As the world moves away from those pesky traditional passcodes that pretty much every tech expert and IT guy will tell you don't even keep you safe, Google has filed a patent for a next-generation password replacement: sticking your tongue out at your phone, which security experts tell The Atlantic Wire might just do the trick. Forget Mission: Impossible-style retina scans or basic facial recognition (which could be replicated with a single photo, obviously), Google's biometrics filing suggests we use "at least one of a blink gesture, a wink gesture, an ocular movement, a smile gesture, a frown gesture, a tongue protrusion gesture, an open mouth gesture, an eyebrow movement, a forehead wrinkle gesture, and a nose wrinkle gesture." The idea here is that a hacker can fool a computer with a static image. But moving our faces in a very particular way is a unique marker that not even an impostor can fool. At least that's the theory.
Google already has tried something like this with its "liveness check," which asks Android phone users to wink at the camera to prove their identity. That security strategy, it turns out, is incredibly easy to bypass with some very simple photoshopping skills. "Android has experimented with facial recognition, but people found that you could easily defeat it by holding up a photograph," Andrew Jaquith, CTO at the cloud security firm SilverSky, told the Wire in a phone interview. "There are always ways to fake this. The question is whether they have been smart enough to do that."
To be fair, Google's new patent acknowledges the Photoshop issue, suggesting that it could soon ask for a combination of specific gestures, or "second sub-image," for logging in — kind of like a moving passcode. Instead of entering a sequence of specific numbers and letters, a user would have to gesture for a specific password. Something like: wink, wink, tongue, eyebrow raise. That, however, defeats the purpose of the system, doesn't it? Besides lackluster security, another problem with the funny-face login system is that it requires remembering 25 different passwords for all the different websites we visit. The password-less future wasn't supposed to be like that. Having to remember specific facial recognition cues just takes all the number/letter combos in our brains and translates them to harder-to-recall sequences of funny faces. That doesn't sound any more fun. Even if it looks funny.
But it wouldn't exactly work like that, as Kevin O'Brien, an enterprise solution architect at CloudLock, another cloud-based security company, explained in an interview with the Wire: "You can do fairly sophisticated imaging at this point, where you can take gestures and combine it with other pieces of information." Essentially, you would give a phone or system your password, and then it might ask you to perform certain tasks in a given amount of time to prove that you're a real human being — and not just a carbon copy of your likeness. The Google patent also suggests incorporating a laser beam that would use a "glint detection module" to double-check that a human and not a photo is staring at the camera.
At that point, why don't we just have full-on iris recognition? Well, it turns out, an iris is less secure than a gesture. "Irises are relatively static things — they only have a limited range of change, and change is a fundamental part of doing any kind of biometrics," O'Brien added. The point of the Google system — or any next-gen ID — isn't just facial recognition; the point is that a computer can tell that we are who we are... and that we're a real live human being version of ourselves. That's the future of passwords: computers knowing we're real.
This article is from the archive of our partner The Wire.