For well over a decade there has been talk of the demise of the
password. Multiple people in the industry have claimed for years that
the password’s time is limited. Initially the password had the vital
role of securing access to various files, the user’s email account,
etc. Without it, any number of people would have access to data and
information that in theory should have been private and confidential.
Initially, the password’s composition convention was relatively basic,
and not very robust or creative. As time passed and attackers realized
this, systems began to add complexity to the password’s format. This
necessity was driven by the potential issues. The addition helped
mitigate the risk of access being compromised. As a by-product or
secondary effect, it also increased the amount of time required for a
successful brute force attack.

As the password became more complex, attackers adjusted their methods
to compensate. This cyclical relationship will continue. As this has
been a relatively short-term fix, a new method of logging in has been
in process. Many options have been researched, developed, and put in
full and limited use. These have included retinal and iris scans,
blood vessel locations in the hand and face, and various other
methodologies. These have met with various levels of success across
their uses. One of these authentication methods gaining more attention
within the last year has been facial recognition.

Early On

The facial recognition software initially implemented rudimentary
algorithms built on simple geometric models. These noted the location
of certain facial features from photographs or another data source,
focusing on the location of the eyes, ears, nose, and mouth. From the
initial data points, the algorithm calculated the distances and
subsequent ratios. Naturally, over time, this function evolved and
improved. These now use mathematical representations and matching
processes.
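
A minimal sketch of the distance-and-ratio matching described above, added here as an illustration and not taken from the original post or from any vendor's software. The landmark coordinates, function names, and the 0.05 threshold are all constructed assumptions.

```python
from itertools import combinations
from math import dist

# Constructed landmark coordinates (x, y) in pixels; not from any real image.
ENROLLED = {"left_eye": (120, 150), "right_eye": (200, 150),
            "nose": (160, 200), "mouth": (160, 250)}
# Constructed: a different person with close proportions (e.g. a relative).
SIMILAR = {**ENROLLED, "nose": (160, 203), "mouth": (160, 252)}
# Constructed: a different person with clearly different proportions.
STRANGER = {"left_eye": (115, 150), "right_eye": (205, 150),
            "nose": (160, 215), "mouth": (160, 285)}

def ratio_features(landmarks):
    """Every pairwise landmark distance divided by the inter-eye distance."""
    eye_span = dist(landmarks["left_eye"], landmarks["right_eye"])
    if eye_span == 0:
        raise ValueError("degenerate landmarks: both eyes at the same point")
    return [dist(landmarks[a], landmarks[b]) / eye_span
            for a, b in combinations(sorted(landmarks), 2)]

def match_score(a, b):
    """Largest difference between corresponding ratios; 0.0 means identical."""
    return max(abs(x - y) for x, y in zip(ratio_features(a), ratio_features(b)))

def is_match(a, b, threshold=0.05):
    # threshold is an assumed tuning value: lower rejects more look-alikes
    # but also rejects more genuine attempts with noisy landmarks.
    return match_score(a, b) <= threshold

def rescaled(landmarks, factor, dx=0, dy=0):
    """Same geometry at another camera distance and position in the frame."""
    return {k: (x * factor + dx, y * factor + dy)
            for k, (x, y) in landmarks.items()}

if __name__ == "__main__":
    # Ratios are scale-invariant, so a flat photo of the enrolled face held
    # nearer the camera scores the same as the live face.
    print("rescaled:", match_score(ENROLLED, rescaled(ENROLLED, 1.5, 30, -10)))
    print("similar :", match_score(ENROLLED, SIMILAR), is_match(ENROLLED, SIMILAR))
    print("stranger:", match_score(ENROLLED, STRANGER), is_match(ENROLLED, STRANGER))
```

Geometry alone cannot tell the live face from a picture of it, and a close look-alike can fall under the threshold, which is the gap the motion or gesture step described later in the post is meant to close.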

Updated Uses

Initially, this was implemented for user validation and
authentication. In most instances, this worked relatively well. In
theory, this new and expanded application is safer than passwords.
This is a step to address the need for improved security. The user is
able to lose or forget a password. The user’s password could be
cracked. By contrast, there is only one face like the user’s; except
in the case of a maternal twin, there is a single “form” of data. As a
further benefit, this takes less time to process.

One new outlet for this is authentication for payments. The vendor
predominantly implementing this has been Amazon. The selfie is used to
authorize Amazon online purchases. With this technology, the user’s
image is used for the authentication. It has also been coded to use
motions or gestures for the authentication. The motion integration is
beneficial, as the person has to show they are a person, and not a
picture or other 2D representation. Amazon is confident in this
technology’s application to the point they patented it with
20160071111 on March 10, 2016.

Mastercard also plans on implementing a similar protocol. With their
version, users would blink to authorize the payment for online
purchases. Google was also testing its own method. Its product is
termed “Hands Free”. This is intended to allow people to pay with
their smartphone by simply saying “I’ll pay with Google”. Google
reportedly was also going to use facial recognition. This project,
though, had been shuttered.

Issues

We certainly live in an interesting time. These advances in technology
continue to amaze not only the consumer, but the industry. The
trajectory of advancements continues to be exponential. This increase
in usefulness does come with a price. The progression has not taken
the time to explore security or work through most of the use cases. If
there were a breach and the database with the facial scan data were
compromised, there would be rather significant issues for multiple
parties. This includes not only the entity, which would have to
forensically investigate the issue, determine the extent of the data
exfiltrated and whether it was being actively or passively sold on the
dark web, secure the enterprise, and handle other assorted issues, but
also the users. Their facial recognition data would be compromised.
They only have one face. The attackers and unauthorized parties could
use this to their benefit for years and years. The users are not able
to change at will their face, bone structure, location of eyes, and
nose structure, which are used in the computation for the
authentication. This is not an isolated topic, and has occurred with
government entities in the recent past (e.g. OPM).

There would also be difficulties if the person were to be a victim of
violence to the face or in a serious car accident. The user would not
be able to follow the general process to reset their password. Many
more steps would be needed in this instance, involving other
departments, to validate the issues leading up to this.

Apple recently experienced issues with its facial recognition
application. Although this technology is advanced, it is not
perfected. With the new iPhone, there is the opportunity to use facial
recognition to unlock the phone. With a quick smile, the user can be
calling or connecting with the internet. There has, however, been at
least one instance recorded where a mother unlocked her iPhone X,
relocked it, and handed the phone to her child, who was likewise able
to unlock the phone.

These advances are a natural progression of our society and efforts.
These and other advances should be placed in use. They should,
however, be tempered with security and full testing procedures.