor, or in some physical stores which would like to appear futuristic to their customers. Maybe even some airports. Wide adoption, however, may remain ‘the cool feature of tomorrow’.

In case you needed more evidence…

…that we are either too simple-minded, ignorant or just plain lazy to care about our own security – here’s another example.

It’s a well-known phenomenon that people tend to choose simplicity over security when selecting their passcodes – from internet passwords to iPhone PINs.

I have an improvised “research” of my own. Here’s how it works – my local gym provides mini lockers for the members to put their valuables in – car keys, wallets, cellphones etc. The lockers are based on three-digit (rolling 0..9) codes. The member first dials a combination of three digits, then turns the door’s knob, and finally scrambles the combination so that it is locked. Unfortunately, way too many of them forget about scrambling the code after they take their valuables out and leave. How do I know that? I am just guessing from quickly browsing the combinations of all the open locks. The recurrent observation: in 3 out of 4 cases the combination is something extremely easy to remember – either A,A,A (where A is the same digit) or A,A+1,A+2. I could bet their smartphone PINs are probably very similar, too (if only I could verify that hypothesis 😉 ).

Now, the gym I am a lucky member of is frequented by upper-middle class (it’s enough to look at its parking lot to estimate the average income of the fitness fans), young and middle-aged professionals who are supposed to be more intelligent and open-minded than the average Joe. Yet not only do they fail to come up with a PIN slightly more sophisticated than a 5-year-old would think of, they are also careless enough to leave it “open to the public” after they have used the locker.
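To put the locker observation in numbers, here is an added example (my own code, not part of the original post) that enumerates every three-digit code and counts how many fall into the two “easy” patterns described above. The A,A+1,A+2 rule is assumed not to wrap around (so 8,9,0 does not count); the code length is a parameter so the same check can be run for four-digit PINs.

```python
from itertools import product

DIGITS = "0123456789"


def is_repeated(code: str) -> bool:
    """A,A,A: every digit identical."""
    return len(set(code)) == 1


def is_ascending_run(code: str) -> bool:
    """A,A+1,A+2: each digit exactly one more than the previous.
    Assumption: no wrap-around, so '890' is not treated as a run."""
    digits = [int(c) for c in code]
    return all(b - a == 1 for a, b in zip(digits, digits[1:]))


def is_trivial(code: str) -> bool:
    """True for the patterns observed on the open lockers."""
    return is_repeated(code) or is_ascending_run(code)


def trivial_codes(length: int = 3) -> list[str]:
    """All codes of the given length matching a trivial pattern."""
    return ["".join(p) for p in product(DIGITS, repeat=length) if is_trivial("".join(p))]


def coverage(length: int = 3) -> tuple[int, int, float]:
    """(number of trivial codes, size of the keyspace, fraction of keyspace)."""
    total = len(DIGITS) ** length
    n = len(trivial_codes(length))
    return n, total, n / total


if __name__ == "__main__":
    for length in (3, 4):
        n, total, frac = coverage(length)
        print(f"{length}-digit codes: {n} trivial of {total} ({frac:.1%} of the keyspace)")
```

For three digits the trivial set is 18 codes out of 1,000 (ten repeats plus eight ascending runs), i.e. under 2% of the keyspace, yet by the observation above it opens roughly three out of four lockers. That gap between nominal keyspace and the codes people actually pick is the whole point of a lockout or rate limit on any PIN-style credential.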

Not that you’ll find it particularly shocking anyways…

Password Haystacks

In recent months the “dead horse” of password-based authentication got some new life in the form of so-called ‘password haystacks’. The approach, introduced by well-known security expert (and one of my favorite gurus) Steve Gibson, relies on knowledge of the logic used by password brute-force attackers. In essence the attackers – after trying a list of well-known passwords (“password”, “123456”, “cat” etc.), their variations (“pa$$w0rd”) and finally a plain dictionary – switch to ‘pure guessing’, where arbitrary combinations of alphanumeric characters and some special signs are generated and tried methodically until the password is found. Hence the “brute force” nature of the attack.

So far the best prescription for passwords was to make them both random and very long – advice routinely ignored by the user community, as it made such passwords extremely hard for humans to remember. What Steve came up with is that passwords with similarly high “strength” (i.e. resistance to guessing) can be created by artificially increasing their length (each added character increases the time needed to crack them exponentially) and the space of characters used in them (the wider the variety of lower-case, upper-case, numeric and special characters, the more combinations are possible – again drastically increasing the cracking time) by, say, prepending or appending some easy-to-remember “padding” to them. For example, ‘000Johny000’ is infinitely harder to brute force than ‘johny’ – yet it requires comparable effort for humans to remember. Makes perfect sense – you come up with your own secret “padding” pattern and use it to enhance your simple but consequently easy-to-guess passwords. Once enhanced, such passwords are both easy to remember and hard to crack (get a more detailed explanation from the source here). Sounds like a perfect solution, huh?

Up to a point. While the “haystack” approach certainly adds to password-based security, it is hardly the end of the game. Like anything else in security, password attacks are a never-ending cat-and-mouse game between the ‘locks’ and the ‘keys’. Thus it’s only a matter of time until fraudsters update their password-guessing algorithms/tools to check ‘popular padding’ patterns first before switching to ‘pure brute forcing’. Not to mention the possibility of ‘leaking’ one of your passwords some other way (e.g. through a phishing site), thus revealing the “secret sauce” of all your strong passwords – the “padding pattern” – to the attackers.
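The haystack arithmetic and the caveat above can both be checked in a few lines. The following is an added example written for this post (it is neither Steve Gibson’s code nor anything the original article shipped): it estimates the exhaustive search space of a password the way the haystack argument does (sum of charset^k for every length up to the password’s), then shows what is left of that estimate once the attacker already knows the padding pattern. The character-class sizes (26/26/10/33) and the dictionary and rule counts in the usage are assumptions chosen for illustration.

```python
import string

# Assumed character-class sizes: lower, upper, digits, and 33 printable symbols incl. space.
SYMBOLS = set(string.punctuation) | {" "}


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size


def search_space(password: str) -> int:
    """Guesses an exhaustive attacker must cover up to this length: sum_{k=1}^{n} S^k."""
    s = charset_size(password)
    return sum(s ** k for k in range(1, len(password) + 1))


def core_after_known_padding(password: str, known_paddings: list[str]) -> str:
    """Strip any padding the attacker already tries as a rule, leaving the part
    that still has to be guessed."""
    core = password
    for pad in known_paddings:
        if core.startswith(pad):
            core = core[len(pad):]
        if pad and core.endswith(pad):
            core = core[:-len(pad)]
    return core


def guesses_with_known_pattern(dictionary_size: int, padding_rules: int) -> int:
    """If the guessing tool applies each of `padding_rules` wrappers to every
    dictionary word, a padded dictionary word falls within this many guesses."""
    return dictionary_size * padding_rules


if __name__ == "__main__":
    weak, padded = "johny", "000Johny000"
    print(f"{weak!r}: charset {charset_size(weak)}, search space {search_space(weak):,}")
    print(f"{padded!r}: charset {charset_size(padded)}, search space {search_space(padded):.3e}")
    # Once '000' is a known wrapper, only the core word carries any strength.
    core = core_after_known_padding(padded, ["000"])
    print(f"with padding known, remaining core {core!r}: {search_space(core):,}")
    # Illustrative assumption: a 100k-word list and 50 popular padding rules.
    print(f"dictionary word + known padding found within {guesses_with_known_pattern(100_000, 50):,} guesses")
```

Run as a script it shows the haystack claim holding (the padded password’s exhaustive space is many orders of magnitude larger) and the counter-point in the same breath: against an attacker whose rule list already contains the padding, ‘000Johny000’ is worth exactly as much as ‘Johny’, and a dictionary word wrapped in a popular pattern is found in dictionary-size times rule-count guesses, nowhere near the headline number.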

At the end of the day, as often mentioned in the past, passwords as a viable protection mechanism are pretty much dead (mostly). Indeed, approaches like multi-factor authentication have no real alternative, no matter what clever way we come up with to make our passwords less guessable.

Passwords are passé

It’s clear. Authenticating users via passwords is hopelessly outdated – the sooner online businesses (those serious about keeping their customers safe) understand this, the better. Security questions are of no substantial help – they just put some short-lived life support on dying passwords. An IP/cookie check on the server side (if any exists, of course) helps, but only incrementally, as there are known workarounds actively used by the fraudster community. The only viable improvement – as of today – that qualitatively raises the bar is 2FA.

Many would say 2FA might be overkill for most of our online authentication needs. Well, I could definitely argue with this statement – at least in 90% of cases. For example, our email box contains extremely valuable information about us – enabling identity theft, great for waging a spear-phishing attack, or simply allowing an attacker to learn about your immediate plans in order to conduct “brick and mortar” theft. Not to mention social network accounts – they are remarkable in keeping a comprehensive log about their owners – contacts, friends, photos, status, communication – all in one place! In other words – the wet dream for a whole line of businesses – illegal as well as legal ones. And what – a pathetic password being the single key to this wealth of information? Hell, no!

That said, 2FA is far from bulletproof (e.g. it’s susceptible to a particular type of client-side attack). However, there’s little doubt that 2FA is the next major step in securing users’ identities online, and that this is the direction the industry will move towards (and finally quit trying to find a cheap alternative) in the next several years.