About face
I'm wondering about the type of user that would consider relying on face recognition instead of a password. Could it be they're already totally pwned?
If you've skipped recent Windows 10 Creators Updates, here's a reason to change your mind: its facial recognition security feature, Hello, can be spoofed with a photograph. The vulnerability was announced by German pentest outfit Syss at Full Disclosure. Even if you've installed the fixed versions that shipped in October – …
If only there was some other way to log into a computer or device that only the person logging in could supply, like a password or a passcode backed up by another device that only they should have access to, but which would be useless without the other information.
Surely there must be someone out there that could create this sort of system?
"ORLY? I've lost count of the number of times I've heard of lost keys and wallets or found the same lying around in the middle of nowhere."
Yes - we genuinely are quite good at keeping things safe.
And of course if you find a SecurID token, or one of those debit card based versions...
You still don't have the 'other' factor.
2FA does nothing for the man standing behind you with a lead pipe... but it does make systems much less vulnerable to simple hacks.
"And of course if you find a SecurID token, or one of those debit card based versions...
You still don't have the 'other' factor."
Unless, of course, you're actually one of the "lead pipe" types, which are actually a lot closer than you think. Plus there's the ability to pwn the machine while the second factor's already entered, again a lot more frequent than you think. Instead of targeting the second factor, simply look outside the envelope for a point where it MUST be interactive, much like you get past encryption by waiting for a point where the information MUST be decrypted.
I forgot the cybermen. They would be perfect
Cyberman 1: I have unlocked the Cyber Controller's phone.
Cyberman 2: Excellent
Cyberman 1: Upgrading is compulsory.
Cyberman 2: You will be upgraded
Cyber Controller: Oh shit, delete! iOS 11 is not compatible.
Cybermen - Good baddies, rubbish at jokes.
Simple fact of modern life: people will shout about protection of their assets 'til they are blue in the face, but when it comes down to it, the simple act of typing a password or fishing out the challenge-response device and using it is all far too onerous for them.
Face recognition, contactless pay, cheap fingerprint readers...
Use them - you deserve what you get.
"To be honest if someone has physical access to your machine then you can count it pwned anyway so I don't see the issue here."
There is a difference between 'having physical access' in the sense of time and privacy to open a machine to extract the HDD and/or modify it to insert a keylogger or run some sort of DMA attack via Thunderbolt ports, etc., and 'having physical access' as in popping into an office with a sheet of paper when you have gone to the toilet.
No, it's worse than FaceID because no matter how fantastic of a job Microsoft does, some PC manufacturer will save $0.10 by putting the cheapest piece of garbage camera in that their supplier happens to have a warehouse full of.
That's why nobody has yet managed to fool FaceID with a mere photograph, whereas as per this very article people are able to fool Windows 10 Hello with a mere photograph everywhere that a "[whatever brand] USB IR camera ... could not be used with the more secure face recognition settings".
Like the kind people leave lying around on social media.
Or, does it need a specific, near-IR photo taken with a special camera?
Because, if so, don't let someone take a face-on picture of you with a 'funny-looking' camera.
I do wonder if the proper iris-recognition system of the Lumia 950 has been defeated, because it works well enough; perhaps they should have the extra hardware on the Surface at least.
This is not face recognition. They measure features on a person's face and compare that to a previous record. It recognizes distances between points (and is probably a fuzzy match).
Find out what points of the person's face the algorithm is measuring and you don't even need a real picture to fool the system.
Plug in a USB device that claims it's a camera and start throwing patterns at the login subsystem.
Fun stuff.
Hacking by photos, masks and brothers is a minor issue. Even if perfected to be fake-proof, biometrics will remain insecure due to the inherent trade-off between False Acceptance and False Rejection.
Two entrances placed in parallel in case of false rejection provide a nice convenience to criminals. This is what we witness in so many biometrics products in cyberspace.
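The trade-off this last comment refers to can be made concrete. The following is an added worked example, not code from the article or from any commenter: it scores a hypothetical matcher over constructed genuine and impostor samples, tabulates the False Acceptance Rate (FAR) and False Rejection Rate (FRR) as the decision threshold moves, and then compares two ways of combining a biometric with a fallback factor. The assumed 0.05 per-session guess probability for the fallback PIN is a made-up number, chosen only to show the arithmetic.

```python
# Added example (not from the article or any commenter): how the False
# Acceptance Rate (FAR) and False Rejection Rate (FRR) of a biometric matcher
# trade off against each other, and why placing a second login path in
# parallel (biometric OR fallback) raises the attacker's acceptance probability.
# All scores and probabilities below are constructed for the illustration.

# Constructed similarity scores (0-100) reported by a hypothetical matcher:
# higher means "more like the enrolled template".
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]   # legitimate user
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 35, 66, 58, 74, 52]  # other people / spoofs


def rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for a matcher that accepts when score >= threshold.

    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(thresholds=range(50, 100, 5)):
    """Tabulate (threshold, FAR, FRR): tightening the threshold drives FAR down
    and FRR up, so no single setting makes both small."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_threshold(thresholds=range(50, 100, 5)):
    """Threshold at which FAR and FRR are closest; the equal-error point is the
    usual one-number summary of a matcher's quality."""
    best = min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))
    return best[0]


def parallel_far(far_a, far_b):
    """Two independent paths where EITHER one unlocks (e.g. face OR PIN fallback).
    The attacker only needs to beat one, so acceptance probability goes up."""
    return 1 - (1 - far_a) * (1 - far_b)


def serial_far(far_a, far_b):
    """Two independent factors where BOTH must pass (face AND PIN)."""
    return far_a * far_b


def parallel_frr(frr_a, frr_b):
    """Parallel paths only lock out a genuine user if every path rejects them."""
    return frr_a * frr_b


def serial_frr(frr_a, frr_b):
    """Serial factors lock out a genuine user if any one factor rejects them."""
    return 1 - (1 - frr_a) * (1 - frr_b)


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep():
        print(f"{t:>9}  {far:.2f}  {frr:.2f}")
    t = equal_error_threshold()
    far, frr = rates(t)
    print(f"\nequal-error threshold ~ {t}: FAR={far:.2f}, FRR={frr:.2f}")
    # Assumed fallback: a PIN an attacker guesses with probability 0.05 per session.
    pin_far, pin_frr = 0.05, 0.0
    print(f"face OR pin : attacker accepted {parallel_far(far, pin_far):.3f}, "
          f"user locked out {parallel_frr(frr, pin_frr):.3f}")
    print(f"face AND pin: attacker accepted {serial_far(far, pin_far):.3f}, "
          f"user locked out {serial_frr(frr, pin_frr):.3f}")
```

Running the table shows the point the comment makes: lowering the threshold to stop legitimate users being rejected lets more impostors through, and raising it does the reverse. Offering the fallback as an alternative (OR) makes the system at least as easy to defeat as its weakest path, whereas requiring both (AND) multiplies the attacker's odds down, at the price of more genuine-user lockouts.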