US government's Login.gov turns frown upside down, now smiles on facial recognition

The US General Services Administration (GSA) plans to support facial recognition through its Login.gov authentication service, after declining to do so last year. "Today, GSA is announcing that it will offer new pathways to identity verification beginning next year that will align with the National Institute of Standards and …

  1. An_Old_Dog Silver badge
    Joke

    Sure, it's Secure. For Weak Values of "Secure."

    (Lalo Schifrin-written theme music plays) "Danh-danh danh-DANH-danh-danh dunh-dunh-dunh." Angela Merkel (yes, yes, now it's Olaf Scholz) emerges from a high-security biometric-ID-secured UN military facility, walks down the street, climbs into a box van, and pulls a rubber mask from their face, revealing Peter Graves. Van starts, pulls into traffic, and drives away ...

    Seriously, I've seen one military fingerprint access-control scanner fooled by a photocopy.

    (Icon for "Security is no joke, but access-equipment vendors' products treat it as if it were one.")

    1. DS999 Silver badge

      Re: Sure, it's Secure. For Weak Values of "Secure."

      If passwords were a secure solution then I'd agree biometrics were a dumb idea. But passwords have their own set of huge problems. I have no problem trusting my iPhone's security to Face ID; it is more convenient than a password and I don't have to worry about shoulder surfing, plus I can easily disable it on the fly, requiring my password to log in next time, if I were in a situation where I was worried someone might hold the phone in front of my face to unlock it. At least, unlike web passwords, my phone's password isn't stored in a database vulnerable to hackers etc., and unlike my password for The Reg it isn't one I have reused in dozens of places all around the web.

      I'm skeptical about the way the government seems to be doing this, since if they are supporting this for PC logins it would have to be with a webcam. That sort of simple 2D face recognition can easily be fooled by a photo, but no one is being REQUIRED to use it; you can still use a password, and they have another option where you video chat with a "trained" person who can say if you are who you say you are, which is easily more secure than both 2D webcam facial recognition and passwords, and if the person really is "trained" with more than a one-day classroom snooze, probably better than Face ID as well.

      The people who will choose the webcam facial recognition are probably the same people who are using their pet's name with "123!" added to the end of it as their password for everything from their AOL account in 1997 to their 401K stock account today, so even that weak security will be an improvement.

      1. Dan 55 Silver badge

        Re: Sure, it's Secure. For Weak Values of "Secure."

        Face ID is on device and it uses the normal authentication behind the scenes (PIN, password, token for already-registered bank card). You're pretty much guaranteed to be who you're supposed to be by having the iPhone in the first place and it just has to compare one known face.

        Allowing facial recognition on an authentication server open to the Internet with Russia and China banging on the login page is something else entirely and I look forward to the article in The Register about it a year or two later.

        1. stiine Silver badge
          Facepalm

          Re: Sure, it's Secure. For Weak Values of "Secure."

          Yep, and none of that biometric data was pilfered when the OPM was hacked, right? Right?

        2. DS999 Silver badge

          Re: Sure, it's Secure. For Weak Values of "Secure."

          I assume this government system is doing the same sort of matching - you give it your name/login and it compares your face to that one face (which we sure hope is stored as a hash rather than keeping a bunch of photos). If it relies on you simply showing your face and it compares your face with millions of other faces to identify you then it is going to be an epic disaster. But even government contractors can't be dumb enough to design something like that, can they?

          It remains to be seen how this is going to be implemented. Will it really allow a webcam on a PC, or will it work alongside a smartphone's Face ID using Passkeys? If it is the latter I don't see a problem. If it is the former, while I think it is a really bad idea, I don't think it is made worse by Russian hackers attacking the site. They aren't going to be trying to fake my face to log in as me; they want to break into the site itself and get access to whatever data the login is protecting. Not just for me, but for everyone.

          1. An_Old_Dog Silver badge

            Re: Sure, it's Secure. For Weak Values of "Secure."

            But even government contractors can't be dumb enough to design something like that, can they?

            Yes, yes they can. Government contractors have been (a) stupid enough, and/or (b) greedy enough.

          2. Dan 55 Silver badge

            Re: Sure, it's Secure. For Weak Values of "Secure."

            Login.gov works with an email address and a password. So just try the usual wretched hives of scum and villainy to buy pwned data and try it out.

            Social Media is a rich source of photos, LastPass had a data breach so shared secrets can be obtained from that, SIM swapping will get you past text message verification. It might not be everything you need, but I'd wager enough to get your foot in the door.

  2. Sora2566 Bronze badge

    Oh for pity's sake... just use passkeys, and require user verification. You'll get more security with far better privacy outcomes.

    1. mmccul

      Passkeys are authentication. IAL is identity assurance. Different problem space.

      1. Anonymous Coward

        Not exactly

        This is more an issue of mixed policy. The identity assurance part can be provided outside the password or passkey authentication, and under the government's proposal you will be able to take care of it for the lower levels at a post office or probably places like the passport office, embassy or DMV.

        The higher level protocols want per connection authentication via something like a live video feed.

        But the other poster was largely correct that the proposed facial login scheme is a train wreck waiting to happen, and that after an account has been verified (possibly in person) a passkey is more secure than facial recognition in blocking attackers that don't have access to the user's device or account. Cracking a good passkey is hard at best, and in most cases impossible. Cracking a static face check is easy if you have seen the mark, prone to AI fakes now, skimming and MITM attacks, and many people plaster their face all over the internet.

        So I get that for the highest level of secure connections that they may enforce BOTH a password/key and active face check, but that is overkill for most of the citizen facing government sites. This has failed repeatedly already, and will continue to for the foreseeable future. People will hate it with good reason, and the money spent will be wasted.

  3. ShortStuff

    That's Just Great ... Photo Pleeez

    Now all a hacker will have to do is present a photograph to get access to people's information. How stupid can the government get?

    1. cookieMonster Silver badge
      Joke

      Re: That's Just Great ... Photo Pleeez

      How stupid can the government get?

      Extremely stupid, as is reported here almost daily

    2. mmccul

      Re: That's Just Great ... Photo Pleeez

      It's identity assurance, not authentication. It's one part of many steps. It's saying "Instead of taking your fingerprints, we're willing to take a face photo as a part of establishing your identity."

      1. Anonymous Coward

        Weak assurances at best

        People's photos are everywhere, and they leave fingerprints on anything they touch. This will all be running on potentially attacker-controlled hardware to boot.

        It will annoy and fail for honest people while being straightforward if inconvenient to defeat by attackers. Their own paper highlights false positive problems, so it is already having problems stopping people that aren't even trying to trick it in some clever way.

        What definition of assurance is that? The one that's closer to overconfidence?

  4. hayzoos

    So wrong

    Biometrics can only be used as an identifier like a username, or IRL a name. NIST IAL2 was mentioned in the article. Without anything else, just having a biometric match is really only IAL0 - no confidence the identity is authentic. Even IAL1 (some confidence the identity is authentic) is a stretch and IAL2 (high confidence the identity is authentic) is way beyond what a biometric can do.

    To raise the level of confidence in the identity, authentication is required. Stronger authentication achieves higher confidence in the identity. A biometric as an authenticator of an identity is weak. A biometric can be added to other authenticators for multifactor authentication to improve authentication.

    In security circles this process is called I&A (identification and authentication). First an identity is presented like a name, SSN, a biometric, a username, or account number. If no further steps are taken, then you have achieved IAL0 - no confidence. If some level of authentication is performed such as presentation of a PIN, or a password, or a secret handshake, or a key..., then IAL1 is achieved - some confidence. To go to IAL2, some strong authentication is required, either a proven strong single authentication factor like a hardware token or multifactor like a password and a token or a PIN and an SMS-delivered one-time code.

    So many get this wrong.

    1. Michael Wojcik Silver badge

      Re: So wrong

      I don't think SMS will give you IAL2; NIST dropped it as a permitted authenticator some time ago. As they should have.

      I'm not a fan of Passkeys (oh, look, a whole bunch of new failure modes, particularly for non-technical users), particularly when they're coupled to biometrics (still a terrible idea), but they'd be a hell of a lot better as an IAL2 authenticator than an SMS-transmitted OTP.[1]

      Personally, I favor TOTP as a 2FA mechanism, but I have the technical knowledge to know how to back up the secret (though the widespread use of accursed QR codes makes that more difficult than it should be), and the experience to know I should. Just like I use a password manager with a strong master passphrase and have that backed up as well. For non-technical users we still are not at all close to having an adequate solution to authentication.

      [1] Passkeys do have the considerable advantage of not transmitting the secret, but we already had a bunch of ways to do that, such as SRP and PAK and SPEKE. I designed a toy system with that property once myself using a 1WA. The main advantage of Passkeys seems to be a strong marketing push by Google and Apple.

  5. OhForF' Silver badge

    >Government agencies have the option of choosing which approved identity verification method they wish to use to authenticate users of online services.<

    Why is it not the users that have the option of choosing which government approved method they want to use?

    The answer is probably that government bodies think they represent the highest authority and users are supplicants, even in the US where they have no history of representing the emperor.

    What does it take to get it into the bureaucracy's mindset that they are a service supplier for the sovereign (=the people)?

    1. Ideasource Bronze badge

      In a word

      experimentation.

      Governments (both individually and as a whole) experiment constantly to see what they can and can't get away with.

      1. stiine Silver badge
        Big Brother

        This'll certainly flummox those state legislators that blocked the previous REAL ID siphon.

  6. mmccul

    Identity Assurance is not Authenticator Assurance

    A lot of confusion exists thinking that the facial recognition is 1. sufficient, 2. part of authentication. Neither is true.

    The announcement states that facial recognition is being added to the acceptable list of biometric methods that is used to establish the identity. That's prior to issuing the authenticator to the individual. None of this has anything to do with authentication, it's all about identity proofing.

    When you actually look at the rules for IAL2 (like I've done for far too many hours at a time), you realize that the biometric factor is one of many things involved in establishing the identity. Take out facial recognition for a moment. Instead, look at the problem this way. You are doing something sensitive, so you go to an office, present your picture ID and are fingerprinted. The fingerprint collection (the most common form of biometrics used for IAL2 and IAL3) is not just "do you have a criminal record"; it's part of the overall process of establishing who you are. The fingerprints (or facial recognition in this case) help as part of the verification of the evidence presented, just like when one presents an ID, there are features checked to ensure it is a valid ID (e.g. a hologram being present on many US IDs).

  7. Anonymous Coward

    If GSA is still partnered with CGI Federal for coding and server support, it's going to be a cluster fsck.

    I used to work for CGI Federal on the server support side, the programming side of the house really couldn't code themselves out of a paper bag. I can't tell you how many times we as server support admins had to look at the raw application/services code and just say "WTF?!?!?" And had to explain to them what was wrong and give them decent working code that wouldn't crash every couple of hours/days.

    1. mmccul

      Isn't that the case for oh so many contracts awarded to the lowest bidder, not just in federal space, but anything IT?

      (Speaking as someone who worked for many years for a contracting firm that didn't try to be the lowest bidder. Sometimes the joke was we were who you called after you fired the lowest bidder.)

  8. M.V. Lipvig Silver badge

    So, dye my hair, grow a beard, get in a fight and get a black eye/broken nose/missing teeth, etc.; will this lock me out?
