Amazon Wants To Replace Passwords With Selfies and Videos

An anonymous reader writes: Amazon has filed a patent application for a technology which would allow consumers to authenticate transactions via selfie or video. As part of the verification process, the computer or mobile device will prompt the user to 'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.' Amazon claims that the introduction of facial recognition technology will make transactions more user friendly and secure than conventional identification methods, such as passwords which can be stolen and hacked.

Laugh

[koan]

As if Amazon isn't bad enough, now it's just downright creepy.

Re:Laugh

[tiberus]

'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.'

As if Amazon isn't bad enough, now it's just downright creepy.'

Creepy isn't quite the word that comes to mind, more like pervy.
Just what "certain actions, motions or gestures" we talkin' 'bout here? Just wanna know if I'm gonna have to clean up afterward...

Re:Laugh

[crunchy_one]

My gesture to Amazon: Middle finger up.

Re:Laugh

[rmdingler]

"I'm sorry Mr. One. That password is already in use.

Please choose again. Suggestion: middle finger up with the pinkie of your left hand inside your right ear."

You just tried it to see if your pinkie would reach, didn't you?

Re:Laugh

[sootman]

Well-endowed girls everywhere will be complaining, "Why does Amazon always want me to jump up and down?!?"

Re:Laugh

[Darinbob]

Amazon says, "give us a twirl, love."

Re:Literal Morons

[th3dutchman]

*They would know

Re:Photo in front of the camera

[bytestorm]

Think of it more as Amazon trying to encourage the development of automated photo morphing technology. In a decade, we may have some awesome algorithms to obviate those photo editor people... what's the word... Photographers.

Re:Photo in front of the camera

[squiggleslash]

Then you're going to have a problem when the computer tells you to tilt your head.

Can we stick with passwords?

[YukariHirai]

I'm not too optimistic about systems like this. Sure, passwords can be stolen, but if you're careful they can be kept secret, and they can be changed if need be. But my face? If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck. And on the other hand, I'm also concerned that an automated system could decide that I don't look like me; the state of my beard at the time or whatever throwing it off.

So in short, interesting idea, but probably not all that practical.

Re:Can we stick with passwords?

[SIGBUS]

And then there's fingerprints. Nothing like a "password" that gets printed onto almost anything you touch!

Re:Can we stick with passwords?

[Max_W]

...But my face? If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck. ...

A Niqb could be a solution, at least for women: https://en.wikipedia.org/wiki/...

Re:Can we stick with passwords?

[Jason+Levine]

If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck.

Exactly this. We keep telling everyone not to share their passwords. What's one of the big things people love sharing? Photos of themselves! When you make someone's face their password, you've just turned every selfie they've ever sent into a shared password. How long would it take to compile those "password shares" into something that could fool Amazon's system?

I recently tried an app MSQRD which maps someone else's face onto yours. It works surprisingly well: changing your face into a gorilla or Tony Stark or Barack Obama. You can move your mouth, tilt your head, etc and it keeps working. Now imagine if someone were to make something like that but using all those selfies that someone posted and using the result to fool Amazon's app into thinking that's what you really looked like.

Passwords have their flaws, but those can be mitigated by additional layers of security (e.g. two factor authentication). Facial recognition is one of those things that sounds good in theory, but falls apart on closer observation.

Re:Can we stick with passwords?

[castionsosa]

Daybreak (formerly SOE) had technology in EQ2 and EQ:Next where it would map your facial expressions onto your character's. Called SOEMote, it fell right into the bottom of the uncanny valley, but was an interesting thing to play with.

Re:Can we stick with passwords?

[I4ko]

How about the system recognizes the blood on my face and the knife on my throat or the gun next to my head. Using faces for passwords is as ridiculous as using fingerprints for passwords. Biometrics should only be used for usernames, passwords should be something you know, not something that you are.

Re:Can we stick with passwords?

[YukariHirai]

Using faces for passwords is as ridiculous as using fingerprints for passwords. Biometrics should only be used for usernames, passwords should be something you know, not something that you are.

This is the most sense I've ever heard talked regarding biometrics.

Re:Can we stick with passwords?

[Maxo-Texas]

While I see a host of problems, this isn't a face. This is a video stream of your live face combined with an arbitrary suggested action.

Re:Can we stick with passwords?

[YukariHirai]

And it is not impossible to map an image of someone over a CG model and have it move whatever way you want. It probably wouldn't convince a human that it's the real person, but it wouldn't need to.

Identical twins?

[fluffernutter]

Is facial recognition good enough to detect differences between identical twins 100% of the time? Or are twins the next group to be left out in the cold by a technological advancement.

Re:Identical twins?

[pr0fessor]

My own sister used to have trouble detecting difference between my brother and I and we are not twins. Not so much now that we have very different hair and facial hair styles but friends we haven't seen in a long time sometimes still mistake us for each other.

Re:Identical twins?

[Cro+Magnon]

My GF's sister could probably pass for her if she let her hair grow and colored it. As it is, when she was around people who know my GF, everyone knew she was R's sister before anyone said anything.

Re:Identical twins?

[pr0fessor]

Back in the 90s and even as recent as 2005 my brother and I had the the same hair style and the same style clothes and I would frequently have his friends or co-workers walk up and just start talking. I would and say something like you must know my brother and they would look at me funny and then notice the more subtle stuff like a wedding ring. That didn't actually convince one girl she thought he was a lying cheating bastard until I pointed out that I also have a tattoo and he doesn't.

Re:Photo in front of the camera

[Jamu]

Presumably it won't work because it couldn't perform whatever action was demanded for authentication. So you'd need a 3D model to map it on, and a library of potential actions for it to perform.

Multiyear Prime subscriber here...

[rmdingler]

No. No. Hell no, Amazon.

Allegedly for help with the troublesome task of entering passwords from a mobile device, this co-opting of the device's camera function is a bit too Orwellian.

And if I get to where I can't use a mobile phone keyboard, I will use a tablet or just wait till I get my ass home.

Re:Multiyear Prime subscriber here...

[rmdingler]

I agree with the sentiment of your comment, and I also understand Amazon may choose to trace my review of their proposal to my Slashdot identity.

Their ancillary information bot is like a digital bloodhound, but a flaw in a code remnant (left, I like to believe) by a sympathetic coder will allow my negative/negative/expletive negative preamble to be recorded as three lost Prime memberships during collation efforts.

Re:Multiyear Prime subscriber here...

[houghi]

I agree with you. OTOH they are looking at a solution. The thing with passwords and logins is that we have too many.

'Use porgram X as it is a great password manager' is not always a solution.When I look at the passwords and logins I need to remember, it becomes silly. And no, I am NOT able to install software on all the things I do access sites.

For private use I can, most of the times, select my login. For work? Not so much. At one job I had I had 8 different loginsand 4 passwords I could not change. "But that is unsafe". I know, however that was what it was. Hardly a reason to quit.
Then the stoopid rule of changing the password every 30 days. Not 31, 30. So I started using easier to guess passwords, for obvious reasons.

Then the ones for my private life. I have home, email, bank and a gazillion different websites. Some I do only access once per year.

The whole issue with password security is that everybody only looks at their own website. If you have only one login and password, it all makes sense. If you have 100, it does not.

And I am of the few people who has 5 passwords
1) Super secret for home access and main email. Only three places it is used.
2) Banking, website and DNS related
3) Work
4) Web stores where I order stuff
5) All the rest (e.g. /;)

Now you can call me stupid to not have a separate password for each and every site. You would be right on a technical level. However security is a social issue. What IT people have been looking for is a technical solution for a social problem.
They almost always do not factor in the weakest link and that is the human. Then they blame that human for not adapting to technology.
If a chair is too tall, you do not ask people to change their height, you change the chair. So if password security does not work, do not change the human, change the system. And what I see is that they are at least trying to do that and look in alternative directions.
Will it be a fix for all? Obviously not, but that should not discourage them from looking (and fail a few times) before they get it right.

Re:Multiyear Prime subscriber here...

[DogDude]

"Multiyear Prime subscriber here"

"a bit too Orwellian"

I don't think that you know what "Orwellian" means...

Re:Multiyear Prime subscriber here...

[pla]

Allegedly for help with the troublesome task of entering passwords from a mobile device, this co-opting of the device's camera function is a bit too Orwellian.

Even given how annoying most phones make it to enter non-alphanumeric characters, I can't help but think that I can still enter 8-12 random characters faster than finding a well-lit spot and performing a variety of selfie poses on command ("Sit... Beg... Play dead... Fat-girl pose... Roll over... Good human, here's your account!").

Dear Amazon - I love the convenience your services provide me, but if you ever require the use of this bullshit, I'll drop you faster than a sack of steaming turds.

Re:Multiyear Prime subscriber here...

[war4peace]

What webmasters should do is quit looking at their own website only and implement SSO. OAuth2 or whatever. Some sites already have it, and it works.

Reverse Engineering Social Engineering

[fibonacci8]

Great, catfishing is already popular, so someone had to come up with a form of security easily thwarted by it?

Re:Photo in front of the camera

[vtcodger]

And what happens if your face in damaged in accident, or you have a stroke, or you die? How do you/your caregivers/the executor of your will, etc get access to information on your phone/computer if it is well protected? Heck, how do you call 911 in an emergency, if your phone decides that you aren't an authorized user? I suspect that digital secrecy and easily accessible encryption may introduce a plethora of problems that no one is paying much attention to.

"Siri. There's a manic with an axe breaking down my door. Call the police."

"I'm sorry 'Dave' or whoever you think you are. I don't think I can do that without your passphrase and an image. Turn up the lights and try again."

How the Fuck Does it Make it Easier

[oh_my_080980980]

Wait:

"The entry of these passwords on portable devices is not user friendly in many cases, as the small touchscreen or keyboard elements can be difficult to accurately select, "

You mean to say things are not easy to do on mobile device??? About fucking time someone said this. OF COURSE IT'S NOT EASIER...it never was - never stopped you from pushing people to do all things mobile.

Again, it's about the mobile device not the computer. Never had a fucking problem ordering via a computer. Fuck Off Amazon.

Jeff Bezos says

[Dunbal]

If you want to buy something put a shoe on your head!

Re:Jeff Bezos says

[bigwheel]

"If you want to buy something put a shoe on your head!"

Hold it... Hold it... Now, bark like a dog!

This could be fun!

Re:Photo in front of the camera

[Joe_Dragon]

You can dial 911 from the lock screen.

Re:Photo in front of the camera

[Dunbal]

I'm going to have a problem when Amazon finds out I don't have (nor want) a webcam.

Trust companies to secure Biometrics?

[sasparillascott]

Are they crazy? Put user biometric data into companies hands (so it can be stolen like everything else) - and of course you can't change it once its been compromised - which will happen, then you're stuck (not the company that lost it of course...they'll give you a year of credit monitoring). As others have pointed out giving companies access to your biometric data, camera and microphone on your access device is wrong on a bunch of other levels (privacy, govt access via that company etc.). No fffing way.

'Secure' in the same way a 4 digit pin is....

[djsmiley]

Ah the joys of 'security'.

I'm waiting until we finally get the 'If a 4 digit pin is secure enough for your bank, why not for us too?'. We don't need this kind of thing and we are going about it all wrong. Security shouldn't be easy, it should be hidden. Hell, if Amazon are good enough to predict what I'm going to buy, surely they know something is wrong them moment I start buying loads of something unexpected, and then try and ship it to somewhere I don't even live?

Nothing is wrong with a good password, and this is just going to stop people using one instead.

Re:'Secure' in the same way a 4 digit pin is....

[Jason+Levine]

I believe they already do something like this. If you are making a purchase that Amazon deems suspect (mainly, in my experience, due to shipping orders to someplace new), you need to enter in your full credit card information again and not just use the stored card number. It can be annoying sometimes when it happens, but I still like the feature. I'd rather be annoyed every so often than log on one day to find out that "I" maxed out my credit card buying electronics and having them sent to some address I've never seen before.

Re:'Secure' in the same way a 4 digit pin is....

[pr0fessor]

I go back and delete my method of payment from accounts like that since I don't order on line constantly, new egg maybe once a year, amazon maybe 3 or 4 times, walmart a couple times. Get into my the account for my gas, water, trash, power bill on the other hand....

Re:'Secure' in the same way a 4 digit pin is....

[Darinbob]

Allowing a company to store your credit card details is already a very bad idea. It's convenient though. But security and convenience do not coexist peacefully.

Re:Photo in front of the camera

[YukariHirai]

I expect that people will make such a thing. Might not even need to be as sophisticated as a 3D model.

Re:Photo in front of the camera

[YukariHirai]

Yep. Calls to emergency services are always able to be made, regardless if the phone is locked, or even has a SIM card in it at all.

"passwords which can be stolen and hacked"

[LichtSpektren]

Biometric data can also be stolen or hacked. The difference is that I can change my password in a matter of seconds. My biometric data, if stolen, is compromised for my entire life.

That being said, I don't mind the finger print scanner on the iPhone and Nexus phones, because they're kept entirely local and the whole system locks down if the biometric data could be compromised. But what Amazon is proposing is that I send my biometric data across https every single time I want to log in to watch some Prime movies? Hell no.

Security

[JasterBobaMereel]

The 3 factors are
Something you know : Password
Something you have : Key
Something you are : Biometrics

also known as
Something you forgot
Something you lost
Something you cease to be ...

Re:Security

[Darinbob]

Banks add a other element. Bank debit card, plus PIN, plus promise to reimburse you if you can it wasn't you who took out the money. That is, it's cheaper for them to reimburse than to implement better security.

DPA/TPA

[wardrich86]

"Amazon is pleased to announce the latest in cutting-edge security: Dick Pic Authentication/Tit Pic Authentication (DPA/TPA). To access your account, simply snap a quick shot of your junk/tits!"

Uh, less secure than passwords

[evolutionary]

People are funny. They sell less secure technologies as more secure. Fingerprint passwords for example: Just grab a coffee mug, or better yet, a paper cup from a user who goes to Starbucks/Second Cup and presto! I have your password. Now we want to use photos? Graphic images or videos that are possibly published on Facebook (or Google+or some other social media). That is even easier to copy. We've all see that voice passwords can be duplicated, especially with snooping devices over cell phones (which we know the police use now). At least with passwords, they are easy to change and require an expert sniffer or getting into someone's head. Not perfect, and yes they are broken, but it take in my observation more work then getting a fingerprint, or better yet a selfie that has been transmitted to friends, family and every server/transmissions repeater point/server farm in between. You can argue passwords travel between servers too, but people send to send their favorite selfie to everyone. In other words, people are far more careless with selfies than passwords (Unless you are one of those in the dark ages still using relative/loved one's name with no numbers). Oh, it would also require us to remove the black tape many of us put over our phones/tablets/laptops to prevent hackers/backdoor users (aka government) from using our phones to invade our privacy. Even more insecurity.

Shopping spree time

[Torp]

... via facial recognition from google image search.
Assuming the server side biometric data doesn't ever get compromised, how the fuck are they going to detect on the - very hackable - client device that the photo or video is live and not downloaded off facebook or youtube?

Seriously, who is the idiot who approved spending money on this patent? Any Amazon shareholder cares to sue him for wasting the company's money?

Re:Yeah that sounds convenient

[kammermusik]

Positive side effect: you're getting excercise that way.

This is not new/prior art

[Khyber]

Similar Software was utilized as a Windows 98 add-on. To log in, you had to sit in front of the computer and facial recognition software acted as the password manager.

On a 180 MHz overclocked Compaq desktop, just to let you know how old this 'selfie for a password' idea truly is.

Re:Photo in front of the camera

[I4ko]

People already made such a thing - have you seen Avatar or The curious case of Benjamin button

Screw that noise

[fishscene]

The more anonymous the transaction, the better. The last thing anyone needs is to put more of ourselves "out there" ready for hackers or NSA terrorists to take advantage of.

That is an awesome summary

[dwheeler]

That is an awesome summary. I just put that in slide set 1 of graduate class materials on developing secure software: http://www.dwheeler.com/secure...

Alternate universe

[mwvdlee]

What about my evil twin?
Will shaving off the goatee be enough?

Good thing computers can't do that?

[dwheeler]

It's a good thing that computers can't make lifelike images and that no pictures of people are on the Internet. Oh, wait, those assumptions might not be true. Look, all authentication systems have weaknesses, but this one seems designed to be trivial to circumvent. Ugh.

The problem with this

[hoggoth]

This has two problems:

1) At some point the face is reduced to a set of numbers. Those numbers can be stolen and reproduced just the same as a password.
2) The other way to hack this is at gunpoint.

Just think of the possibilities

[OpenSourced]

If people become used to this, the candid camera sketches would be unending.

"For verification of identity, please now introduce your pencil in your left nostril".

Re:Photo in front of the camera

[hoggoth]

> How do you/your caregivers/the executor of your will, etc get access

"Hold your dear departed father up straight! Ok, now tilt his head to the left. No! HIS left!"

Re:Photo in front of the camera

[wonkey_monkey]

And what happens if your face in damaged in accident, or you have a stroke, or you die?

Then, if it was really important, you would have hopefully already set up a way for someone you trust to get your password (which, contrary to the headline, is not being "replaced" in the most literal sense) and then they can get access to your stuff.

I can't help feeling your doom-mongering is a bit like saying, "They want us to start cars with keys? What if I lose my keys?!" We seem to have managed okay with such a system so far.

Flawed

[wkwilley2]

Face recognition is all fine and well till you grow a beard, or have a stroke.

Why is it always replace?

[scamper_22]

I'm all for better ways to authenticate. Fingerprint, selfies, gestures, code generators...

But why must it always be framed as getting rid of passwords. Why not in addition to? As the old saying goes, good authentication involves 3 things.

Something you know (password)
Something you have (token generator)
Something you are (fingerprint, selfie)

They can play with these in terms of convenience and security, but I hope we never get rid of passwords. Maybe Amazon can use selfies for low value transactions, and then require a password for high value transactions or something like that.

This explains ...

[PPH]

... why the password prompt was changed to "Tits or GTFO!"

Re:Photo in front of the camera

[skids]

...and obtaining a database of such models for various users becomes further motivation to compromise webcams. Way to go Amazon, keeping the cracker economy vibrant.

Re:Photo in front of the camera

[MrNiceguy_KS]

As an evil twin, I'm very much in favor of this. On the downside, I'll have to shave my goatee...

Tits

[penguinoid]

Amazon: Your password for today, is a picture of your tits.

Re:Tits

[edtice1559]

How can I attach the photo to my /. post?

Is it April 1 already?

[rossdee]

Not all devices have cameras

What the

[JustAnotherOldGuy]

'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.'

No way a video of that could ever be faked!

It would be totally impossible to capture or intercept the video of a legit transaction and then play it back, that could just never, ever happen!

And with the advanced video tools on the market, it would also be utterly impossible to take some innocuous pre-existing video and modify it. Anyone who's ever uploaded more than a few seconds of video of themselves to Youtube doing anything is now at risk of being spoofed.

Seriously, it's like Amazon is searching for novel ways to make transactions less secure.

Why not just restrict all passwords to, oh I dunno, a maximum of 2 even numbers and be done with it?

Re:Photo in front of the camera

[fahrbot-bot]

> How do you/your caregivers/the executor of your will, etc get access

"Hold your dear departed father up straight! Ok, now tilt his head to the left. No! HIS left!"

Yes. Those guys would have had so much more fun with access to Bernie's Amazon account.

4chan /b/ Verification method:

[bmo]

This sounds exactly what 4chan users on /b/ have been using for identifying if OP is really delivering.

"Shoe on head."
"Sharpie in pooper."

--
BMO

as someone with Parkinsons, how about...

[dAzED1]

As someone with Parkinsons that already has enough problems using modern phones since they all want to do guestures and hover crap, and it has to be turned off per-app, can't be globally (at least, on android), how about a big fark you. I don't need someone telling me my smile isn't an adequate smile at 2am, just because I can't really control my face.

Re:Photo in front of the camera

[Dragonslicer]

"Siri. There's a manic with an axe breaking down my door. Call the police."

Did you miss the news story just within the last couple days about how terrible voice assistants are at stuff like that?

You know

[stackOVFL]

I had a similar idea for but for Git. I asked one of the SW guys to write a Microsoft Kinect interface for Git. I'd use a middle finger going side to side to commit and thrusting the middle finger up and down would be a push. Now, two double fingers moving rapidly but in any direction would be a merge (because that's what everyone does when that tool merges any file). A shaking fist would be a pull (normally after a merge following the deletion of the merged file).

Re:lolno

[jenningsthecat]

Only if I can use a picture of my actual asshole.

Your friend or significant other could also use a picture of his or her 'actual asshole' - and then Amazon would have an image of your face anyway!

They better make them optional

[Nightjed]

I am not going to use biometrics to authenticate shit

You can only get your biometrics stolen ONCE, after that big effing luck changing your eye signature or your fingerprints

You have littered the whole internet with your facebook and instagram pictures in a while variety of pictures

Media ppl specially, there are thousands of hours of high resolution video of your face in a wide variety of poses, you are soooooooo screwed

Lazy ppl unwilling to remember passwords are going to be the end of us

Just send them rfid/usb Tokens that generate hashes with a secret seed or that stores a long table with random values loaded by Amazon themselves, stop it with the biometrics nonsense

a plan ...

[PinkyGigglebrain]

1 get photos of person. 2 use photos to create a skin for a Hi rez CG animation program 3.use CG animation program to trick authentication software. 4.Profit!

Doing things is easy

[Alain+Williams]

Getting a BOT to do things upon command is easy. There is going to be a limited number of things that can/will be asked for, these can be pre filmed/rendered in advance. If they do come up with a new required antic - then you don't get to login; is that a problem? Breaking 10% of accounts mechanically still gets you into lots of accounts.

10 years ago The Subservient Chicken was doing this. It was bought by Burger King .... now all that remains is an inane video.

Re:Photo in front of the camera

[Darinbob]

Except that it's more like replacing a secure mechanism with a less secure one that's more convenient. The problem they're trying to solve is to make it easier to get a low level of security for people who think passwords are too confusing.

Re:Milton Berle

[TapeCutter]

My grandfather's generation (WW1 era) understood electrical wiring as a kind of plumbing, many never trusted it because early systems had a bad habit of shorting and burning the building down. As recently as the 60's-70's he and many others believed that if you left a wall socket switched on, electricity would leak out and cost you money, or worse still, start a fire.

So, now I can use a picture to steal credentials?

[Chalnoth]

It might require a little bit of sophistication to create the software that would make an image respond to the requested gesture, but this would pave the way for credentials to be stolen (permanently) by just taking a picture of a person.

Somehow I don't think this is a good idea.