Pull the black tape off my camera every time I need to log in to something? No thanks.
Meet the grin reaper: Password manager now snaps login SELFIES
Forget master passwords, literally. Password manager LogmeOnce has come up with a new-ish way to log into websites – selfies. The cloud-based biz told El Reg today it has added a new PhotoLogin option which takes a photo of you and uses it to unlock the services you're trying to access. It works by getting you to take a …
COMMENTS
Wednesday 29th June 2016 07:44 GMT Anonymous Coward
"Pull the black tape off my camera".
I'd suggest something designed to be a balanced measure of security and convenience (oh that's sooo subjective) isn't for you. Mebbe one of those plastic slidey shutter things vendors give away at Infosec as an upgrade? Don't forget a blast of cavity insulation into the mic port if you can find it (no idea where mine is).
Tuesday 28th June 2016 22:03 GMT Anonymous Coward
Stupid
What's wrong with an app on the phone that produces one time codes? You can have it protected by a password, a PIN, a fingerprint, facial recognition or whatever your phone supports, or nothing at all if you wish to assume your phone won't be lost or stolen.
I currently use this system for logging in to a corporate VPN, but I have to use an external device that uses a smart card. I wish I could just use an app since I have my phone with me all the time anyway. I wonder if Apple built something like that into iOS and supported loading certificates if corporate IT security types would be interested in supporting it? Then you wouldn't need an app for LogMeIn, an app for Cisco, etc. but even that is a better idea than this ridiculous selfie scheme.
Wednesday 29th June 2016 07:49 GMT Anonymous Coward
Re: Stupid
This is a software token (vs a hardware token that is either a 'personalised' fob i.e. unique to you or a generic card reader such as is issued by the banks where the personalised bit is the bank/smart card itself). Most strong auth vendors have software tokens that typically run on iOS/Android/Windows/Mac/BB with the smartphone ones being the most commonly used. I'll leave it to you to ask your IT service desk about the provision and use of such tokens and the respective vendors to argue the case over the relative security of each.
Wednesday 29th June 2016 04:21 GMT Flocke Kroes
Re: Photos?
Read the article.
That was my first thought when I read the title, but facial recognition software is not used for this form of authentication. The photo is sent to the victim's phone, and whoever has access to the phone decides if the log in is to proceed.
If you do not want to remove the tape covering your camera, just pick a random picture off the internet. If the same one arrives on your phone then you can log in while inserting garbage into the facial recognition database LogMeOnce is quietly constructing. I get the impression their computer is going to think that all techies look like Paris Hilton.
Wednesday 29th June 2016 07:29 GMT Lee D
Re: Photos?
Better question:
How is this any easier or better than:
"A user at IP x.x.x.x just tried to log into your account. If this is you, please press Accept. Otherwise press Reject"?
Because, for sure, I can't think of anything else that would make a difference between those systems. "I could send you a fake request with a fake IP"? If I didn't request login, why would I press it. And if I got four or five logins at the same time as I login, then honestly you're compromised anyway because someone KNEW you were logging in at that point.
And any serious usage of both systems is likely to be hindered by automated spam after a while. After the tenth incident of someone not you trying to log in, you're just going to turn the feature off to stop it bothering you.
A compromised device is game over anyway. They might not be able to fake the photo but they'll just wait until the photo is from you and then intercept it to gain your login or whatever.
I don't think this is anything new, groundbreaking, or useful over systems that already exist (like just getting an email / notification whenever I access my account - even my server host does this "You just logged into your manager control panel. If this was not you...").
Wednesday 29th June 2016 07:54 GMT VinceH
Re: Photos?
"I don't think this is anything new, groundbreaking, or useful over systems that already exist (like just getting an email / notification whenever I access my account - even my server host does this "You just logged into your manager control panel. If this was not you...")."
Quite so. As you say, the photo isn't necessary - a simple confirmation request will achieve the same thing*. I'm inclined to think, therefore, that the photo aspect screams of, at best, gimmick. At worst, it's smoke and mirrors - a veil to make people less inclined to think about it to assume there's face recognition involved.
* And both are useless if your phone is stolen. You can still get in by use of the password - actual security - but if your phone's unprotected, then the photo or confirmation methods would provide you with less security than a padlock made of cheese.
Wednesday 29th June 2016 11:59 GMT Anonymous Coward
Re: Photos?
It could also be partially hackable... as a third party, say sitting on the desk behind the mark, send a request to login seconds before the mark tries to log in...
They get a picture of anything (though social engineering may help). They are expecting *their* photo, so click it before logging in (muscle memory outpaces the thought processes). They quickly realise it was not their attempt, phone/email the app makers, get put on hold, while the crim pilfers their account details etc.
I agree on the cheese though!
Thursday 30th June 2016 14:21 GMT Just Enough
Re: Photos?
"And if I got four or five logins at the same time as I login, then honestly you're compromised anyway because someone KNEW you were logging in at that point."
For work related accounts, it is a reasonable guess to attempt this around 9am. Or 8am. There's a fair chance that the targeted account holder will be logging in around then. And if they do not expect to get two requests at the same time, they're likely to just accept the first one they see, assuming it's from themselves. By the time they notice the second one queued up, it's already too late. This is where the photo comes into play. You don't accept the request that doesn't feature you, dressed as you are.
The one weakness I can see is if someone manages to get hold of past photos from previous logins.
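The race the two comments above describe (an attacker's approval request queued a few seconds before the real one) modelled in Python as an added example; this is not code from the article or from LogmeOnce. The IP addresses, timestamps and the 60-second request lifetime are constructed, and "matching context" stands in for whatever the phone shows the approver, whether a photo or an IP address.

```python
"""Push-style login approval and the 'race the user' weakness (constructed model)."""
import secrets
from dataclasses import dataclass


@dataclass
class LoginRequest:
    request_id: str
    origin_ip: str      # context the phone shows next to Accept/Reject
    created_at: float   # seconds; constructed timestamps, not wall-clock


class PushApprover:
    """Pending login requests for one account, approved from the user's phone."""

    def __init__(self, ttl_seconds=60.0):
        self.ttl = ttl_seconds          # requests expire, as the thread says the photo does
        self.pending = {}               # request_id -> LoginRequest
        self.approved = []

    def request_login(self, origin_ip, now):
        rid = secrets.token_hex(8)      # unguessable id so approvals bind to one request
        self.pending[rid] = LoginRequest(rid, origin_ip, now)
        return rid

    def _live(self, now):
        """Drop expired requests and return the rest, oldest first."""
        self.pending = {k: r for k, r in self.pending.items() if now - r.created_at <= self.ttl}
        return sorted(self.pending.values(), key=lambda r: r.created_at)

    def approve_first(self, now):
        """Hurried user: accept whatever sits at the top of the queue, unchecked."""
        live = self._live(now)
        if not live:
            return None
        req = live[0]
        del self.pending[req.request_id]
        self.approved.append(req)
        return req

    def approve_matching(self, my_ip, now):
        """Careful user: accept only the request whose shown context is theirs; reject the rest."""
        match = next((r for r in self._live(now) if r.origin_ip == my_ip), None)
        self.pending.clear()            # every unmatched request is rejected
        if match:
            self.approved.append(match)
        return match


def race(careful):
    """Attacker requests 2 s before the victim; return the origin IP that gets approved."""
    attacker, victim = "203.0.113.5", "198.51.100.7"   # constructed addresses
    pa = PushApprover()
    pa.request_login(attacker, now=100.0)
    pa.request_login(victim, now=102.0)
    req = pa.approve_matching(victim, now=103.0) if careful else pa.approve_first(now=103.0)
    return req.origin_ip if req else None
```

The blind approval lets the attacker's earlier request through; checking the displayed context before accepting is what turns the photo (or IP) into an actual control.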
Wednesday 29th June 2016 07:40 GMT Seajay#
Terrible idea
1. If someone has your phone, they have your master password. They just need to take a picture of a blank wall then accept it on the phone.
2. LogmeOnce knows all your passwords so once it is hacked, everyone will know all your passwords. It's certain to get hacked, even the mighty LastPass was but they were saved by the fact they don't actually know their users' master passwords.
3. You have to allow your browser access to the webcam, which you might not want to do.
4. In return for this lack of security, you get less convenience not more. If the computer doesn't have a webcam, you'll have to use the master password anyway so you'll have to memorise it. Does typing in an already memorised password really take more time and effort than taking a selfie then accepting it on your phone?
Worst of all, point 2 applies even if you decide not to use this feature.
Wednesday 29th June 2016 13:11 GMT Rimpel
Re: Terrible idea
re 2. they claim they don't
" Each user has his or her own access and encryption key, and no one else knows what that key is. LogmeOnce’s employees and servers do not have access to your credentials"
I agree with your other points though. And taking a photo adds no more security than any other 2FA, personally using google authenticator or a push notification like google have just introduced is far more convenient.
If they don't have your master password you will have to enter it, so you can't 'choose to no longer type it in' (from the article)
Thursday 30th June 2016 09:10 GMT Seajay#
Re: Terrible idea
You're right, they do say that on their Features page. But they also say on https://www.logmeonce.com/photologin/ "No passwords needed here! When it’s time to log in, simply pose for a photo."
How can both of those be true?
The only way I can see that working is if your decryption key is stored on your phone (non password protected). When you accept a photo, the key is used to decrypt your password vault. However, you're viewing your account on a PC not on your phone so your decryption key must get transferred to the logmeonce servers then passed on to your PC. They might not be storing your decryption key but it must be passing through their server and across the internet twice in this transaction, which is only slightly better.
Wednesday 29th June 2016 15:15 GMT Joew2014
LogmeOnce PhotoLogin
Full disclosure: I am a beta user of PhotoLogin. I want to clarify a few things as this report makes wrong assumptions and so do some of the comments.
1. You have multiple options to save your passwords with LogMeOnce, in your desktop, cloud or a USB. Your credentials get encrypted locally in your own machine. Their website shows it’s been this way for years.
2. You don’t need any passwords with PhotoLogin, not even a master password.
3. A hacker trying to hack into your account doesn't know if you covered your camera or you don't have a webcam. This PhotoLogin gives you your photo and a bunch of metadata with each login attempt, like the date and time it's made, GPS address and IP info. You can also add in other ways to authenticate your identity like your fingerprint.
Wednesday 6th July 2016 09:39 GMT %%#root
What could go wrong
Does the app protect against malware wrapping on handheld devices? Such as using .bmp versions of text to display things on screen instead of text "strings" sent to the display?
If not, the malware will just click confirm all by itself after any unmatching request and they'll have all your passwords for EVERYTHING, banking etc. Don't be lazy ppl. This app has potential, huge potential to make people more lazy. But if done right it could be useful for non-critical stuff like fb twitter register login etc.
Thursday 7th July 2016 18:34 GMT Joew2014
You are wrong
Full disclosure, as I am PhotoLogin beta user.
Your theory will not apply because you are making assumptions and might have misunderstood how PhotoLogin works. Your assumption means that 1) the hacker is actually present at the victim’s physical location, using the exact same computer and same IP address plus the victim's phone 2) the hacker already has the victim’s computer password, mobile phone’s PIN, and Victim’s PIN or fingerprint to his LogMeOnce account.
Is this really a scenario anyone should worry about?
I am sure you are aware of an unrelated hack, called keyloggers, that simulates keyboard action for computers. That is a huge, actual risk, and security experts advise using two-factor authentication to combat it. What you are saying is that it's ok to be lazy, by relying on a lone password with a single protective layer, but do not go for Two-Factor Authentication! Your theory and suggestions are against what security experts advise.
With PhotoLogin, LogMeOnce is using multiple factors of authentication, Passcode, Photo, device step up, and the PIN. And Two-Factor Authentication is running in the background. Keep in mind the photo in this program self-destructs in 60 seconds, and captcha kicks in after 5 attempts! Without PhotoLogin, end users are relying on a lax 4 or 6 digit passcode…!
Monday 11th July 2016 14:06 GMT Pango
Gimmick much?
I honestly don't see how this is secure. It's totally unnecessary. There are far better, more secure and cross-platform alternatives available. I use Keeper, which is extremely secure and works with both my browser and my cell phone. I would definitely recommend that as an alternative to this nonsense.