In a recent interview [1], Cybersecurity Czar Michael Daniel was asked what he thinks would replace "the password". His answer was biometrics, with a specific example of selfies. WAIT WHAT?
Let's get this straight. The President's advisor on all matters related to cybersecurity thinks that it's a good idea for users to authenticate to social media accounts, where they will inevitably post selfies for public consumption, by offering a selfie. Yeah, that's obviously going to be an improvement over passwords.
In Michael Daniel's world, this is all you need to hack his Facebook account.
In case it's not immediately obvious, here is a brief list of all the things wrong with his idea:
- Most users post their selfies all over their social media profiles. They're ripe for the taking.
- Your face is publicly accessible. Unless you live under a rock, the cost to steal a photo of someone's face is practically $0.00.
- Biometrics are permanent. Unless you have thousands of dollars to drop on plastic surgery, as soon as your selfies get leaked once, you're compromised for life.
- Applications that allow selfie-based authentication have to ship image capture and recognition code on top of everything else, thus exposing a much larger attack surface and increasing the odds of implementation errors.
- The performance drain of performing photo processing every time a user attempts to authenticate will expose more opportunities for denial of service attacks.
- Image recognition isn't perfect; a matcher that accepts a 99% match on the expected visual input will be cheaper for attackers to brute force than a password hashed with bcrypt at a cost factor of 10, which accepts nothing short of an exact match.
- Other side-channels (timing attacks, etc) will inevitably be discovered that make it easier to bypass such an authentication mechanism.
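To make the "99% match" point concrete, here is an added example that is not part of the original post: a toy matcher over fixed-length bit-string templates that accepts any candidate within a Hamming-distance tolerance, plus a count of how many distinct inputs such a matcher lets in. The bit-string model and the template values are assumptions chosen so the arithmetic is exact; real face-recognition pipelines compare floating-point feature vectors, but the effect of a tolerance on the accepted set is the same in kind.

```python
from math import comb, floor, log2


def tolerance_bits(n_bits: int, threshold: float) -> int:
    """How many bits may differ while still counting as a `threshold` match.

    The small epsilon guards against floating-point results such as
    100 * (1 - 0.90) == 9.999999999999998, which floor() would truncate to 9.
    """
    return floor(n_bits * (1.0 - threshold) + 1e-9)


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two same-length templates held as ints."""
    return bin(a ^ b).count("1")


def fuzzy_match(template: int, candidate: int, n_bits: int, threshold: float) -> bool:
    """Biometric-style check: accept if at least `threshold` of the bits agree."""
    return hamming(template, candidate) <= tolerance_bits(n_bits, threshold)


def exact_match(template: int, candidate: int) -> bool:
    """Password-style check: only the one exact value is accepted."""
    return template == candidate


def accepted_inputs(n_bits: int, threshold: float) -> int:
    """Count every distinct candidate the fuzzy matcher accepts for one template.

    Any input within t bit-flips of the template is accepted, so the accepted
    set is the Hamming ball of radius t: sum of C(n, k) for k = 0..t.
    """
    t = tolerance_bits(n_bits, threshold)
    return sum(comb(n_bits, k) for k in range(t + 1))


def effective_bits(n_bits: int, threshold: float) -> float:
    """Security margin left after the tolerance: log2(search space / accepted set)."""
    return n_bits - log2(accepted_inputs(n_bits, threshold))


if __name__ == "__main__":
    # Constructed 8-bit template (an assumption for illustration, not real data).
    template = 0b10110011
    near_miss = template ^ 0b00000001  # one bit off, e.g. a slightly different photo
    far_off = template ^ 0b11111111    # every bit off

    print("fuzzy 75%:", fuzzy_match(template, near_miss, 8, 0.75),
          fuzzy_match(template, far_off, 8, 0.75))
    print("exact:    ", exact_match(template, near_miss), exact_match(template, far_off))

    # Exact matching accepts exactly one input; a tolerance accepts a whole ball.
    for n, thr in [(100, 1.00), (100, 0.99), (100, 0.95), (100, 0.90)]:
        print(f"n={n} threshold={thr:.2f} accepted={accepted_inputs(n, thr)} "
              f"effective_bits={effective_bits(n, thr):.1f}")
```

Run it and the table shows what a tolerance does: at 100 bits an exact match leaves the full 100 bits of work, a 99% match already accepts 101 distinct inputs, and a 90% match accepts on the order of 10^13, shaving roughly 44 bits off the attacker's search. This only covers the matcher's own slack; it ignores that the attacker usually does not need to search at all, because the face is public.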
Why does this matter? If the only damning evidence was a blog post on Infosec Buzz [2] trolling an obviously flawed idea from some unimportant staff member, I might have just laughed and moved on. This matters for one very simple reason.
Holding the title of "White House Cybersecurity Coordinator" means your shitty ideas are fed right to the President to make even shittier decisions.
Further, Michael Daniel has a history [3, 4] of flaunting his lack of technical expertise. I concede that succeeding as a Presidential advisor on cybersecurity matters is possible without being an expert in IT, but only if you're not an incompetent moron regurgitating whatever fancy, costly diarrhea that security vendors happen to launch in your direction. And thus far, I have yet to hear a positive opinion about biometrics from any industry experts, anywhere.
Thus, as an information security hobbyist, it is my expert opinion that Michael Daniel is at best naive and at worst a charlatan.
References and Further Reading
- [1] Michael Daniel's Full Christian Science Monitor Interview
- [2] But First, Let Me Take A Selfie
- [3] For White House Cyber Czar, Being Called a 'Total n00b' Just Comes with the Territory
- [4] Does the White House's cybersecurity czar need to be a coder? He says no.
- Can Michael Daniel make a difference?
- Michael Daniel's White House Profile
- Michael Daniel's Path to the White House