By DRP; Cybersecurity Lab Engineer
For well over a decade there has been talk of the demise of the password, and for years multiple people in the industry have claimed that the password’s time is limited. Initially, the password had the vital role of securing access to various files, the user’s email account, and so on. Without it, any number of people would have had access to data and information that in theory should have been private and confidential. Initially, the password’s composition convention was relatively basic.
This was basic and not very robust or creative. As time passed and attackers realized this, systems began to add complexity to the password’s format. This necessity was driven by potential issues, and the added complexity helped mitigate the risk of access being compromised. As a by-product, or secondary effect, it also increased the time required for a successful brute-force attack.
As the password became more complex, attackers adjusted their methods to compensate. This cyclical relationship will continue. Because this has been a relatively short-term fix, new login methods have been in development. Many options have been researched, developed, and put into full or limited use, including retinal and iris scans, the locations of blood vessels in the hand and face, and various other methodologies, with varying levels of success in their various uses. One of these authentication methods gaining more attention within the last year has been facial recognition.
The facial recognition software initially implemented rudimentary algorithms that used non-advanced geometric models. These worked within the system to note the location of certain facial features, such as the eyes, ears, nose, and mouth, from photographs or other data sources. From these initial data points, the algorithm calculated the distances between features and the resulting ratios. Naturally, over time, this function evolved and improved, and current systems use mathematical representations and matching processes.
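As an added illustration of the geometric approach just described (not code from the original article or from any product named on this page), the following Python turns landmark positions into scale-invariant distance ratios and compares them against an enrolled template; the landmark pixel coordinates and the 0.05 acceptance threshold are constructed assumptions.

```python
import math
from typing import Dict, Tuple

Point = Tuple[float, float]

# Landmarks the early geometric schemes located: the eyes, nose tip and mouth corners.
LANDMARKS = ("left_eye", "right_eye", "nose", "mouth_left", "mouth_right")
# Every unordered pair of landmarks, in a fixed order, so vectors are comparable.
PAIRS = [(a, b) for i, a in enumerate(LANDMARKS) for b in LANDMARKS[i + 1:]]


def feature_vector(landmarks: Dict[str, Point]) -> Tuple[float, ...]:
    """Turn landmark coordinates into scale-invariant ratios.

    Each pairwise distance is divided by the inter-ocular distance, so the same
    face photographed closer to or farther from the camera yields the same vector.
    """
    def dist(a: str, b: str) -> float:
        (x1, y1), (x2, y2) = landmarks[a], landmarks[b]
        return math.hypot(x1 - x2, y1 - y2)

    scale = dist("left_eye", "right_eye")
    if scale == 0:
        raise ValueError("eye landmarks coincide; capture is unusable")
    return tuple(dist(a, b) / scale for a, b in PAIRS)


def match_score(probe: Tuple[float, ...], template: Tuple[float, ...]) -> float:
    """Euclidean distance between two ratio vectors; 0.0 means identical geometry."""
    return math.sqrt(sum((p - t) ** 2 for p, t in zip(probe, template)))


def authenticate(probe: Dict[str, Point], enrolled: Tuple[float, ...],
                 threshold: float = 0.05) -> bool:
    """Accept the probe if its geometry is within the (assumed) tolerance."""
    return match_score(feature_vector(probe), enrolled) <= threshold


# Constructed sample data: landmark pixel coordinates, not real measurements.
ENROLLED = {"left_eye": (100, 100), "right_eye": (160, 100), "nose": (130, 140),
            "mouth_left": (110, 170), "mouth_right": (150, 170)}
# Same face, 1.5x larger and shifted in the frame: the ratios do not change.
SAME_FACE_RESCALED = {"left_eye": (170, 180), "right_eye": (260, 180), "nose": (215, 240),
                      "mouth_left": (185, 285), "mouth_right": (245, 285)}
# Same face with one pixel of landmark-detector jitter on the nose.
SAME_FACE_JITTER = dict(ENROLLED, nose=(131, 141))
# Different person: same eye spacing but a shorter nose and a wider mouth.
OTHER_FACE = {"left_eye": (100, 100), "right_eye": (160, 100), "nose": (130, 125),
              "mouth_left": (100, 150), "mouth_right": (160, 150)}
```

Whatever value the threshold takes, it sets the trade-off between rejecting the real user and accepting a look-alike; modern systems replace the hand-picked ratios with learned embeddings but keep this template-plus-threshold comparison.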
Initially, this was implemented for user validation and authentication, and in most instances it did work relatively well. In theory, this new and expanded application is safer than passwords, and it is a step toward addressing the need for improved security. A user can lose or forget a password, and a password can be cracked. By contrast, there is only one face like the user’s; except in the case of an identical twin, there is a single “form” of data. As a further benefit, this takes less time to process.
One new area of use is authentication for payments. The vendor predominantly implementing this has been Amazon, where a selfie is used to authorize online purchases. With this technology, the user’s image is used for authentication, and the system has also been coded to use motions or gestures. The motion integration is beneficial because the person has to show they are a live person and not a picture or other 2D representation. Amazon is confident enough in this technology’s application that it patented it with 20160071111 on March 10, 2016.
Mastercard also plans to implement a similar protocol; in its version, users would blink to authorize online purchases. Google was also testing its own method, termed “Hands-Free”, intended to allow people to pay with their smartphone by simply saying “I’ll pay with Google”. Google reportedly was also going to use facial recognition, but that project has since been shuttered.
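To make the gesture and blink liveness idea concrete, here is an added Python sketch of the server side of a challenge-response check (an illustrative assumption, not Amazon’s, Mastercard’s or Google’s implementation); the gesture names, the 10-second window and the minimum gap between gestures are assumed values, and gesture detection itself is assumed to happen on the capture client, which reports the events it saw.

```python
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Gestures the capture client can be asked to perform, in a random order (assumed set).
GESTURES = ("blink", "turn_left", "turn_right", "smile")


@dataclass(frozen=True)
class Challenge:
    nonce: str                 # unique per attempt, so an old answer cannot be reused
    gestures: Tuple[str, ...]  # the sequence the live user must perform, in order
    issued_at: float


class LivenessVerifier:
    """Server side of a gesture challenge. A photo or a looped clip can only ever
    show the same motion; an unpredictable, time-limited sequence defeats it."""

    def __init__(self, window_s: float = 10.0, min_gap_s: float = 0.2):
        self._window = window_s      # challenge must be answered within this time
        self._min_gap = min_gap_s    # humans cannot perform gestures instantaneously
        self._used = set()           # nonces already answered (replay protection)

    def issue(self, n: int = 3, now: Optional[float] = None) -> Challenge:
        now = time.time() if now is None else now
        gestures = tuple(secrets.choice(GESTURES) for _ in range(n))
        return Challenge(secrets.token_hex(16), gestures, now)

    def verify(self, ch: Challenge, events: List[Tuple[str, float]],
               now: Optional[float] = None) -> bool:
        """events: (gesture, timestamp) pairs the client reports having detected."""
        now = time.time() if now is None else now
        if ch.nonce in self._used:                         # answer already consumed
            return False
        if now - ch.issued_at > self._window:              # stale challenge
            return False
        if [g for g, _ in events] != list(ch.gestures):    # wrong or reordered gestures
            return False
        ts = [t for _, t in events]
        if any(t < ch.issued_at or t > now for t in ts):   # outside the challenge window
            return False
        if any(b - a < self._min_gap for a, b in zip(ts, ts[1:])):  # implausibly fast
            return False
        self._used.add(ch.nonce)
        return True
```

The check only proves that something performed the requested motions in order and on time; it does not by itself prove who that person is, which is why it is layered on top of the face match rather than replacing it.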
We certainly live in an interesting time. These advances in technology continue to amaze not only the consumer but the industry, and the trajectory of advancement continues to be exponential. This increase in usefulness does come with a price: the progression has not taken the time to explore security or work through most of the use cases. If there were a breach and the database holding the facial scan data were compromised, there would be rather significant issues for multiple parties. The entity would have to forensically investigate the incident, determine the extent of the data exfiltrated and whether it was being actively or passively sold on the dark web, secure the enterprise, and deal with other assorted issues; but the users would be affected as well.
Their facial recognition data would be compromised, and they only have one face. Attackers and unauthorized parties could use this to their benefit for years and years. Users cannot change at will their face, bone structure, location of eyes, and nose structure, which are what the authentication computation uses. This is not an isolated topic; it has occurred with government entities in the recent past (e.g. OPM).
There would also be difficulties if the person were the victim of violence to the face or of a serious car accident. The user would not be able to follow the general process for resetting a password; many more steps would be needed, involving other departments, to validate the events leading up to the change.
Apple recently experienced issues with facial recognition applications. Although this technology is advanced, it is not perfected. With the new iPhone, there is the opportunity to use facial recognition to unlock the phone; with a quick smile, the user can be calling or connecting to the internet. There has, however, been at least one recorded instance where a mother unlocked her iPhone X, relocked it, and handed the phone to her child, who was likewise able to unlock the phone.
These advances are a natural progression of our society and efforts. These and other advances should be placed in use. These should, however, be tempered with security and full testing procedures.
About the Author
DRP began coding in the 1980s. Presently DRP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry. DRP is presently completing a PhD (Information Assurance and Security) and is writing the dissertation. DRP’s interests include cryptography, SCADA, and securing communication channels. He has presented at regional InfoSec conferences.