Facebook rejects biometrics to embrace QR codes

 

Facebook engineer Gregg Stefancik has stated that he would like his company to eventually move away from using passwords, but vehemently opposes the use of biometrics.

At a recent media appearance in Australia, Facebook’s top security architect said that he would ultimately prefer the use of hardware tokens to log users into Facebook. In the interim, the popular social network is encouraging its one billion users to opt for two-factor authentication to sign in.

Stefancik told ComputerWorld: “If we were in a world where every user had reliable two-factor authentication, then we could maybe get to a point where we are not worrying about passwords. My vision for security in Facebook over the next few years is that I’d like us to move away from the dependency on passwords altogether.”

He does not, however, view biometrics as the appropriate authentication alternative. In fact, Stefancik revealed to The Australian that he emphatically “hates” biometrics: “The reason I hate it is because I can’t change them. One of the things you look for in credentials is that they’re revocable.”

Stefancik told the Australian press that he believes there is a tremendous amount of research that demonstrates biometrics can be easily “spoofed” or faked. He states that examples abound on the Internet of how to make false fingerprints or forge iris images. As a consequence, Stefancik is leading Facebook’s efforts to develop both hardware tokens and software-based authentication for the social network. Solutions being examined include software code generation, including quick response (QR) codes.

Code generation is an additional security feature that requests users to enter a unique security code each time they log into their Facebook account from a new PC or device. QR codes are visual manifestations of such authentication codes. Stefancik’s current two-factor authentication solution is therefore a fancy name for a “two-step” solution. And while QR codes can continually be regenerated, they can also be easily replicated, with only the aid of a scanner or a photocopier. QR codes are also reminiscent of bulky old-tech, which is generated on outdated desktop devices.

Biometrics, of course, make it possible to depend on a one-step solution that is absolutely unique to an individual, and which is more convenient when using a mobile device. Biometrics are defined as measurable physical and behavioral characteristics that enable the establishment and verification of an individual’s identity. And biometric patterns not only include iris scans and fingerprints, but also more difficult modalities to “spoof” including facial recognition or even voice recognition.

Biometrics can also be leveraged within a two-factor authentication solution, ensuring that alphanumeric passwords or generated codes enter the authentication mix. A combination of voice recognition based on a phrase, along with a generated code, is an extremely strong authentication solution. Phrase-based voice recognition, of course, could be revoked and re-issued at any time, utilizing another unique phrase. And other biometric modalities conceivably can be tweaked by way of nuanced adjustments to algorithm, code or even visual representation in order to make them constantly unique and revocable. As an example, facial recognition on a mobile device might be made more complex by providing a unique expression during the image capture authentication sequence. Providing an image of a blinking eye or frowning face could conceivably be used rather than just posing for a generic headshot image in order to affirm identity. Because facial expressions can exhibit myriad variations, such a biometric modality is flexible enough to provide a range of revocable authentication options. This reality should be considered before biometrics are dismissed out-of-hand as viable identification options.

The other reality that should be considered is that venerable tech firms have gone on record to call biometrics the authentication method of the future. Previously, BiometricUpdate.com reported that IBM predicts that biometrics will eventually be integrated with a wider number of commonplace technologies available in today’s consumer electronics to enhance security.

David Nahamoo, IBM’s chief technology officer, has previously stated that he expects biometrics would replace passwords by 2015. He said: “We can take advantage of the advanced technology being used in the smart devices, such as microphones, touch screens and high definition cameras to fully employ biometric security options. While there is already some adoption of facial and voice recognition, combining these and other biometric data points in the near future can eliminate the hassle of memorizing, storing and securing account IDs and passwords and at the same time give users a greater security confidence.”

Most other tech firms agree with this sentiment, and we can only expect more, not less, adoption of biometrics as a mainstream authentication solution.
