Selfies could replace security passwords – but only with an upgrade

A driver in Malaysia who had a fingerprint authentication system fitted to his new Mercedes S-class in 2005 found out the painful way that some biometrics can be stolen. When thieves discovered that his car could only be started with a fingerprint, they promptly stole his finger along with his car.

A simple voiceprint can likewise be stolen. All you need is a good-quality recording of the person speaking. The same is true for systems that require a user to speak a fixed passphrase or PIN. Interactive systems using a challenge-response protocol (e.g., asking a user to repeat an unusual phrase) would raise the difficulty level for attackers, but can be defeated by current technology.

Face recognition (such as that used to identify selfies), lip reading, and iris pattern recognition are all visual methods that could possibly be stolen or spoofed by pictures or video images.

More biometric data
The solution appears to be either to make use of additional secret information (which means yet more to remember) or to combine different types of biometric information. Unfortunately, methods that require a camera are sometimes of limited use: for example, the user must face a camera, must not have glasses or clothing obscuring their face and eyes, and will require adequate lighting – and the system probably should not be used while in the bath.

Other researchers are investigating the biometric potential of capturing an individual’s unique brainwaves with a headset or, more recently, with earphones. But such technology is in its infancy.

One future technology being developed for mobile devices is an ultrasound scanner that maps part of the face shape of a person speaking. This is not just a snapshot of the face, but a recording of how the mouth of the speaker moves as the words are spoken. The biometric aspect is not just confined to the sound of the voice but includes the way the mouth shape changes as the voice is produced. The required hardware is even built into most smartphones already.

Imagine walking into a bakery and picking up a crusty farmhouse loaf. You take it over to the baker and say “I would like to buy this, please.” “That will be two pounds, do you wish to proceed with the purchase?” replies the baker. “Yes, please proceed,” you say, and wait for their “Okay” before walking out with your loaf. No cash, no payment card and no personal details divulged.

It might sound like a scene from a bygone era when you knew your local baker and maintained an account with them. But it is, in fact, a future that researchers are working hard to enable. Your smartphone will employ voice authentication and speech recognition technology to authorise the payment with your bank, which will confirm the transaction electronically with the baker. Meanwhile, a point-of-sale video recording of the transaction will be lodged with both your bank and the bakery. So while you shouldn’t throw away your passwords just yet, you can expect some exciting developments in this area over the next few years.

Ian McLoughlin is Professor of Computing, Head of School (Medway), University of Kent. This article is published courtesy of The Conversation (under Creative Commons-Attribution/No derivative).