As an (ISC)2 board member, but more importantly as an executive for a large bank, I'm very interested in our community's thoughts on how to solve the authentication problem.
What worries me specifically are the sensationalized stories emerging about biometric authentication being defeated.
https://www.theregister.co.uk/2017/11/13/iphone_x_face_id/?utm_source=dlvr.it&utm_medium=facebook
My concern is that these articles tell only part of the story. In reality, most if not all "authenticators" can be defeated. The question as always, in my opinion, should be: "Is the control commensurate with the risk?" I would think that biometric face recognition is a far sight more effective than passwords (as an example) for a lot of reasons - even if it can be fooled.
I think these stories can actually be dangerous because they scare people away from using incrementally better controls. And so because of stories, like the ones above, many will opt out of the stronger biometric control in favor of using an easily guessed or phished password etc... Nothing is perfect, but some controls are less imperfect than others and we need to keep this in mind. How do we educate people toward making pragmatic and informed decisions on how to keep themselves safe??
I'm interested in your perpsectives.
Greg T.
Toronto, Canada
No, not a bad habit at all, replying to yourself. Sometimes you have a stroke of brilliance hit you after you hit Post! I know it happens to me, LOL!
What is interesting about all of this movement to facial recognition software is what happens to anonymous login potential? Can you imagine if you had to log into your device with your face and your internet postings could be verified? I know a lot of people that would be in trouble, but think about how much calmness it would add to the internet. It would have the potential to slow down or potentially stop cyber bullying as the main reason people cyberbully is because of the anonymity of the internet. Keyboard warriors can launch virtual attacks because there is no retribution. No linking (at least not in real time) of people to their posts. If there is a linking then they just claim that someone hacked them. With facial recognition they would have a harder time claiming it wasn't them. I know facial recognition can also be hacked, but just wondering out loud...
Let the privacy counter attack begin......
Ah, it was a timely story that broke.
On the feeling of observation - Charles Stross wrote a very intriguing essay on the 'Panopticon Singularity' after the Snowden breath and while it is a hymn to privacy(and no worse for it) it raises very interesting and relevant points. TL;DR- It goes back to the idea that the Victorians had that being watched, or thought that you were being watched was morally improving.
A lot of problems with biometrics come down to sampling and flat images of fingerprints, faces etc. about ten years ago someone asked me to find a solution that could continuously authenticate someone based on typing - turned out timing fro flight time and dwell time on keys could do this, but only for passwords and there was a training time, now I think it's fair to say decent learner/enough compute you could.
If the old facial recognition is like a 2D fotofit seen over TV for five seconds, the new approach of 3D mapping(with LazorS! maybe even crainial mounted on sharks) has the potential to be more like a satellite scanning and astroid - much more sampling options so much more power, and some of the challenges with more simple biometrics go away/become less of a concern. Attackers will still adapt, but use factors in combination and select them unpredictably to reduce resitance.
On privacy, yeah it's very important, but rights are balanced with responsibilities.
If we take the device vendors as three examples I kind of trust Apple to not sell me because they overcharge me anyway for shiny under specced things, Google I'm pretty sure will sell me so I don't use Android at all but I'm not so committed to my privacy that I will tolerate poor search results. Microsoft would sell me I think if it knew how, but I've come to expect them to not get the product right at first, so I figure I have time till they monetize linked in, and they can't do phones or tablets(we all know it's still a laptop).
Now if your device knows who you are and then the website/service you post on needs to AuthentorizeMeTM, maybe because of the reach/policy then it could ask your device vendor if you could be worked back to if there was a complaint and then let you. Or maybe today is your yearly hate speech day, and the service detects you and then gets your ID because of this.
Now geopolitically, from society standpoint can you get even to agree? No way, and probably should for most activity but you can limit peoples ability to post to prime services without these kinds of controls around attribution, and that might be a good thing in balance.
Another thing with facial recognition is this:
How is the computer storing your facial "hash"? Does it convert it down to a "number" (i.e. a hash)? If so, wouldn't it be that you just had to eventually find out what "number" equated to the hash of the user in order to hack them? After all, computers only know two things, 1's and 0's..........
So trust but verify - but this is pretty clear - not really for authentication alone but it's the same thing really:
https://en.wikipedia.org/wiki/Facial_recognition_system.
'Popular recognition algorithms include principal component analysis using eigenfaces, linear discriminant analysis, elastic bunch graph matching using the Fisherface algorithm, the hidden Markov model, the multilinear subspace learning using tensor representation, and the neuronal motivated dynamic link matching.'
As we see the learner is as important as the sensor.
The way I think about it(which is definitely and imperfect model) is in the 3D method used by apple the 'hash' is like a map of data points that after the system learns your face, it tries to get to a good confidence level that it's seeing your face. The more points it stores the more accurate it an be but the longer to learn, and the longer to verify. If your surface doesn't recognize you wiggle your head around slightly and it might let you in when it 'feels' comfortable.
.
That might make it tough if you went out the night before and partied too hard! I wonder how well it does baggy, bloodshot eyes and a 5'o'clock shadow?
As long as you consistently look like that then OK, especially if every weekend you do the same thing, your face would change it would be great if ISC2 could ask Nasa to have astronauts test devices on the ground and after reaching orbit. 😉
But nothing stops you combining these techniques maybe your blood vessels are still the same in IR, or face geometry or still the same.
You could combine with other factors, do you have your phone, was it unlocked, is your iWatchTM sending your HR and does it seems right? Gesture to expressions could be used easily as well.