Facebook rejects biometrics to embrace QR codes
Facebook engineer Gregg Stefancik has stated that he would like his company to eventually move away from using passwords, but vehemently opposes the use of biometrics.
At a recent media appearance in Australia, Facebook’s top security architect said that he would ultimately prefer the use of hardware tokens to log users into Facebook. In the interim, the popular social network is encouraging its one billion users to opt for two-factor authentication to sign-in.
Stefancik told ComputerWorld: “If we were in a world where every user had reliable two-factor authentication, then we could maybe get to a point where we are not worrying about passwords. My vision for security in Facebook over the next few years is that I’d like us to move away from the dependency on passwords altogether.”
He however does not view biometrics as the appropriate authentication alternative. In fact, Stefancik revealed to The Australian that he emphatically “hates” biometrics: “The reason I hate it is because I can’t change them. One of the things you look for in credentials is that they’re revocable.”
Stefancik told the Australian press that he believes there is a tremendous amount of research that demonstrates biometrics can be easily “spoofed” or faked. He states that examples abound on the Internet on how to make false fingerprints or forge iris images. As a consequence, Stefancik is leading Facebook’s efforts to develop both hardware tokens and software-based authentication for the social network. Solutions being examined include software code generation, including quick response (QR) codes.
Code generation is an additional security feature that requests users to enter a unique security code each time they log into their Facebook account from a new PC or device. QR codes are visual manifestations of such authentication codes. Stefancik’s current two-factor authentication solution is therefore a fancy name for a “two-step” solution. And while QR codes can continually be regenerated, they can also be easily replicated, with only the aid of a scanner or a photocopier. QR codes are also reminiscent of bulky old-tech, which is generated on outdated desktop devices.
Biometrics, of course, makes it possible to depend on a one step solution that is absolutely unique to an individual, and which is more convenient when using a mobile device. Biometrics are defined as measurable physical and behavioral characteristics that enable the establishment and verification of an individual’s identity. And biometric patterns not only include iris scans and fingerprints, but also more difficult modalities to “spoof” including facial recognition or even voice recognition.
Biometrics as well can be leveraged within a two-factor authentication solution, ensuring that alphanumeric passwords or generated codes enter the authentication mix. A combination of voice recognition based on a phrase, along with a generated code is an extremely strong authentication solution. Phrase-based voice recognition, of course, could be revoked and re-issued at anytime, utilizing another unique phrase. And other biometric modalities conceivably can be tweaked by way of nuanced adjustments to algorithm, code or even visual representation in order to make them constantly unique and revocable. As an example, facial recognition on a mobile device might be made more complex by providing a unique expression during the image capture authentication sequence. Providing an image of a blinking eye or frowning face could conceivably be used rather than just posing for a generic headshot image in order to affirm identity. Because facial expressions can exhibit myriad variations, such a biometric modality is flexible enough to provide a range of revocable authentication options. This reality should be considered before biometrics are dismissed out-of-hand as viable identification options.
The other reality that should be considered is that venerable tech firms have gone on record to call biometrics the authentication method of the future. Previously, BiometricUpdate.com reported that IBM predicts that biometrics will eventually be integrated with a wider number of commonplace technologies available in today’s consumer electronics to enhance security.
David Nahamoo, IBM’s chief technology officer, has previously stated that he expects biometrics would replace passwords by 2015. He said: “We can take advantage of the advanced technology being used in the smart devices, such as microphones, touch screens and high definition cameras to fully employ biometric security options. While there is already some adoption of facial and voice recognition, combining these and other biometric data points in the near future can eliminate the hassle of memorizing, storing and securing account IDs and passwords and at the same time give users a greater security confidence.”
Most other tech firms agree with this sentiment and we can only expect more not less adoption of biometrics as a mainstream authentication solution.