Selfies – those digital expressions of self-infatuation and keepers of memories – are slowly emerging as a potential replacement for passwords. But cybersecurity experts caution that they can only be an effective deterrent as part of a multi-layered security defense.
Some companies are already experimenting with selfies to authenticate credit card users for financial transactions, log-ins, and other online access. But these are not your average selfies.
“They ask you to blink, or ask you to maybe smile or to do something else to make it a live image,” he said. “And they do have some depth as well from the actual picture so they could differentiate it’s not a flat photo.”
Both Schober and Kaspersky Lab’s principal security researcher, Kurt Baumgartner, are impressed by the technology.
Baumgartner welcomes the use of biometrics, facial recognition and other image-based factors to replace frequently compromised passwords, but cautioned in an email that companies deploying biometric schemes should ensure their systems are properly implemented, configured, and maintained.
There are also other challenges that need to be factored in, said Schober, such as the drop in image quality when a selfie is taken at night or in adverse weather conditions.
When a picture is taken, companies using the technology transmit the selfie data from the user’s device and store the digital file on their own servers. Once it sits there, the selfie “could be replicated or possibly used by a bad guy,” said Schober.
“It’s your selfie,” he said. “They’re keeping it in digital format, broken down on their servers, on their network. I would be concerned. I wouldn’t put my information out there using a selfie myself.”
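The two design points raised above, the random liveness prompt (blink, smile, and so on) and the risk that a stored or intercepted selfie is replayed, are easier to see in code. The following is an added illustration, not code from any of the companies or products the article mentions. It assumes a vision model elsewhere has already turned the capture into an action sequence and a numeric face embedding; the server side shown here stores only an enrolled template (never the photo), ties every verification to a freshly generated single-use challenge, and rejects an exact replay of a previously accepted response. The embedding vectors, user name and threshold are constructed for the example.

```python
import math
import secrets
import time

# Liveness actions the server can demand. Detecting them in video frames and
# computing the face embedding is the job of a vision model that is not part
# of this example; the client reports what its capture produced.
LIVENESS_ACTIONS = ("blink", "smile", "turn_left", "turn_right")
CHALLENGE_LENGTH = 3


class ManualClock:
    """Injectable clock so challenge expiry can be exercised without sleeping."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def cosine_similarity(a, b):
    """Similarity in [-1, 1] between two equal-length embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


class SelfieAuthServer:
    """Challenge-response selfie login with single-use, expiring challenges."""

    def __init__(self, match_threshold=0.9, ttl_seconds=30, clock=time.time):
        self._threshold = match_threshold
        self._ttl = ttl_seconds
        self._clock = clock
        self._rng = secrets.SystemRandom()
        self._templates = {}  # user -> enrolled embedding (no image kept)
        self._pending = {}    # challenge_id -> (user, actions, expires_at)

    def enroll(self, user, embedding):
        self._templates[user] = list(embedding)

    def issue_challenge(self, user):
        """Return a fresh (challenge_id, actions) pair the client must perform."""
        if user not in self._templates:
            raise KeyError(f"no template enrolled for {user!r}")
        challenge_id = secrets.token_hex(16)
        actions = tuple(self._rng.choice(LIVENESS_ACTIONS)
                        for _ in range(CHALLENGE_LENGTH))
        self._pending[challenge_id] = (user, actions, self._clock() + self._ttl)
        return challenge_id, actions

    def verify(self, user, challenge_id, observed_actions, embedding):
        """Return (accepted, reason). The challenge is consumed on every path."""
        pending = self._pending.pop(challenge_id, None)
        if pending is None:
            return False, "unknown or already used challenge"
        bound_user, actions, expires_at = pending
        if bound_user != user:
            return False, "challenge was issued to a different user"
        if self._clock() > expires_at:
            return False, "challenge expired"
        if tuple(observed_actions) != actions:
            return False, "liveness actions do not match the challenge"
        score = cosine_similarity(self._templates[user], embedding)
        if score < self._threshold:
            return False, f"face score {score:.3f} below threshold"
        return True, "ok"


# Constructed sample embeddings (not real face-model output): Alice's enrolled
# template, a fresh capture of Alice, and a capture of someone else.
ALICE_TEMPLATE = [0.9, 0.1, 0.3, 0.7]
ALICE_LIVE = [0.88, 0.12, 0.31, 0.69]
MALLORY_LIVE = [0.1, 0.9, 0.7, 0.2]


def demo():
    """Walk through a genuine login, a replay, an impostor and an expired challenge."""
    clock = ManualClock()
    server = SelfieAuthServer(clock=clock)
    server.enroll("alice", ALICE_TEMPLATE)
    results = {}

    cid, actions = server.issue_challenge("alice")
    results["genuine"] = server.verify("alice", cid, actions, ALICE_LIVE)
    # An attacker who captured the whole response replays it verbatim.
    results["replay"] = server.verify("alice", cid, actions, ALICE_LIVE)
    # An impostor performs the right actions but has the wrong face.
    cid, actions = server.issue_challenge("alice")
    results["impostor"] = server.verify("alice", cid, actions, MALLORY_LIVE)
    # The genuine user answers after the challenge has expired.
    cid, actions = server.issue_challenge("alice")
    clock.now += 31
    results["expired"] = server.verify("alice", cid, actions, ALICE_LIVE)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} ({reason})")
```

The replay case is the one that matters for the storage concern: because the challenge is popped on first use, a second submission of the identical capture fails even though the face and actions are still correct, and a recording made for one challenge will not match the next random action sequence. What this does not defend against is a live attacker standing in front of the camera with a convincing mask, which is why the article's sources still want a second factor alongside the selfie.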
Keeping track of dozens of complicated passwords can be a real pain. But a stolen password can be changed. A stolen selfie or biometric data in general cannot be altered.
If your facial recognition or selfie – if that’s compromised, if your fingerprint is compromised, you can’t really change it. It’s stolen forever.
- Protect accounts with multi-factor authentication: a text message to a smartphone or a swipe of a finger in addition to a password
- Don’t have multi-factor authentication? Change and strengthen passwords
- Update all software and apps. Keep all devices clean
- Monitor activity on financial and credit cards accounts. Implement a fraud alert if need be
- Watch out for fake emails. Delete suspicious emails or posts
Michael Kaiser, Executive Director, the National Cyber Security Alliance
“The implications are a lot worse than using a traditional password, be it long and strong of course,” said Schober. “… Security is often achieved when you have layers of security. And having biometrics as an added layer I think is very valuable. But to replace the password, the jury is still out, in my opinion.”
Not easy to fake a selfie
So how do you fool a selfie? Schober decided to take the scenario to the extreme.
“Could somebody … make a Hollywood mask that looks exactly the same as a person with the ability to make the eyes blink?” he asked. “Sure they could – or make a smile or … one picture beforehand and then another picture of the eyes blinking and somehow manipulate it. Could they? Yeah, probably.”
Hackers are lazy, said Schober, and typically take the path of least resistance to avoid being caught. Defeating a selfie that is backed by additional layers of security means they have to work a lot harder to get the information they are after.
“It’s going to take somebody a number of hours to create a true image that would be able to fool something like that with the software and the algorithms because they’re pretty advanced,” said Schober. “So you’d need to look very carefully at somebody’s selfie if you could get a picture of them … then you can probably replicate it quickly.”
Stronger authentication methods, such as adding a second step – a text message or a swipe of the finger in conjunction with a password – make it harder for bad guys to gain access to online accounts, said Michael Kaiser, Executive Director of the National Cyber Security Alliance, in an email.
“Multi-factor authentication can provide an additional layer of protection and make it significantly harder for email, financial services, and social networks accounts to be accessed by others,” he said.
“Two-factor authentication is very, very effective,” added Schober. “This would be a great second step. Maybe it’s your actual password, maybe it’s your biometric fingerprint, maybe it’s your iris. … Combinations of things work really well. And we’d still have a level of convenience.”
“Just don’t upload ‘blink’ selfies to Facebook from now on,” added Baumgartner.