Using Face Recognition Instead of a PIN Number
coondoggie writes "Face recognition as a unique biometric is growing slowly in certain corporate and consumer applications, but researchers at the University of Houston (UH) are trying to make the technology far more ubiquitous and secure: they want it to replace the dozens of personal identification numbers (PIN), passwords and credit card numbers everyone uses every day.
University researchers developed the URxD face recognition software that uses a three-dimensional snapshot of a person's face to create a unique biometric identifier."
This is stupid for a couple of reasons. The first is that biometrics suck and are usually almost trivial to subvert. See the $10 fake finger, for an example. What do you do if somebody hacks your credentials as well? Have facial re-constructive surgery? But even if you had very good biometrics that were hard to fake, it is still less secure than having separate credentials to access everything.
Why is this? Well for the sake of argument, let's suppose it costs £50 to create a duplicate of my chip and pin card that will work in any cash point. I have four such cards in my wallet so the cost of duplicating them all is £200. In order for the biometric to replace my cards completely and be equally secure, it has to cost more than £200 to fake.
The problem is that the unified security mechanism rarely costs more to subvert than all the IDs it replaced. This doesn't just apply to bank-cards; it also applies to national ID cards and any centralisation of security.
The fundamental principle here is that centralising security often reduces security. This is something to keep in mind when you're consolidating servers.
Simon
It's an interesting concept. I will agree with that.
Essentially, it uses your face to access your information in a database, which could include bank, credit card, medical, or pretty much anything else desired.
However, all a person then needs to commit fraud is to capture these scans and feed them back to the software...
I'll keep my zero liability credit cards and my 4 and 6 digit pin numbers, thank you.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
Minimum requirements such as character types and length are there to force complexity (to a certain degree). It has nothing to do with how the program is coded.
Also, if you allowed 50 character passwords, I would imagine your password reset/failure support calls/tickets would rise considerably because people forget them.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
I disagree, I think "welcome to the real world" is easier to remember than "mypasswrd1". Sentences evoke memories, visual and auditory, which random lumps of characters or artificially squashed single words do not.
DRM-free indie games for the PC and Mac: Positech Games
These guys didn't watch "Mission: Impossible"?
Instead of using something that's secret and can be changed, they want to start using something that everyone can see, and is not changeable.
- You have to consciously enter a PIN to give it away - unless you're fooled by a complete rebuild of an ATM, you're not likely to enter this particular number anywhere else; but you show your face to everyone in the street, making it trivial to get several photographs of it and even do a 3D reconstruction if desired.
- You can enter a number at a keypad even if severely impaired and under pretty unfriendly conditions (outside ATM in heavy rain, when you're wearing gloves and are a little under the effect of both a cold and cold medicine, say). It's a pretty fool-proof, accessible way of entering a small amount of data. Facial recognition, on the other hand, requires - unless there have been vast advances - very good lighting, a clear image of the face not obscured by sunglasses, intensive make-up or bruises, and no vast changes in hair style or beard growth.
- Image recognition is cost intensive, energy intensive and computationally expensive; a keypad of the highest level, secure and proof against vandalism will cost what? A couple of hundred bucks at most? To get facial recognition you need light sources that don't interfere with the cameras, the cameras themselves, complex software behind them and - also very important - you need large amounts of data on the facial features. Granted, it might be easy to compress them to a couple of hundred kb's if you're willing to sacrifice some accuracy, but compare that with the four or five bytes you need to store a PIN!
- Problem of false negatives and false positives: when I enter a PIN I can usually get it right on the first try; I usually only run into problems when I confuse it with the PIN from another card. Entering it wrongly has happened maybe once or twice in my life, as far as I remember. Now, what are the chances that the facial recognition software will correctly identify me 99.99999% of the time? And how big is the risk that it might mistake another person for me?
- Another thing: right now I can hand my credit card to my brother, tell him to pick me up a little cash from an ATM and give him my PIN and card. Will there be provisions made for you to authorize other people, like your spouse? How many? For how long?
I think it's strange that so many people seem to think just because something is newer it is automatically better than the old technology / method / tool. Don't get me wrong, I love progress - but increasing the failure points of a known and working (if not perfect) system seems like a strange idea to me...
-- Language is a virus from outer space.
I guess you'd have to have your biometrics updated every few years as you age. More often if you smoke, drink heavily, sunbathe, etc... those things age you faster.
I prefer Flambe as opposed to flamebait.
But a PIN is only compatible with an ATM. You need a PIN number in order to use an ATM machine.
> The first is that biometrics suck and are usually almost trivial to subvert.
Okay sure, spend $50 on some sensor or $150 on sensor+lock and it will accept a fake finger. But that's not your average biometric installation.
> What do you do if somebody hacks your credentials as well?
If the bad guy wants in, he won't try to reproduce your *face* to get in. This is just absurd.
> The problem is that the unified security mechanism rarely costs more to subvert than all the IDs it replaced.
Except biometric installations aren't replacing many access control mechanisms with one. This just isn't happening right now. Later on when stupid people implement biometric authentication, it probably will. They'll probably buy the $50 biometric device too. **Good** biometric systems are expensive and the people paying for them want the best and they normally get it.
> The fundamental principle here is that centralising security often reduces security.
As stated before, this is not what's happening in biometric installations. Yes, it's quite true with servers. But biometric installations and servers are not comparable.
Finally, biometrics is an excellent solution to some problems. As the technology continues to improve, it will only get better.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html