New Technology Combines Lip Motion and Passwords For User Authentication

An anonymous reader writes: "Scientists from the Hong Kong Baptist University (HKBU) have developed a new user authentication system that relies on reading lip motions while the user speaks a password out loud," reports BleepingComputer. Called "lip password" the system combines the best parts of classic password-based systems with the good parts of biometrics. The system relies on the uniqueness of someone's lips, such as shape, texture, and lip motions, but also allows someone to change the lip motion (password), in case the system ever gets compromised. Other biometric solutions, such as fingerprints, iris scans, and facial features, become eternally useless once compromised.

Why not just demand passphrases instead?

And passphrases of at least 15 characters, with no ridiculous rules such as 'Must use a capital letter, a number, a non-alphanumeric character' etc.
The general public must be so incredibly stupid that they can't even create decent passwords.

So that means

[thinkwaitfast]

I have to take the bandaid off the camera on my laptop to protect my cat pictures.

No thanks

What about imparements and videos?

[Tomahawk]

What happens if someone suffers, say, stroke and part of the face is paralysed. Or they have Botox?
I suppose there has to be a backup to allow someone to reset their password in such cases, or in cases where they forget it. This backup may prove to be a weakness.

What happens if I record a video of my boss uttering his password, and then show the video to the camera?

2001 : A Space Odyssey

Dr. Frank Poole: Okay. Well look Dave. Let's say we put the unit back and it doesn't fail uh? That would pretty well wrap it up as far as HAL was concerned wouldn't it?

Dave Bowman: Well, we'd be in very serious trouble.

Dr. Frank Poole: We would, wouldn't we. What the hell could we do?

Dave Bowman: Well we wouldn't have too many alternatives.

Dr. Frank Poole: I don't think we'd have any alternatives. There isn't a single aspect of ship operations that isn't under his control. If he were proven to be malfunctioning I wouldn't see how we'd have any choice but disconnection.

Dave Bowman: I'm afraid I agree with you.

HAL: I know that you and Frank were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.

Dave Bowman: Where the hell did you get that idea, HAL?

HAL: Dave, although you took very thorough precautions in the pod against my hearing you, I could see your lips move.

The Irony of this Security.

[geekmux]

So, we've reached a point where a user actually has to say their shitty password out loud in order to obtain better security?

Let me put my boots on so I can wade through the irony.

Oh, and not to nitpick or anything, but this is hardly combining functionality to create better security when your password is known to anyone within earshot of you authenticating. One half of that system is basically compromised simply by using it as intended.

Re:Speak password out loud?

[geekmux]

So what. Their lips don't have the same shape and their lip motion is different. That's the point.

No, not quite. The point is don't try and sell this as a "combined" security model when one half of the system is essentially compromised, simply by using it as intended.

Unfortunately, the other half of this system will ensure the entire thing is marketed as the best "multi" factor authentication solution in the entire universe.

I cannot do this.

[LordHighExecutioner]

My passwords are way too embarassing to be said loudly in presence of my coworkers.

Re:Speak password out loud?

[Gaygirlie]

They meant "mouthing the password," it's just poorly worded. There's e.g. the excerpt of "Third, lip passwords don't rely on speech recognition, meaning they can be used in noisy environments." in the article, which obviously wouldn't work if you had to actually say the password out loud -- the background noise would just drown you out. The system just relies on lip shape and mouth movement, not actually hearing anything.

Beards?

[petes_PoV]

This seems to assume that the camera can see an individual's lips.

Re:Speak password out loud?

[NotInHere]

Yes, but if that is the point, why not let the user speak the username instead of the password? After all if you say it out loud, it can be intercepted much more easily (not all people are proficient with reading people typing keystrokes, although you should consider this too, and probably cover yourself when you type in your password), so there is no sense in keeping the spoken phrase secret.

The password isn't the password.

[DrYak]

The password here (i.e.: the word that is spoken) isn't what plays the role of password (it's not the actual word itself that unlocks the machine).
As mentionned, this technology doesn't use any voice recognition.

The thing which acts as a password (the thing which decides to unlock or not) is the particular way in which your mouths moves when composing the sound of the word.
The word only plays the role of a mnemonic : a thing that helps you remember the combination of elements - i.e.: the order of mouth movement that you need to do to unlock the session.

You could try to do the same motion noiselessly if you want (and if you actually manage to do the same lip motions).

---

Now, there's a strong correlation between sounds and lip motions, and somebody over hearing you would have a good starting point at trying to guess what your camera sees.