- http://www.informationsecuritybuzz.com/first-let-take-selfie/comment-page-1/#comment-5053
- Oh Michael Daniel, how stupid are thee? How may I count the ways.
- This is a bad idea for several reasons:
- 1. Users post their selfies all over their social media profiles. Replay attacks become a reality.
- 2. Biometrics are permanent. Unless you have thousands of dollars to drop on plastic surgery, as soon as your selfies get leaked once, you’re compromised for life.
- 3. Authentication complexity. Properly processing a user’s credentials (password_verify() in PHP) on a website that uses HTTPS exclusively isn’t hard; integrating with a solution like OAuth2 (or SQRL, when it’s finished) is also near-trivial. This increases the attack surface and opens the door for more effective DoS attacks.
- 4. Image recognition isn’t perfect; it would be easier to spoof a 95% precise image verification than it would be to find a hash collision. Further, timing attacks would be helpful for attackers on something as large and complex as an image processing library.
- Just.
- Fucking.
- NO!