Slashdot Mirror


New Technology Combines Lip Motion and Passwords For User Authentication (bleepingcomputer.com)

An anonymous reader writes: "Scientists from the Hong Kong Baptist University (HKBU) have developed a new user authentication system that relies on reading lip motions while the user speaks a password out loud," reports BleepingComputer. Called "lip password," the system combines the best parts of classic password-based systems with the good parts of biometrics. The system relies on the uniqueness of someone's lips, such as shape, texture, and lip motions, but also allows someone to change the lip motion (password), in case the system ever gets compromised. Other biometric solutions, such as fingerprints, iris scans, and facial features, become eternally useless once compromised.

54 comments

  1. Forgetting passwords on the workplace by Anonymous Coward · · Score: 1

    Hey Mike, what's my password again?

    It has been flyingpig69 for the last two months boss.

    Thanks, I'm really liking this secure authentication system you've installed.

  2. Why not just demand passphrases instead? by Anonymous Coward · · Score: 3, Insightful

    And passphrases of at least 15 characters, with no ridiculous rules such as 'Must use a capital letter, a number, a non-alphanumeric character' etc.
    The general public must be so incredibly stupid that they can't even create decent passwords.

  3. Speak password out loud? by Anonymous Coward · · Score: 0

    What's the point? Everyone's gonna hear you.

    1. Re:Speak password out loud? by Anonymous Coward · · Score: 0

      So what. Their lips don't have the same shape and their lip motion is different. That's the point.

    2. Re: Speak password out loud? by Anonymous Coward · · Score: 0

      If someone has a lipstick

    3. Re:Speak password out loud? by geekmux · · Score: 2

      > So what. Their lips don't have the same shape and their lip motion is different. That's the point.

      No, not quite. The point is don't try and sell this as a "combined" security model when one half of the system is essentially compromised, simply by using it as intended.

      Unfortunately, the other half of this system will ensure the entire thing is marketed as the best "multi" factor authentication solution in the entire universe.

    4. Re:Speak password out loud? by Anonymous Coward · · Score: 1

      Not even that. The lips movement is extremely easy to capture with a video camera accurately. And once you have a video capture of the lips it will be somewhere between trivial and hard to make a fake 2D or 3D model that will repeat the password.

      So instead of having to video someone's keyboard as they type their password you only need to film someone's face.

    5. Re:Speak password out loud? by Gaygirlie · · Score: 2

      They meant "mouthing the password," it's just poorly worded. There's e.g. the excerpt of "Third, lip passwords don't rely on speech recognition, meaning they can be used in noisy environments." in the article, which obviously wouldn't work if you had to actually say the password out loud -- the background noise would just drown you out. The system just relies on lip shape and mouth movement, not actually hearing anything.

    6. Re: Speak password out loud? by Anonymous Coward · · Score: 1

      or if someone gets punched in the mouth. or if someone is drunk. or if someone is having a stroke.

    7. Re:Speak password out loud? by rmdingler · · Score: 1

      This method might actually strengthen many folks' current access to protected information.

      Read my lips: p-a-s-s-w-o-r-d

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    8. Re:Speak password out loud? by NotInHere · · Score: 2

      Yes, but if that is the point, why not let the user speak the username instead of the password? After all if you say it out loud, it can be intercepted much more easily (not all people are proficient with reading people typing keystrokes, although you should consider this too, and probably cover yourself when you type in your password), so there is no sense in keeping the spoken phrase secret.

    9. Re: Speak password out loud? by Anonymous Coward · · Score: 0

      Then you'll be able to conveniently type in the password...

    10. Re: Speak password out loud? by Anonymous Coward · · Score: 0

      Jesus does not approve of your lifestyle. Repent, sinner. Beg for the Lord's forgiveness, so that you may receive mercy rather than spend eternity in the fires of hell.

    11. Re: Speak password out loud? by war4peace · · Score: 1

      Allowing a repeatedly out-loud-spoken password to be typed kind of defies the point of the whole system, doesn't it?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

    12. Re:Speak password out loud? by skids · · Score: 1

      Damn "cold sore". Now I can't get into my account. Musta mouthed too many passwords.

    13. Re: Speak password out loud? by Anonymous Coward · · Score: 0

      > repeatedly out-loud-spoken password

      Not so much a password then is it? Unless you are in complete isolation at the time you say it.

      "Oh, we're so clever, they'll love this one."

      Right, because saying, "one-I-d-i-o-t-Exclamation-Mark-Pound-Pound-Ampersand-six-A-l-p-h-a-C-h-a-r-l-i-e", wasn't going to get annoying after the first three times someone had to repeat it...

      Or the fact that you'd have to be sitting at arm's length from the machine (for the camera to get a good look at you), and your face unobscured. So no headset for you to whisper into.

      Why don't they just get rid of the password-only shit already? Use 2FA. Passwords are easy to crack with rainbow tables (assuming you get the target's password db), basic snooping around on social media (passwords are based on what you know), or compromising a password manager (either the manager itself or the device it runs on). Using only passwords does not help. Nor does biological data that can't be changed once compromised. Or something that requires the computer to "think" about a given context. (We don't have hard AI yet.) Or an authentication method that practically requires user isolation to be secure. These methods WILL NOT WORK IN A REAL WORLD CONTEXT. So quit trying to reinvent them. You are doing all of us a disservice by doing so.

  4. So that means by thinkwaitfast · · Score: 3, Funny

    I have to take the bandaid off the camera on my laptop to protect my cat pictures.

    No thanks

    1. Re:So that means by Obfuscant · · Score: 1

      You've hit it almost on the head. This isn't about better security, it's about worse. It's a Chinese plot to force us all to untape the cameras on our laptops hoping we'll forget to retape them after logging in, and then they can spy on us. And they'll get to see whatever the background is while we're logging in.

      Remember, don't leave large blueprints containing intellectual property taped to the wall behind you when you log in to your terminal or all your bases will belong China.

    2. Re:So that means by thinkwaitfast · · Score: 1

      That was my point...with a bit more subtlety.

  5. What about impairments and videos? by Tomahawk · · Score: 2

    What happens if someone suffers, say, stroke and part of the face is paralysed. Or they have Botox?
    I suppose there has to be a backup to allow someone to reset their password in such cases, or in cases where they forget it. This backup may prove to be a weakness.

    What happens if I record a video of my boss uttering his password, and then show the video to the camera?

    1. Re: What about impairments and videos? by Anonymous Coward · · Score: 0

      ya even facial you can input your pass if needed.

    2. Re: What about impairments and videos? by Anonymous Coward · · Score: 0

      A backup would be a DNA sample deposit off your vagina

    3. Re:What about impairments and videos? by reboot246 · · Score: 1

      What happens after a visit to your dentist when the whole bottom half of your face is numb?

    4. Re:What about impairments and videos? by mwvdlee · · Score: 1

      On the other hand, it's great protection against drunk emails.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

    5. Re:What about impairments and videos? by BarbaraHudson · · Score: 1

      Or goes to the dentist?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

  6. i take it by Anonymous Coward · · Score: 0

    it's not the word you're saying but the unique biometrics of the lips so it can change with whatever you say whereas a fingerprint or facial/iris do not change.

    1. Re:i take it by Anonymous Coward · · Score: 0

      Until you're punched in the face, have a dentist's appointment, or have a run-in with a bee.

  7. 2001 : A Space Odyssey by Anonymous Coward · · Score: 2, Insightful

    Dr. Frank Poole: Okay. Well look Dave. Let's say we put the unit back and it doesn't fail uh? That would pretty well wrap it up as far as HAL was concerned wouldn't it?

    Dave Bowman: Well, we'd be in very serious trouble.

    Dr. Frank Poole: We would, wouldn't we. What the hell could we do?

    Dave Bowman: Well we wouldn't have too many alternatives.

    Dr. Frank Poole: I don't think we'd have any alternatives. There isn't a single aspect of ship operations that isn't under his control. If he were proven to be malfunctioning I wouldn't see how we'd have any choice but disconnection.

    Dave Bowman: I'm afraid I agree with you.

    HAL: I know that you and Frank were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.

    Dave Bowman: Where the hell did you get that idea, HAL?

    HAL: Dave, although you took very thorough precautions in the pod against my hearing you, I could see your lips move.

  8. Biometrics by Anonymous Coward · · Score: 1

    Biometrics should be used for IDENTIFICATION, not AUTHENTICATION.

    There is nothing wrong with a fingerprint or iris in lieu of a user name. I don't change that when the databases scattered all over creation get individually compromised.

  9. The Irony of this Security. by geekmux · · Score: 4, Interesting

    So, we've reached a point where a user actually has to say their shitty password out loud in order to obtain better security?

    Let me put my boots on so I can wade through the irony.

    Oh, and not to nitpick or anything, but this is hardly combining functionality to create better security when your password is known to anyone within earshot of you authenticating. One half of that system is basically compromised simply by using it as intended.

    1. Re:The Irony of this Security. by Anonymous Coward · · Score: 0

      > One half of that system is basically compromised simply by using it as intended.

      Not if you're a ventriloquist.

    2. Re:The Irony of this Security. by Anonymous Coward · · Score: 0

      So others also get to see your ass...
      Not bad...

      I wouldn't mind if pretty girls would do that kind of password protection. Though would mind fat cats management doing it.

      Captcha: ambush

  10. I cannot do this. by LordHighExecutioner · · Score: 3, Funny

    My passwords are way too embarrassing to be said loudly in presence of my coworkers.

    1. Re:I cannot do this. by Coisiche · · Score: 1

      The article says it doesn't actually rely on sound, so you could do it voicelessly. Although the various speech articulators in your mouth can operate differently if you do something voicelessly so it's probably not something you could switch between when using it privately.

    2. Re:I cannot do this. by RavenLrD20k · · Score: 1

      Let me guess: Ih8myJ0b1

    3. Re:I cannot do this. by Anonymous Coward · · Score: 0

      > My passwords are way too embarrassing to be said loudly in presence of my coworkers.

      +++

    4. Re:I cannot do this. by ole_timer · · Score: 1

      lol

      --
      nothing to see here - move along

  11. It's a gesture by tomhath · · Score: 1

    When you type a password by moving your fingers you are making a gesture. Or you can speak a passphrase and make the gesture with your mouth. Either works for authentication; the advantage of speaking the word versus tapping on the keyboard is that it's harder for someone else to duplicate.

    1. Re:It's a gesture by BarbaraHudson · · Score: 1

      People don't always type using the same method. Sometimes a touch typist will have a cup in one hand and hunt-n-peck with the other. Gestures are crap. I give the whole concept the middle finger gesture.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

    2. Re:It's a gesture by Anonymous Coward · · Score: 0

      > People don't always type using the same method

      True, but a good key logger could record your typing style, and it certainly could record your password when you type it in. Put your middle finger where the Sun won't shine on it.

    3. Re:It's a gesture by Obfuscant · · Score: 1

      > the advantage of speaking the word versus tapping on the keyboard is that it's harder for someone else to duplicate.

      And the disadvantage is that anyone within earshot can hear what your password is.

      This is why I absolutely loathe voice operated call directors. I'm in an office with other people and I have to tell everyone what I'm doing, instead of simply silently pushing a few buttons. Usually it winds up with me shouting "HUMAN BEING" or "GET ME A DUCKING PERSON" when the voice detection system doesn't have the option I need.

      Of course, the fact that they are poorly programmed to start with, asking questions like "are you calling about a current account or opening a new one?" and don't understand when I answer "yes".

  12. Beards? by petes_PoV · · Score: 2

    This seems to assume that the camera can see an individual's lips.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons

  13. Alabama Redneck Identification System by Muckluck · · Score: 1

    Here in Alabama, we already have a spectacular biometric system called RIN - the Redneck Identification System.

    At each door we have a spittoon. When you approach the door, you spit into the spittoon and say anything you want. The spit velocity and composition is analyzed and the drawl of the speech is measured. No "southern bio" match, no ID match.

    Dave doesn't chew Skoal and is always dead center in the pan - IMPOSTER DETECTED. GIT 'EM BOYS!

    --
    --I like turtles...

  14. Not "eternally useless" once compromised by Striek · · Score: 1

    > Other biometric solutions, such as fingerprints, iris scans, and facial features, become eternally useless once compromised.

    No. They do not. This is a rather common misconception. Granted, you can never change these things - which is an inherent weakness, but they do not become "eternally useless". I may have your fingerprint - but I can not fool every fingerprint reader on Earth. Better fingerprint readers are invented - each successive generation being harder to fool. Iris scans and facial recognition are much the same. You may be able to fool the scanners of today, but not necessarily the scanners of tomorrow. You may be able to fool some scanners, but not all scanners.

    I can place a security guard at the scanner - thus ensuring that a rubber finger (or a gummy bear), or a picture of your face, is not being used, much like an extremely cheap lock can be very effective if someone can monitor it to ensure it is not picked. They do not become eternally useless. They are still, and always will be, an additional measure, not to be used in isolation.

    --
    "Government is like fire; a handy servant, but a dangerous master." -- George Washington

    1. Re:Not "eternally useless" once compromised by Cro+Magnon · · Score: 1

      So, my ability to not be compromised depends on someone else installing better security on their end?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.

    2. Re:Not "eternally useless" once compromised by Striek · · Score: 1

      Yes, exactly. And passwords are no different. Any credentials stored with a third party are at a risk level determined by the security measures in place there. Passwords are dependent on proper hashing and salting, and the current level of computational power available to crack them (among other things), and fingerprint records are only as secure as current technological sophistication will permit. We've always needed to have some level of trust in authentication providers, and I don't think biometric records are any different in that regard.

      The difference, of course, is that you can't change your fingerprint, and you're dependent on the advancing state of technology. Still though, they are a useful additional factor when employed with full knowledge of their weaknesses.

      --
      "Government is like fire; a handy servant, but a dangerous master." -- George Washington

  15. Technically by DrYak · · Score: 1

    > The point is don't try and sell this as a "combined" security model when one half of the system is essentially compromised, simply by using it as intended.
    > Unfortunately, the other half of this system will ensure the entire thing is marketed as the best "multi" factor authentication solution in the entire universe.

    From a purely technical point of view, it *is* a multifactor :
    - something you have/are : Your lips (or more precisely : their peculiar shape and your personal way to move them when making some sounds).
    - something you know : A certain order in which you present the above lips motions (though it's linked to the sound you're making, and if somebody can over-hear you, they have a decent starting point at guessing what motions you were doing with your mouth).

    Currently, it's not being marketed *for being multi factor*.
    Currently, it's being marketed for the fact that you *can* change the "something you have/are" part. It's a changeable-type of password/biometric, which is unusual among other biometrics where you can't change the "something you are" part (you can't easily grow an extra finger with a new fingerprint whenever a previous one was compromised - using gummy bears or whatever).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  16. PIN code by DrYak · · Score: 1

    These kinds of "biometrics unlock" (like also a fingerprint scan) are used as a quick way to unlock instead of having to input a strong password.
    They're the equivalent of a PIN code, not the equivalent of a 16-character-long strong password.

    So if you can't lip/mouth your biometric pass, you simply do as you would if your finger was unavailable (= harmed, and covered with a band-aid) for fingerprint scans:
    you type instead the strong unlocking password to log-in.

    Now the problem is that you probably use your PIN-like biometric because it's faster and easier, and thus avoid using the strong password.
    And thus by never using it, there's a risk that you'll forget it.

    Seriously, how many people around here know the PUK to unlock their SIM card, as opposed to the PIN ?

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  17. The password isn't the password. by DrYak · · Score: 2

    The password here (i.e.: the word that is spoken) isn't what plays the role of password (it's not the actual word itself that unlocks the machine).
    As mentioned, this technology doesn't use any voice recognition.

    The thing which acts as a password (the thing which decides to unlock or not) is the particular way in which your mouth moves when composing the sound of the word.
    The word only plays the role of a mnemonic : a thing that helps you remember the combination of elements - i.e.: the order of mouth movement that you need to do to unlock the session.

    You could try to do the same motion noiselessly if you want (and if you actually manage to do the same lip motions).

    ---

    Now, there's a strong correlation between sounds and lip motions, and somebody overhearing you would have a good starting point at trying to guess what your camera sees.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  18. It cannot work! by ctrl-alt-canc · · Score: 1

    My password is "rrrrrrrrrrrr" (12 times 'r'). Now read my lips, and try to get the difference between "rrrrrrrrrrrr", "rrrrrrrrrrr" (11 times 'r') and "rrrrrrrrrrrrr" (13 times 'r')...

  19. 3 Factors by JasterBobaMereel · · Score: 1

    Password, Passkey, Biometrics
    Something you know, something you have, something you are

    aka
    Something you forget, Something you lose, something you no longer are ...

    --
    Puteulanus fenestra mortis

  20. finally by bugs2squash · · Score: 1

    my inability to read or type anything without moving my lips is a security bonus.

    --
    Nullius in verba

  21. But... by Anonymous Coward · · Score: 0

    I'm Stephen Hawking, you insensitive clod!

  22. It's kinda like that ST:TNG episode... by holykami · · Score: 1

    Computer, establish a security code for access... One - Seven - Three - Four - Six - Seven - Three - Two - One - Four - Seven - Six - Charlie - Three - Two - Seven - Eight - Nine - Seven - Seven - Seven - Six - Four - Three - Tango - Seven - Three - Two - Victor - Seven - Three - One - One - Seven - One - Eight - Eight - Eight - Seven - Three - Two - Four - Seven - Six - Seven - Eight - Nine - Seven - Six - Four - Three - Seven - Six - LOCK!