Selfie Password Concerns
MasterCard has initiated an unprecedented program to enhance the security of online purchases by using selfies as passwords. Amazon is also considering implementing this feature. It seems that this idea won't take long to become a trend after being adopted by such giants. Therefore, I have taken the time to discuss the good, bad, and ugly sides of it. While the good and bad aspects may be easy to guess, you may not be aware of how ugly it can become.
Good
- You are already familiar with it:
- There is no need to educate people on how to take selfies. In this era, most individuals have already taken at least one selfie.
- No need to remember:
- There won't be a need to write down your password on a post-it or visit a 'recover my selfie' page.
- Inherently "strong":
- Many people still use weak passwords like '123456,' but selfies are inherently strong as they contain all your facial traces, making them unique.
- Ubiquity of cell phones:
- Most people own a cell phone, and some even own more than one, as prices have become very affordable for these devices.
Bad
- Face recognition is not a solved problem:
- While it may work well in many cases, it is not foolproof. Many issues have been detected, such as this one and this one.
- This article highlights many tips that you should follow if you want your selfie to be recognized; otherwise, the software may fail to detect your identity.
- Possibly slower process:
- If you're using a desktop or a password manager, taking a selfie may slow you down. Even if only by a few seconds, it affects the user experience. You can make an analogy by comparing it to voice messages on WhatsApp. Although practical, it comes with a speed trade-off compared to typing.
- Excessive trust in devices:
- Suppose we're talking about an Android mobile phone, for example. The mobile application must access the camera to take the selfie, right? Now imagine a scenario where the camera is tainted, and instead of sending the app the photo just taken (selfie), it sends an already saved image to the app. Let's say this already saved image is a selfie of someone else, let's call him John. Will the server consider the "selfie" it received as John's selfie? Yes, that would be a "Selfie Hijacking." This highlights the risk of placing too much trust in devices.
- "Selfie Captcha": To prevent such attacks, I came up with the idea of a 'selfie captcha,' where you would have to make a certain pose when taking the selfie, such as blinking one eye and showing two fingers of your left hand. The more combinations, the more secure it would be. Although it might seem awkward and could be exploited if the attacker knows the challenge and has Adobe Photoshop skills, it's an interesting concept for a penetration tester, don't you think?
- Cross-device validation: Implementing cross-validation using Internet of Things (IoT) devices to check for heart rate, pressure, etc., may be impractical for the masses. Thus, the best option would be to use selfies as an additional factor, without removing passwords.
- Selfie from Photo: Another type of attack that may emerge is simply printing a selfie of someone else, e.g., John, and holding it in front of the camera. This attack is much easier to perform and doesn't require any changes to the device, such as jailbreaking.
- Selfie Man-In-The-Middle (MITM): Unbelievable but true. Check out the project Face2Face: Real-time Face Capture and Reenactment of RGB Videos.
- You can't revoke your face:
- If someone hijacks your selfie, it would be complicated to change your face to protect your account. That's another reason not to rely solely on selfies.
Ugly (hint: it's all about Privacy)
- Taking selfies in certain places may not be comfortable:
- What about making a purchase from your bathroom while doing your business? That won't be very comfortable anymore, if it ever was. It's already inconvenient to play WhatsApp voice messages as you don't know what the other person will say. Taking a picture is equally as bad.
- Sharing much more data:
- Kangairo! Your face isn't the only thing in a photo. You'll be sharing the faces of people around you, your location, objects around you, what you are wearing, and whatever can be found in your selfie. So what? You may wonder. Let me give you some ideas about what Amazon or any other company could do:
- Suggest new products: By analyzing the objects around you, companies can deduce what you'll need next with great precision. They already have the software for that.
- Map your relationship to people nearby: Suppose your friend appears in your selfie. Later, if this friend of yours makes a purchase on Amazon, his data can be used to suggest products to him based on your purchase.
- Track your location: Perhaps the scariest aspect? Google's PlaNet has the capability to identify the location of any photo without metadata just by analyzing its contents.
- Kangairo! Your face isn't the only thing in a photo. You'll be sharing the faces of people around you, your location, objects around you, what you are wearing, and whatever can be found in your selfie. So what? You may wonder. Let me give you some ideas about what Amazon or any other company could do:
Conclusion
Biometrics have led the world to convenience, which often conflicts with security. However, it seems they are here to stay, starting with iPhone's fingerprinting and now selfies (although I know, there are already many attacks out there regarding fingerprinting. Chaos Computer Club has proven that to the world).
Selfies are a positive step in increasing security for the masses, but relying solely on them would be reckless given the arguments above. Using them as an additional step would be good, although privacy concerns should not be overlooked. Users must know what is happening behind the scenes before using this technology. Companies should not hide what will happen to user data solely in the privacy terms. It is not an effective way to educate users. Let's see what the future holds.
That's it for today. Thank you for reading.
