Are you comfortable taking & uploading a picture of yourself on a webpage for authentication?

Taus Noor
13 replies
If you had to take a picture of yourself with your webcam/front facing camera when trying to log into a service to authenticate yourself (i.e. face ID using a webcam), would you be comfortable with that? Assuming the service stores a fingerprint of your face (not the image itself) which it CAN'T use to actually generate the original picture again and has policies in place to never share any of that data with anyone (or monetize it in any way). Would love to hear your thoughts!

Replies

Tarek Dajani
Usually I won't be comfortable, although, sometimes I do it for better security for my profile if I am using a product that I really like / need.
V Keerthi Vikram
Considering the fact the service can't regenerate the image and this will make the sign-in more secure, yes, I would be comfortable.
HiramFromTheChi
Nope. Data privacy and security are never absolute, so storing that fingerprint, even if it can't generate the "original" picture again, still carries a huge risk. Plus, I don't see how someone couldn't leverage the unique face print in order to generate the original picture again (or at least something extremely close to it). People keep pushing this notion of trading convenience for security, but it doesn't always work out. And it often isn't really more "convenient" as it's made out to be. It's more of the *illusion* of convenience, traded for privacy. Bio authentication itself carries a few ethical issues because it's so difficult to safeguard and understand what's going on with that data and information.
Taus Noor
@hiramfromthechi Definitely understand what you mean. Most biometric auth on devices today (e.g. Apple Face ID) stores the biometric data purely on the device and runs comparisons on the device too -- so the biometric info itself never leaves the device (would definitely suggest looking into the FIDO Alliance). As for how a unique face print could be generated that can't be reverse engineered -- it's sort of like hashing (like you can generate the hash of a password -- which you can't generally use to get back the original password string). The same can be done with faces using a neural network trained to differentiate between faces. It generates an embedding vector whose distance from other embedding vectors tells you whether they're of the same person or not -- but can't actually be used to get back the original face/image -- unless you can brute force using generated images, which is even more difficult than brute forcing text strings.
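Added example, not part of the thread or any poster's code: a sketch of the distance-based comparison described in the reply above, next to a password-style digest comparison. The vectors, the 8-dimension size and the 0.30 threshold are constructed for illustration; real face embeddings come from a trained model and are much larger.

```python
import hashlib
import math
import struct

THRESHOLD = 0.30  # assumed acceptance threshold, not taken from any real system

# Constructed sample embeddings (illustrative values only).
ENROLLED = [0.12, -0.45, 0.33, 0.80, -0.10, 0.05, 0.27, -0.60]  # stored at sign-up
SAME = [0.10, -0.47, 0.36, 0.78, -0.08, 0.07, 0.25, -0.62]      # same person, new photo
OTHER = [-0.50, 0.20, 0.65, -0.15, 0.40, -0.30, 0.05, 0.10]     # different person


def cosine_distance(a, b):
    """Return 1 - cos(angle) between two equal-length vectors."""
    if len(a) != len(b):
        raise ValueError("embeddings must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        raise ValueError("zero-length embedding")
    return 1.0 - dot / (norm_a * norm_b)


def verify(enrolled, probe, threshold=THRESHOLD):
    """Accept the probe when it is close enough to the enrolled template."""
    return cosine_distance(enrolled, probe) <= threshold


def digest(vec):
    """SHA-256 over the packed floats, as one would do for exact matching."""
    return hashlib.sha256(struct.pack(f"<{len(vec)}f", *vec)).hexdigest()


if __name__ == "__main__":
    print("same person accepted: ", verify(ENROLLED, SAME))
    print("other person accepted:", verify(ENROLLED, OTHER))
    # Two captures of the same face never produce identical embeddings,
    # so an exact digest comparison fails where the distance check passes.
    print("digests equal:        ", digest(ENROLLED) == digest(SAME))
```

Because matching is threshold-based rather than exact, a plain cryptographic digest of the template cannot be used for matching the way a password hash is, so the stored embedding itself is the asset that needs protecting.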
Mohamed Abdel-Maksoud
I wouldn't be comfortable for two reasons:

> which it CAN'T use to actually generate the original picture again and has policies in place to never share any of that data with anyone (or monetize it in any way)

The intention is definitely good, but how can the user be certain of both claims? Additionally, I'd be very concerned about identity theft. Stealing someone's identity becomes a matter of getting a photo of them. How do you counter this attack?
Oleg Kabanov
The problem is that there are companies creating crawlers to harvest real people's pictures from all over the web, and then access to those huge databases is provided to state authorities - police, investigators, intelligence, etc. Therefore, people are less and less comfortable uploading their real full-face pictures anywhere on the web. I am also very uncomfortable uploading a picture of my face.
Muntasir Rashid
Depending on the service I am using, my preference will change. If it is my bank or university, then sure I will if it brings more convenience. If it is a meditation app or online forum, I wouldn't be comfortable sharing my biometric identification.
Arseniy
Similarly to many comments, picture authentication doesn't do it for me because it tends to be fairly easy to find a myriad of pictures of just about anyone. It's then a matter of using some software to create a fresh picture for the authentication. IMHO it doesn't matter if "it CAN'T use [the fingerprint] to actually generate the original picture again" - you have the fingerprint, that's tantamount to the picture, but with more power. Saying that you only store the fingerprint is like saying you only keep the data necessary to enter one's online bank account, but you don't store the card number.
Andreea Bunica
I wouldn't. And thinking of a world where 99% of the people aren't high-tech accustomed, I think there is a lot of fear and unclarity around data security and giving up personal details, which actually gets people to be a lot more paranoid when asked directly to do so, rather than when our data is subliminally processed. So I think it would be a big question mark for a lot of people.
Melody Soptaka
Depends on the service I'm using. If it's for some admin site (bank, educational, employer), I'd be comfortable. Other than these, it's hard to trust services like these nowadays, to be honest. If they decide to store it locally, like only on my connected devices, I think I'd go for it (as you mentioned in one of your replies). But for most of the people out there, it's still a risky business.
Lorthemar Theiron
Just google yourself and you'll be surprised how many of your photos show up. There's no way I'd be comfortable about it. Hell, if I could, I'd go back in time and never upload a clear photo under my name.
Abraham Samma
Depends on how one asks the user and what guarantees one provides. I'd default to no due to natural skepticism.
Khushi Sharma
Hi Taus, I don't think taking a picture and uploading that for authentication is something I would be very comfortable with. With authentication, I prefer going passwordless because remembering passwords is quite a task for me :)