VASCO introduces selfies as a user authenticator
VASCO introduced its selfie biometric authentication product at the RSA Conference. Yes, it uses facial recognition to identify the selfie is really a pic of the actual user. But no, criminals can't use a stored pic or a selfie shot from social media posts to get around this security system. Here's why.
"It has features that check for liveness during the several seconds that it is taking your picture - do your eyes blink, do you change your expression, etc.," John Gunn, vice president of communications at VASCO DATA Security, told me in an email.
But wait! Facial recognition can be fooled or thwarted, right?
"Yes, sometimes facial recognition can be defeated, but it is a complex attack and not practical for most hackers to execute," he said.
How then can checking for a live face be any more protection if the facial recognition is fooled?
"The process of authentication relies on facial recognition, geolocation (GPS), device ID, and more than a dozen other attributes of the user and device making the transaction request. Banks, for example, can use these features independently or together," Gunn said.
That's rather a smart play in multifactor authentication. It would be extremely difficult for even a sophisticated hacker to best every level.
Don't be surprised if selfies soon become a key factor in user authentication for consumers and enterprise employees. It would be a very good way to stop phishing attacks on executives and workers, for example. And it could be a great way to ascertain who is accessing company data, too.
However, there is a dark side to using selfies as a security authenticator. Building a database of selfies for facial recognition work leads to potential privacy problems – especially if the government gets access to those databases.
Further, criminals are likely to find their way around this too – as they will eventually for any authentication methods we're likely to invent.
Consider how this works first.
"It starts with the user taking a picture of themselves on their mobile phone. From this, a mathematical representation of the image is created, then encrypted, and then sent to the central server through a secure channel," Gunn explained.
"After this registration process has been completed, and during all future attempts to login, another image is taken of the user," he said. "This authentication image goes through the same process as described previously and then the server compares the mathematical representations of the two images to see if they match."
If a hacker were to somehow access that server, the first image could be replaced, thus making it easy to match the second false image, the selfie. Of course that would require the criminal remove both images from the server afterwards or law enforcement will have their picture.
Another potential flaw lies in the laziness of the user organization or lax rules in efforts to avoid lag which can be a real turnoff for customers.
"There are different degrees of matching that may be achieved and the bank, or user of the solution, can decide how stringent they wish to be in requiring that the images match," said Gunn.
More degrees of matching would presumably be safer, but that might also require the customer or enterprise user to wait on the system for a few seconds – and I'm talking about using this type of authentication in general, not necessarily this product specifically. I didn't think to ask about lag, if any, with this particular product.
But if there is lag, even just for a few seconds, well, I can hear the screams pelting IT and the CISO now. Everyone is in such a hurry these days and patience runs thin, especially if the procedure must be followed every time. Hence, user organizations might get lax about how many degrees of matching they require. That may in turn crack a door open for hackers.
But that's the world we live in. We have to pick the level of convenience versus risk that we're comfortable with and move on from there.
Even so, this is an impressive advance in security. Guess this means many of us will need to keep a brush and makeup handy though. Selfies as an authenticator means we'll have to take our pictures often, and who wants a bad pic stored forever on a server?
- see the press release