voodooKobra

Michael Daniel is fucking stupid

Oct 16th, 2014
http://www.informationsecuritybuzz.com/first-let-take-selfie/comment-page-1/#comment-5053

Oh Michael Daniel, how stupid are thee? How may I count the ways.

This is a bad idea for several reasons:

1. Users post their selfies all over their social media profiles. Replay attacks become a reality.

2. Biometrics are permanent. Unless you have thousands of dollars to drop on plastic surgery, as soon as your selfies get leaked once, you’re compromised for life.

3. Authentication complexity. Properly processing a user’s credentials (password_verify() in PHP) on a website that uses HTTPS exclusively isn’t hard; integrating with a solution like OAuth2 (or SQRL, when it’s finished) is also near-trivial. This increases the attack surface and opens the door for more effective DoS attacks.

4. Image recognition isn’t perfect; it would be easier to spoof a 95% precise image verification than it would be to find a hash collision. Further, timing attacks would be helpful for attackers on something as large and complex as an image processing library.

Just.
Fucking.
NO!