Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Amazon Wants To Replace Passwords With Selfies and Videos (thestack.com) 125

An anonymous reader writes: Amazon has filed a patent application for a technology which would allow consumers to authenticate transactions via selfie or video. As part of the verification process, the computer or mobile device will prompt the user to 'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.' Amazon claims that the introduction of facial recognition technology will make transactions more user friendly and secure than conventional identification methods, such as passwords which can be stolen and hacked.
This discussion has been archived. No new comments can be posted.

Amazon Wants To Replace Passwords With Selfies and Videos

Comments Filter:
  • by koan ( 80826 )

    As if Amazon isn't bad enough, now it's just downright creepy.

    • Re:Laugh (Score:5, Funny)

      by tiberus ( 258517 ) on Tuesday March 15, 2016 @07:55AM (#51699409)

      'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.'

      As if Amazon isn't bad enough, now it's just downright creepy.'

      Creepy isn't quite the word that comes to mind, more like pervy.
      Just what "certain actions, motions or gestures" we talkin' 'bout here? Just wanna know if I'm gonna have to clean up afterward...

      • My gesture to Amazon: Middle finger up.
        • "I'm sorry Mr. One. That password is already in use.

          Please choose again. Suggestion: middle finger up with the pinkie of your left hand inside your right ear."

          You just tried it to see if your pinkie would reach, didn't you?

      • by sootman ( 158191 )

        Well-endowed girls everywhere will be complaining, "Why does Amazon always want me to jump up and down?!?"

    • Amazon says, "give us a twirl, love."

  • by YukariHirai ( 2674609 ) on Tuesday March 15, 2016 @07:57AM (#51699423)

    I'm not too optimistic about systems like this. Sure, passwords can be stolen, but if you're careful they can be kept secret, and they can be changed if need be. But my face? If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck. And on the other hand, I'm also concerned that an automated system could decide that I don't look like me; the state of my beard at the time or whatever throwing it off.

    So in short, interesting idea, but probably not all that practical.

    • by SIGBUS ( 8236 )

      And then there's fingerprints. Nothing like a "password" that gets printed onto almost anything you touch!

    • by Max_W ( 812974 ) on Tuesday March 15, 2016 @08:59AM (#51699763)

      ...But my face? If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck. ...

      A Niqb could be a solution, at least for women: https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by Jason Levine ( 196982 ) on Tuesday March 15, 2016 @09:00AM (#51699771) Homepage

      If someone gets their hands on a suitable picture or video of me (really not hard to get a photo or video of the average person) and can use that, I'm shit outta luck.

      Exactly this. We keep telling everyone not to share their passwords. What's one of the big things people love sharing? Photos of themselves! When you make someone's face their password, you've just turned every selfie they've ever sent into a shared password. How long would it take to compile those "password shares" into something that could fool Amazon's system?

      I recently tried an app MSQRD which maps someone else's face onto yours. It works surprisingly well: changing your face into a gorilla or Tony Stark or Barack Obama. You can move your mouth, tilt your head, etc and it keeps working. Now imagine if someone were to make something like that but using all those selfies that someone posted and using the result to fool Amazon's app into thinking that's what you really looked like.

      Passwords have their flaws, but those can be mitigated by additional layers of security (e.g. two factor authentication). Facial recognition is one of those things that sounds good in theory, but falls apart on closer observation.

      • Daybreak (formerly SOE) had technology in EQ2 and EQ:Next where it would map your facial expressions onto your character's. Called SOEMote, it fell right into the bottom of the uncanny valley, but was an interesting thing to play with.

    • Re: (Score:3, Insightful)

      by I4ko ( 695382 )
      How about the system recognizes the blood on my face and the knife on my throat or the gun next to my head. Using faces for passwords is as ridiculous as using fingerprints for passwords. Biometrics should only be used for usernames, passwords should be something you know, not something that you are.
      • Using faces for passwords is as ridiculous as using fingerprints for passwords. Biometrics should only be used for usernames, passwords should be something you know, not something that you are.

        This is the most sense I've ever heard talked regarding biometrics.

    • While I see a host of problems, this isn't a face. This is a video stream of your live face combined with an arbitrary suggested action.

      • And it is not impossible to map an image of someone over a CG model and have it move whatever way you want. It probably wouldn't convince a human that it's the real person, but it wouldn't need to.
  • Is facial recognition good enough to detect differences between identical twins 100% of the time? Or are twins the next group to be left out in the cold by a technological advancement.
    • My own sister used to have trouble detecting difference between my brother and I and we are not twins. Not so much now that we have very different hair and facial hair styles but friends we haven't seen in a long time sometimes still mistake us for each other.

      • My GF's sister could probably pass for her if she let her hair grow and colored it. As it is, when she was around people who know my GF, everyone knew she was R's sister before anyone said anything.

        • Back in the 90s and even as recent as 2005 my brother and I had the the same hair style and the same style clothes and I would frequently have his friends or co-workers walk up and just start talking. I would and say something like you must know my brother and they would look at me funny and then notice the more subtle stuff like a wedding ring. That didn't actually convince one girl she thought he was a lying cheating bastard until I pointed out that I also have a tattoo and he doesn't.

  • by rmdingler ( 1955220 ) on Tuesday March 15, 2016 @07:59AM (#51699441) Journal
    No. No. Hell no, Amazon.

    Allegedly for help with the troublesome task of entering passwords from a mobile device, this co-opting of the device's camera function is a bit too Orwellian.

    And if I get to where I can't use a mobile phone keyboard, I will use a tablet or just wait till I get my ass home.

    • Comment removed based on user account deletion
      • What webmasters should do is quit looking at their own website only and implement SSO. OAuth2 or whatever. Some sites already have it, and it works.

    • by DogDude ( 805747 )
      "Multiyear Prime subscriber here"

      "a bit too Orwellian"

      I don't think that you know what "Orwellian" means...
    • by pla ( 258480 )
      Allegedly for help with the troublesome task of entering passwords from a mobile device, this co-opting of the device's camera function is a bit too Orwellian.

      Even given how annoying most phones make it to enter non-alphanumeric characters, I can't help but think that I can still enter 8-12 random characters faster than finding a well-lit spot and performing a variety of selfie poses on command ("Sit... Beg... Play dead... Fat-girl pose... Roll over... Good human, here's your account!").

      Dear Amazon - I
  • by fibonacci8 ( 260615 ) on Tuesday March 15, 2016 @08:03AM (#51699451)
    Great, catfishing is already popular, so someone had to come up with a form of security easily thwarted by it?
  • Wait:

    "The entry of these passwords on portable devices is not user friendly in many cases, as the small touchscreen or keyboard elements can be difficult to accurately select, "

    You mean to say things are not easy to do on mobile device??? About fucking time someone said this. OF COURSE IT'S NOT EASIER...it never was - never stopped you from pushing people to do all things mobile.

    Again, it's about the mobile device not the computer. Never had a fucking problem ordering via a computer. Fuck Off
  • If you want to buy something put a shoe on your head!
    • "If you want to buy something put a shoe on your head!"

      Hold it... Hold it... Now, bark like a dog!

      This could be fun!

  • Are they crazy? Put user biometric data into companies hands (so it can be stolen like everything else) - and of course you can't change it once its been compromised - which will happen, then you're stuck (not the company that lost it of course...they'll give you a year of credit monitoring). As others have pointed out giving companies access to your biometric data, camera and microphone on your access device is wrong on a bunch of other levels (privacy, govt access via that company etc.). No fffing way.
  • Ah the joys of 'security'.

    I'm waiting until we finally get the 'If a 4 digit pin is secure enough for your bank, why not for us too?'. We don't need this kind of thing and we are going about it all wrong. Security shouldn't be easy, it should be hidden. Hell, if Amazon are good enough to predict what I'm going to buy, surely they know something is wrong them moment I start buying loads of something unexpected, and then try and ship it to somewhere I don't even live?

    Nothing is wrong with a good password, and

    • I believe they already do something like this. If you are making a purchase that Amazon deems suspect (mainly, in my experience, due to shipping orders to someplace new), you need to enter in your full credit card information again and not just use the stored card number. It can be annoying sometimes when it happens, but I still like the feature. I'd rather be annoyed every so often than log on one day to find out that "I" maxed out my credit card buying electronics and having them sent to some address I

      • I go back and delete my method of payment from accounts like that since I don't order on line constantly, new egg maybe once a year, amazon maybe 3 or 4 times, walmart a couple times. Get into my the account for my gas, water, trash, power bill on the other hand....

      • Allowing a company to store your credit card details is already a very bad idea. It's convenient though. But security and convenience do not coexist peacefully.

  • Biometric data can also be stolen or hacked. The difference is that I can change my password in a matter of seconds. My biometric data, if stolen, is compromised for my entire life.

    That being said, I don't mind the finger print scanner on the iPhone and Nexus phones, because they're kept entirely local and the whole system locks down if the biometric data could be compromised. But what Amazon is proposing is that I send my biometric data across https every single time I want to log in to watch some Prime
  • Security (Score:5, Insightful)

    by JasterBobaMereel ( 1102861 ) on Tuesday March 15, 2016 @08:33AM (#51699623)

    The 3 factors are
    Something you know : Password
    Something you have : Key
    Something you are : Biometrics

    also known as
    Something you forgot
    Something you lost
    Something you cease to be ...

  • "Amazon is pleased to announce the latest in cutting-edge security: Dick Pic Authentication/Tit Pic Authentication (DPA/TPA). To access your account, simply snap a quick shot of your junk/tits!"
  • by evolutionary ( 933064 ) on Tuesday March 15, 2016 @08:41AM (#51699665)
    People are funny. They sell less secure technologies as more secure. Fingerprint passwords for example: Just grab a coffee mug, or better yet, a paper cup from a user who goes to Starbucks/Second Cup and presto! I have your password. Now we want to use photos? Graphic images or videos that are possibly published on Facebook (or Google+or some other social media). That is even easier to copy. We've all see that voice passwords can be duplicated, especially with snooping devices over cell phones (which we know the police use now). At least with passwords, they are easy to change and require an expert sniffer or getting into someone's head. Not perfect, and yes they are broken, but it take in my observation more work then getting a fingerprint, or better yet a selfie that has been transmitted to friends, family and every server/transmissions repeater point/server farm in between. You can argue passwords travel between servers too, but people send to send their favorite selfie to everyone. In other words, people are far more careless with selfies than passwords (Unless you are one of those in the dark ages still using relative/loved one's name with no numbers). Oh, it would also require us to remove the black tape many of us put over our phones/tablets/laptops to prevent hackers/backdoor users (aka government) from using our phones to invade our privacy. Even more insecurity.
  • ... via facial recognition from google image search.
    Assuming the server side biometric data doesn't ever get compromised, how the fuck are they going to detect on the - very hackable - client device that the photo or video is live and not downloaded off facebook or youtube?

    Seriously, who is the idiot who approved spending money on this patent? Any Amazon shareholder cares to sue him for wasting the company's money?

  • Similar Software was utilized as a Windows 98 add-on. To log in, you had to sit in front of the computer and facial recognition software acted as the password manager.

    On a 180 MHz overclocked Compaq desktop, just to let you know how old this 'selfie for a password' idea truly is.

  • The more anonymous the transaction, the better. The last thing anyone needs is to put more of ourselves "out there" ready for hackers or NSA terrorists to take advantage of.
  • What about my evil twin?
    Will shaving off the goatee be enough?

  • It's a good thing that computers can't make lifelike images and that no pictures of people are on the Internet. Oh, wait, those assumptions might not be true. Look, all authentication systems have weaknesses, but this one seems designed to be trivial to circumvent. Ugh.
  • This has two problems:

    1) At some point the face is reduced to a set of numbers. Those numbers can be stolen and reproduced just the same as a password.
    2) The other way to hack this is at gunpoint.

  • If people become used to this, the candid camera sketches would be unending.

    "For verification of identity, please now introduce your pencil in your left nostril".

  • Flawed (Score:4, Insightful)

    by wkwilley2 ( 4278669 ) on Tuesday March 15, 2016 @09:36AM (#51700047)

    Face recognition is all fine and well till you grow a beard, or have a stroke.

  • I'm all for better ways to authenticate. Fingerprint, selfies, gestures, code generators...

    But why must it always be framed as getting rid of passwords. Why not in addition to? As the old saying goes, good authentication involves 3 things.

    Something you know (password)
    Something you have (token generator)
    Something you are (fingerprint, selfie)

    They can play with these in terms of convenience and security, but I hope we never get rid of passwords. Maybe Amazon can use selfies for low value transactions, and the

  • ... why the password prompt was changed to "Tits or GTFO!"

  • Amazon: Your password for today, is a picture of your tits.

  • Not all devices have cameras

  • 'perform certain actions, motions or gestures, such as to smile, blink, or tilt his or her head.'

    No way a video of that could ever be faked!

    It would be totally impossible to capture or intercept the video of a legit transaction and then play it back, that could just never, ever happen!

    And with the advanced video tools on the market, it would also be utterly impossible to take some innocuous pre-existing video and modify it. Anyone who's ever uploaded more than a few seconds of video of themselves to Youtube doing anything is now at risk of being spoofed.

    Seriously, it's like Amazon is searching for nove

  • This sounds exactly what 4chan users on /b/ have been using for identifying if OP is really delivering.

    "Shoe on head."
    "Sharpie in pooper."

    --
    BMO

  • As someone with Parkinsons that already has enough problems using modern phones since they all want to do guestures and hover crap, and it has to be turned off per-app, can't be globally (at least, on android), how about a big fark you. I don't need someone telling me my smile isn't an adequate smile at 2am, just because I can't really control my face.
  • I had a similar idea for but for Git. I asked one of the SW guys to write a Microsoft Kinect interface for Git. I'd use a middle finger going side to side to commit and thrusting the middle finger up and down would be a push. Now, two double fingers moving rapidly but in any direction would be a merge (because that's what everyone does when that tool merges any file). A shaking fist would be a pull (normally after a merge following the deletion of the merged file).
  • I am not going to use biometrics to authenticate shit

    You can only get your biometrics stolen ONCE, after that big effing luck changing your eye signature or your fingerprints

    You have littered the whole internet with your facebook and instagram pictures in a while variety of pictures

    Media ppl specially, there are thousands of hours of high resolution video of your face in a wide variety of poses, you are soooooooo screwed

    Lazy ppl unwilling to remember passwords are going to be the end of us

    Just send them rfi

  • 1 get photos of person. 2 use photos to create a skin for a Hi rez CG animation program 3.use CG animation program to trick authentication software. 4.Profit!
  • Getting a BOT to do things upon command is easy. There is going to be a limited number of things that can/will be asked for, these can be pre filmed/rendered in advance. If they do come up with a new required antic - then you don't get to login; is that a problem? Breaking 10% of accounts mechanically still gets you into lots of accounts.

    10 years ago The Subservient Chicken [subservientchicken.com] was doing this. It was bought by Burger King .... now all that remains is an inane video.

  • It might require a little bit of sophistication to create the software that would make an image respond to the requested gesture, but this would pave the way for credentials to be stolen (permanently) by just taking a picture of a person.

    Somehow I don't think this is a good idea.

"Facts are stupid things." -- President Ronald Reagan (a blooper from his speeach at the '88 GOP convention)

Working...