back to article Meet the grin reaper: Password manager now snaps login SELFIES

Forget master passwords, literally. Password manager LogmeOnce has come up with a new-ish way to log into websites – selfies. The cloud-based biz told El Reg today it has added a new PhotoLogin option which takes a photo of you and uses it to unlock the services you're trying to access. It works by getting you to take a …

  1. Anonymous Coward
    Anonymous Coward

    Pull the black tape off my camera every time I need to log in to something? No thanks.

    1. Anonymous Coward
      Anonymous Coward

      Use a USB webcam then. Then you can simply un-plug it.

      (For me, that's my only option anyway as this laptop lacks a webcam.)

    2. Anonymous Coward
      Anonymous Coward

      "Pull the black tape off my camera".

      I'd suggest something designed to be a balanced measure of security and convenience (oh that's sooo subjective) isn't for you. Mebbe one of those plastic slidey shutter things vendors give away at Infosec as an upgrade? Don't forget a blast of cavity insulation into the mic port if you can find it (no idea where mine is).

      1. Anonymous Coward
        Coat

        Oh, I don't mind if they...

        listen in to me singing in the shower. Just don't watch me getting undressed!

  2. allthecoolshortnamesweretaken

    Sounded very promising - until I got to the cloud-based bit. So thanks, but no thanks.

  3. Anonymous Coward
    Anonymous Coward

    Stupid

    What's wrong with an app on the phone that produces one time codes? You can have it protected by a password, a PIN, a fingerprint, facial recognition or whatever your phone supports, or nothing at all if you wish to assume your phone won't be lost or stolen.

    I currently use this system for logging in to a corporate VPN, but I have to use an external device that uses a smart card. I wish I could just use an app since I have my phone with me all the time anyway. I wonder if Apple built something like that into iOS and supported loading certificates if corporate IT security types would be interested in supporting it? Then you wouldn't need an app for LogMeIn, an app for Cisco, etc. but even that is a better idea than this ridiculous selfie scheme.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stupid

      A vulnerability could compromise the one-time pad stored on the phone. It's basically a very long password that's sent and checked piece-wise, and so requires much the same precautions.

      1. Anonymous Coward
        Anonymous Coward

        Re: Stupid

        Store the one time pad in the secure enclave, and problem solved. That's why you need it added as a built in 'official' app, rather than letting various third parties cook up their own (since they have no access to the secure enclave)

    2. Anonymous Coward
      Anonymous Coward

      Re: Stupid

      RSA can be used with a phone app instead of a physical fob. Don't know about other 2FA systems but I would be surprised if they didn't offer this.

    3. Anonymous Coward
      Anonymous Coward

      Re: Stupid

      This is a software token (vs a hardware token that is either a 'personalised' fob i.e. unique to you or a generic card reader such as is issued by the banks where the personalised bit is the bank/smart card itself). Most strong auth vendors have software tokens that typically run on iOS/Android/Windows/Mac/BB with the smartphone ones being the most commonly used. I'll leave it to you to ask your IT service desk about the provision and use of such tokens and the respective vendors to argue the case over the relative security of each.

  4. benderama

    I can see this being useful if you held up today's frontpage.. or page3 girl. Do they still have those?

  5. Anonymous Coward
    Anonymous Coward

    "The pictures self-destruct after one minute."

    Suuuuuuuuure they do.

  6. shane fitzgerald

    Photos?

    So if you just hold up a photo of the person you want to steal passwords from to the camera - yay your in! - How is this safe??

    1. Flocke Kroes Silver badge

      Re: Photos?

      Read the article.

      That was my first thought when I read the title, but facial recognition software is not used for this form of authentication. The photo is sent to the victim's phone, and whoever has access to the phone decides if the log in is to proceed.

      If you do not want to remove the tape covering your camera, just pick a random picture off the internet. If the same one arrives on your phone then you can log in while inserting garbage into the facial recognition database LogMeOnce is quietly constructing. I get the impression their computer is going to think that all techies look like Paris Hilton.

      1. Lee D

        Re: Photos?

        Better question:

        How this is any easier or better than:

        "A user at IP x.x.x.x just tried to log into your account. If this is you, please press Accept. Otherwise press Reject"?

        Because, for sure, I can't think of anything else that would make a difference between those systems. "I could send you a fake request with a fake IP"? If I didn't request login, why would I press it. And if I got four or five logins at the same time as I login, then honestly you're compromised anyway because someone KNEW you were logging in at that point.

        And any serious usage of both systems is likely to be hindered by automated spam after a while. After the tenth incident of someone not you trying to log in, you're just going to turn the feature off to stop it bothering you.

        A compromised device is game over anyway. They might not be able to fake the photo but they'll just wait until the photo is from you and then intercept it to gain your login or whatever.

        I don't think this is anything new, groundbreaking, or useful over system that already exist (like just getting an email / notification whenever I access my account - even my server host does this "You just logged into your manager control panel. If this was not you...").

        1. VinceH

          Re: Photos?

          "I don't think this is anything new, groundbreaking, or useful over system that already exist (like just getting an email / notification whenever I access my account - even my server host does this "You just logged into your manager control panel. If this was not you...")."

          Quite so. As you say, the photo isn't necessary - a simple confirmation request will achieve the same thing*. I'm inclined to think, therefore, that the photo aspect screams of, at best, gimmick. At worst, it's smoke and mirrors - a veil to make people less inclined to think about it to assume there's face recognition involved.

          * And both are useless if your phone is stolen. You can still get in by use of the password - actual security - but if your phone's unprotected, then the photo or confirmation methods would provide you with less security than a padlock made of cheese.

          1. Lee D

            Re: Photos?

            Well. At least a padlock made of cheese would keep the lactose-intolerant away...

          2. Anonymous Coward
            Facepalm

            Re: Photos?

            It could also be partially hackable... as a third party, say sitting on the desk behind the mark, send a request to login seconds before the mark tries to log in...

            They get a picture of anything (though social engineering may help). They are expecting *their* photo, so click it before logging in (muscle memory out paces the though processes). They quickly realise it was not their attempt, phone/email the app makers, get put on hold, while the crim pilfers their account details etc.

            I agree on the cheese though!

        2. Just Enough

          Re: Photos?

          "And if I got four or five logins at the same time as I login, then honestly you're compromised anyway because someone KNEW you were logging in at that point."

          For work related accounts, it is a reasonable guess to attempt this around 9am. Or 8am. There's a fair chance that the targeted account holder will be logging in around then. And if they do not expect to get two requests at the same time, they're likely to just accept the first one they see, assuming it's from themselves. By the time they notice the second one queued up, it's already too late. This is where the photo comes into play. You don't accept the request that doesn't feature you, dressed as you are.

          The one weakness I can see is if someone manages to get hold of past photos from previous logins.

  7. Anonymous Coward
    Anonymous Coward

    Big Brother

    is watching you.

  8. Lostintranslation

    It's fiine until...

    It's fine until someone steals your bag containing both your laptop and your phone.

  9. Seajay#
    Thumb Down

    Terrible idea

    1. If someone has your phone, they have your master password. They just need to take a picture of a blank wall then accept it on the phone.

    2. LogmeOnce knows all your passwords so once it is hacked, everyone will know all your passwords. It's certain to get hacked, even the mighty LastPass was but they were saved by the fact they don't actually know their users' master passwords.

    3. You have to allow your browser access to the webcam, which you might not want to do.

    4. In return for this lack of security, you get less convenience not more. If the computer doesn't have a webcam, you'll have to use the master password anyway so you'll have to memorise it. Does typing in an already memorised password really take more time and effort than taking a selfie then accepting it on your phone?

    Worst of all, point 2 applies even if you decide not to use this feature.

    1. Rimpel
      Thumb Down

      Re: Terrible idea

      re 2. they claim they don't

      " Each user has his or her own access and encryption key, and no one else knows what that key is. LogmeOnce’s employees and servers do not have access to your credentials"

      I agree with your other points though. And taking a photo adds no more security than any other 2FA, personally using google authenticator or a push notification like google have just introduced is far more convenient.

      If they don't have your master password you will have to enter it, so you can't 'choose to no longer type it in' (from the article)

      1. Seajay#

        Re: Terrible idea

        You're right, they do say that on their Features page. But they also say on https://www.logmeonce.com/photologin/ "No passwords needed here! When it’s time to log in, simply pose for a photo."

        How can both of those be true?

        The only way I can see that working is if your decryption key is stored on your phone (non password protected). When you accept a photo, the key is used to decrypt your password vault. However, you're viewing your account on a PC not on your phone so your decryption key must get transferred to the logmeonce servers then passed on to your PC. They might not be storing your decryption key but it must be passing through their server and across the internet twice in this transaction, which is only slightly better.

  10. Stevie

    Bah!

    So no-one else caught the need to carry two devices around to use this on-the-go?

  11. Joew2014

    LogmeOnce PhotoLogin

    Full disclosure: I am a beta user of PhotoLogin. I want to clarify a few things as this report makes wrong assumptions and so do some of the comments.

    1. You have multiple options to save your passwords with LogMeOnce, in your desktop, cloud or a USB. Your credentials get encrypted locally in your own machine. Their website shows it’s been this way for years.

    2. You don’t need any passwords with PhotoLogin, not even a master password.

    3. A hacker trying to hack into your account doesn’t know if you covered your camera or you don’t have a webcam. This PhotoLogin gives you your photo and a bunch of metadata with each login attempt, like the date and time it’s made, GPS address and IP info. You can also add in other ways to authenticate your identity like your fingerprint

  12. benderama

    The picture itself can be used as code too.

    If I'm snapped holding a stapler, it's all good. If the picture shows me holding scissors, send help asap.

    If it's Monday before lunch, I should be holding an apple. If it's Tuesday after dinner, I should be holding a 12in black rubber dildo.

  13. Jin

    Authentication by selfies ruins the security of password protection.

    They seem to be badly misinformed.

    Authentication by biometrics usually comes with poorer security than PIN/password-only authentication as illustrated in this video.

    https://youtu.be/5e2oHZccMe4

  14. %%#root

    What could go wrong

    Does the app protect against malware wrapping on handheld devices? Such as using .bmp versions of text to display things on screen instead of text "strings" sent to the display?

    If not the malware will just click confirm all by itself after any unmatching request and they'll have all your passwords for EVERYTHING banking etc. don't be lazy ppl. This app has potential, huge potential to make people more lazy. But if done right it could be useful for no critical stuff like fb twitter register login etc

  15. Joew2014

    You are wrong

    Full disclosure, as I am PhotoLogin beta user.

    Your theory will not apply because you are making assumptions and might have misunderstood how PhotoLogin works. Your assumption means that 1) the hacker is actually present at the victim’s physical location, using the exact same computer and same IP address plus the victim's phone 2) the hacker already has the victim’s computer password, mobile phone’s PIN, and Victim’s PIN or fingerprint to his LogMeOnce account.

    Is this really a scenario anyone should worry about?

    I am sure you are aware of an unrelated hack, called keyloggers, that simulates keyboard action for computers. That is a huge, actual risk, and security experts advise using two-factor authentications to combat it. What you are saying is that it's ok to be lazy, by relying on a lone password with a single protective layer, but do not go for Two-Factor Authentication! Your theory and suggestions are against what security experts advise.

    With PhotoLogin, LogMeOnce is using multiple factors of authentication, Passcode, Photo, device step up, and the PIN. And Two-Factor Authentication is running in the background. Keep in mind the photo in this program self-destructs in 60 seconds, and captcha kicks in after 5 attempts! Without PhotoLogin, end users are relying on a lax 4 or 6 digit passcode…!

  16. Pango
    FAIL

    Gimmick much?

    I honestly don't see how this is secure. Its totally unnecessary. There are far better, more secure and cross platform alternatives available. I use Keeper, which is extremely secure and works with both my browser and my cell phone. I would definitely recommend that as an alternative to this nonsense.

  17. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021