Amazon Wants To Replace Passwords With Selfies and Videos (thestack.com)
An anonymous reader writes: Amazon has filed a patent application for a technology which would allow consumers to authenticate transactions via selfie or video. As part of the verification process, the computer or mobile device will prompt the user to 'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.' Amazon claims that the introduction of facial recognition technology will make transactions more user friendly and secure than conventional identification methods, such as passwords which can be stolen and hacked.
As if Amazon isn't bad enough, now it's just downright creepy.
"If any question why we died, Tell them because our fathers lied."
You'd think with a company as big as Amazon they would this is a really easily exploitable type of authentication
there aren't any pictures of me on the internet.
Oh.
Sounds like a really small keyspace. I'll keep my Keepass managed 64 randomized passwords, thanks.
Especially as I'm going through orders printing dozens of invoices and being forced to login again every few minutes.
In addition to facial recognition, this system will be able to learn your natural movements, so even if you somehow obscure your face from the orwellian cameras, your natural body movements will still give you away.
I, for one, will refuse to participate in this system, and if Amazon wishes to mandate it, then I will never use them again.
Think of it more as Amazon trying to encourage the development of automated photo morphing technology. In a decade, we may have some awesome algorithms to obviate those photo editor people... what's the word... Photographers.
Only if I can use a picture of my actual asshole.
Then you're going to have a problem when the computer tells you to tilt your head.
You are not alone. This is not normal. None of this is normal.
I'm not too optimistic about systems like this. Sure, passwords can be stolen, but if you're careful they can be kept secret, and they can be changed if need be. But my face? If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck. And on the other hand, I'm also concerned that an automated system could decide that I don't look like me; the state of my beard at the time or whatever throwing it off.
So in short, interesting idea, but probably not all that practical.
Is facial recognition good enough to detect differences between identical twins 100% of the time? Or are twins the next group to be left out in the cold by a technological advancement?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Presumably it won't work because it couldn't perform whatever action was demanded for authentication. So you'd need a 3D model to map it on, and a library of potential actions for it to perform.
Who ordered that?
Allegedly for help with the troublesome task of entering passwords from a mobile device, this co-opting of the device's camera function is a bit too Orwellian.
And if I get to where I can't use a mobile phone keyboard, I will use a tablet or just wait till I get my ass home.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Great, catfishing is already popular, so someone had to come up with a form of security easily thwarted by it?
Inheritance is the sincerest form of nepotism.
And what happens if your face is damaged in an accident, or you have a stroke, or you die? How do you/your caregivers/the executor of your will, etc get access to information on your phone/computer if it is well protected? Heck, how do you call 911 in an emergency, if your phone decides that you aren't an authorized user? I suspect that digital secrecy and easily accessible encryption may introduce a plethora of problems that no one is paying much attention to.
"Siri. There's a maniac with an axe breaking down my door. Call the police."
"I'm sorry 'Dave' or whoever you think you are. I don't think I can do that without your passphrase and an image. Turn up the lights and try again."
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Wait:
"The entry of these passwords on portable devices is not user friendly in many cases, as the small touchscreen or keyboard elements can be difficult to accurately select, "
You mean to say things are not easy to do on mobile device??? About fucking time someone said this. OF COURSE IT'S NOT EASIER...it never was - never stopped you from pushing people to do all things mobile.
Again, it's about the mobile device not the computer. Never had a fucking problem ordering via a computer. Fuck Off Amazon.
If you want to buy something put a shoe on your head!
Seven puppies were harmed during the making of this post.
& my desktop doesn't have a camera.
So, no more Amazon for me then, I guess?
You can dial 911 from the lock screen.
I'm going to have a problem when Amazon finds out I don't have (nor want) a webcam.
Seven puppies were harmed during the making of this post.
For that will sure cause MADNESS!
VOTE TRUMP 2016
Are they crazy? Put user biometric data into companies' hands (so it can be stolen like everything else) - and of course you can't change it once it's been compromised - which will happen, then you're stuck (not the company that lost it of course...they'll give you a year of credit monitoring). As others have pointed out giving companies access to your biometric data, camera and microphone on your access device is wrong on a bunch of other levels (privacy, govt access via that company etc.). No fffing way.
(r)evolution is their advocation?.. long delayed moms of the nile conference seeking fruition... see you there//// little miss dna cannot be wrong...
Imbeciles.
Ah the joys of 'security'.
I'm waiting until we finally get the 'If a 4 digit pin is secure enough for your bank, why not for us too?'. We don't need this kind of thing and we are going about it all wrong. Security shouldn't be easy, it should be hidden. Hell, if Amazon are good enough to predict what I'm going to buy, surely they know something is wrong the moment I start buying loads of something unexpected, and then try and ship it to somewhere I don't even live?
Nothing is wrong with a good password, and this is just going to stop people using one instead.
- http://www.milkme.co.uk
I expect that people will make such a thing. Might not even need to be as sophisticated as a 3D model.
I have got some awesome ideas for user authentication, Amazon should HIRE me.
Yep. Calls to emergency services are always able to be made, regardless if the phone is locked, or even has a SIM card in it at all.
the world over suddenly get their accounts hacked...
All this nonsense and they don't even use two factor authentication like say the Yubikey.
So all I have to do is obtain somebody else's video and/or selfie in order to forge the bio data that is extracted from it.
Biometrics are not more secure, they are LESS secure. Fingerprints for example, If somebody gets your password, all you have to do is change the password; but if somebody gets your fingerprint, you can't change that; all you can do is turn off the fingerprint authentication. The same is true with retina scans, facial recognition points and even DNA.
Passwords may result in bad habits, but it's still the best way among those methods.
Biometric data can also be stolen or hacked. The difference is that I can change my password in a matter of seconds. My biometric data, if stolen, is compromised for my entire life.
That being said, I don't mind the fingerprint scanner on the iPhone and Nexus phones, because they're kept entirely local and the whole system locks down if the biometric data could be compromised. But what Amazon is proposing is that I send my biometric data across https every single time I want to log in to watch some Prime movies? Hell no.
The 3 factors are
Something you know : Password
Something you have : Key
Something you are : Biometrics
also known as ...
Something you forgot
Something you lost
Something you cease to be
Puteulanus fenestra mortis
"Amazon is pleased to announce the latest in cutting-edge security: Dick Pic Authentication/Tit Pic Authentication (DPA/TPA). To access your account, simply snap a quick shot of your junk/tits!"
People are funny. They sell less secure technologies as more secure. Fingerprint passwords for example: Just grab a coffee mug, or better yet, a paper cup from a user who goes to Starbucks/Second Cup and presto! I have your password. Now we want to use photos? Graphic images or videos that are possibly published on Facebook (or Google+ or some other social media). That is even easier to copy. We've all seen that voice passwords can be duplicated, especially with snooping devices over cell phones (which we know the police use now). At least with passwords, they are easy to change and require an expert sniffer or getting into someone's head. Not perfect, and yes they are broken, but it takes, in my observation, more work than getting a fingerprint, or better yet a selfie that has been transmitted to friends, family and every server/transmissions repeater point/server farm in between. You can argue passwords travel between servers too, but people tend to send their favorite selfie to everyone. In other words, people are far more careless with selfies than passwords (Unless you are one of those in the dark ages still using relative/loved one's name with no numbers). Oh, it would also require us to remove the black tape many of us put over our phones/tablets/laptops to prevent hackers/backdoor users (aka government) from using our phones to invade our privacy. Even more insecurity.
"Imagination is more important than knowledge" - Einstein
... via facial recognition from google image search.
Assuming the server side biometric data doesn't ever get compromised, how the fuck are they going to detect on the - very hackable - client device that the photo or video is live and not downloaded off facebook or youtube?
Seriously, who is the idiot who approved spending money on this patent? Any Amazon shareholder cares to sue him for wasting the company's money?
I apologize for the lack of a signature.
Similar Software was utilized as a Windows 98 add-on. To log in, you had to sit in front of the computer and facial recognition software acted as the password manager.
On a 180 MHz overclocked Compaq desktop, just to let you know how old this 'selfie for a password' idea truly is.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Because they need taking around the back and given a good talking to.......
The fad for having username and password entry on different screens (no more username -tab- password -enter-) is already driving me up the wall, why should I expose a webcam to the jerks too and perform a "funny dance" to get access to my data?
The next thing - "10 weirdest verifications" on the Yahoo home page....
talk about a finite series of combinations...
People already made such a thing - have you seen Avatar or The Curious Case of Benjamin Button
The more anonymous the transaction, the better. The last thing anyone needs is to put more of ourselves "out there" ready for hackers or NSA terrorists to take advantage of.
That is an awesome summary. I just put that in slide set 1 of graduate class materials on developing secure software: http://www.dwheeler.com/secure...
- David A. Wheeler (see my Secure Programming HOWTO)
What about my evil twin?
Will shaving off the goatee be enough?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
It's a good thing that computers can't make lifelike images and that no pictures of people are on the Internet. Oh, wait, those assumptions might not be true. Look, all authentication systems have weaknesses, but this one seems designed to be trivial to circumvent. Ugh.
- David A. Wheeler (see my Secure Programming HOWTO)
At least with passwords I could use a password manager.
This has two problems:
1) At some point the face is reduced to a set of numbers. Those numbers can be stolen and reproduced just the same as a password.
2) The other way to hack this is at gunpoint.
- For the complete works of Shakespeare: cat
If people become used to this, the candid camera sketches would be unending.
"For verification of identity, please now introduce your pencil in your left nostril".
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
> How do you/your caregivers/the executor of your will, etc get access
"Hold your dear departed father up straight! Ok, now tilt his head to the left. No! HIS left!"
- For the complete works of Shakespeare: cat
If a password is compromised, it can be changed, and then you're secure again.
If your face is compromised, it cannot be changed.
All eggs in one basket. Not wise.
Same problem with fingerprint scanners.
Same problem with using SSN or passport numbers for ID.
And what happens if your face is damaged in an accident, or you have a stroke, or you die?
Then, if it was really important, you would have hopefully already set up a way for someone you trust to get your password (which, contrary to the headline, is not being "replaced" in the most literal sense) and then they can get access to your stuff.
I can't help feeling your doom-mongering is a bit like saying, "They want us to start cars with keys? What if I lose my keys?!" We seem to have managed okay with such a system so far.
systemd is Roko's Basilisk.
Face recognition is all fine and well till you grow a beard, or have a stroke.
Have you ever fallen asleep at the keybhanusdiog?
I'm all for better ways to authenticate. Fingerprint, selfies, gestures, code generators...
But why must it always be framed as getting rid of passwords. Why not in addition to? As the old saying goes, good authentication involves 3 things.
Something you know (password)
Something you have (token generator)
Something you are (fingerprint, selfie)
They can play with these in terms of convenience and security, but I hope we never get rid of passwords. Maybe Amazon can use selfies for low value transactions, and then require a password for high value transactions or something like that.
I'm not gonna perform some kind of tricks like a dog to log into any account.
Have gnu, will travel.
...and obtaining a database of such models for various users becomes further motivation to compromise webcams. Way to go Amazon, keeping the cracker economy vibrant.
Someone had to do it.
As an evil twin, I'm very much in favor of this. On the downside, I'll have to shave my goatee...
Redundancy is good And also good.
Well, a way to get users to turn on their cameras... what a great solution to a social engineering problem:
How to get users to turn on webcams to see where they live...
Amazon: Your password for today, is a picture of your tits.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
When I flare my nostrils my face disappears. So this wouldn't work for me.
MITM attack: relay the commands to the user, relay the video to Amazon, bingo, I'm done.
Replay attack: use an expert program to reconstruct video stream from prior samples.
Prior art from chans: "Put your shoe on your head if not a bot", "Selfie with timestamp, plz"
However, what's really going on is just acclimating more humans to take orders from machines. We already allow machine enforcement of the law via red-light cameras. We're trained to give up control to the more competent parallel parking machine. We have social networks having us identify our friends' faces like a mock line-up, and we have ever watching eyes on game consoles that watch our kids in case we ever get out of line...
Hint: Roombas are shitty floor sweepers. They are excellent at indoctrinating humans to let autonomous robots crawl along the floor with their beloved infants and pets.
Back in the day, when my Father was selling the first televisions, there was the story of the lady who would get dressed up every week and clean the living room before watching Milton Berle. Because she didn't want him to see her in her robe. They had to explain to her that it didn't work that way.
Not all devices have cameras
'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.'
No way a video of that could ever be faked!
It would be totally impossible to capture or intercept the video of a legit transaction and then play it back, that could just never, ever happen!
And with the advanced video tools on the market, it would also be utterly impossible to take some innocuous pre-existing video and modify it. Anyone who's ever uploaded more than a few seconds of video of themselves to YouTube doing anything is now at risk of being spoofed.
Seriously, it's like Amazon is searching for novel ways to make transactions less secure.
Why not just restrict all passwords to, oh I dunno, a maximum of 2 even numbers and be done with it?
Just cruising through this digital world at 33 1/3 rpm...
> How do you/your caregivers/the executor of your will, etc get access
"Hold your dear departed father up straight! Ok, now tilt his head to the left. No! HIS left!"
Yes. Those guys would have had so much more fun with access to Bernie's Amazon account.
It must have been something you assimilated. . . .
This sounds exactly like what 4chan users on /b/ have been using for identifying if OP is really delivering.
"Shoe on head."
"Sharpie in pooper."
--
BMO
Security Theater!
Suddenly, remote web cam hacks potentially became more profitable
As someone with Parkinson's that already has enough problems using modern phones since they all want to do gestures and hover crap, and it has to be turned off per-app, can't be globally (at least, on Android), how about a big fark you. I don't need someone telling me my smile isn't an adequate smile at 2am, just because I can't really control my face.
"Siri. There's a maniac with an axe breaking down my door. Call the police."
Did you miss the news story just within the last couple days about how terrible voice assistants are at stuff like that?
For people who aren't camwhore narcissists?
I had a similar idea but for Git. I asked one of the SW guys to write a Microsoft Kinect interface for Git. I'd use a middle finger going side to side to commit and thrusting the middle finger up and down would be a push. Now, two double fingers moving rapidly but in any direction would be a merge (because that's what everyone does when that tool merges any file). A shaking fist would be a pull (normally after a merge following the deletion of the merged file).
...for backward compatibility the password login is always there.
Good, you have introduced a new point of failure without eliminating the old one.
I am not going to use biometrics to authenticate shit
You can only get your biometrics stolen ONCE, after that big effing luck changing your eye signature or your fingerprints
You have littered the whole internet with your Facebook and Instagram pictures in a wide variety of pictures
Media ppl specially, there are thousands of hours of high resolution video of your face in a wide variety of poses, you are soooooooo screwed
Lazy ppl unwilling to remember passwords are going to be the end of us
Just send them RFID/USB tokens that generate hashes with a secret seed or that store a long table with random values loaded by Amazon themselves, stop it with the biometrics nonsense
1. get photos of person. 2. use photos to create a skin for a Hi rez CG animation program 3. use CG animation program to trick authentication software. 4. Profit!
Getting a BOT to do things upon command is easy. There is going to be a limited number of things that can/will be asked for, these can be pre filmed/rendered in advance. If they do come up with a new required antic - then you don't get to login; is that a problem? Breaking 10% of accounts mechanically still gets you into lots of accounts.
10 years ago The Subservient Chicken was doing this. It was bought by Burger King .... now all that remains is an inane video.
Except that it's more like replacing a secure mechanism with a less secure one that's more convenient. The problem they're trying to solve is to make it easier to get a low level of security for people who think passwords are too confusing.
It might require a little bit of sophistication to create the software that would make an image respond to the requested gesture, but this would pave the way for credentials to be stolen (permanently) by just taking a picture of a person.
Somehow I don't think this is a good idea.