Skip to content
Naked Security Naked Security

Amazon wants you to pay by face

THAT'LL get us to stop hunching over our phones to hide our passwords, by gum. Instead, we'll just have to contort our faces.

How many times have you cringed in shame because you had to turn away from friends or co-workers to keep them from spying as you enter your password?

What? Never?

No! Wrong answer.

Amazon already knows how we hide in a closet to keep our authentication private, particularly with mobile devices, their itsy bitsy screens or keyboards, and our fat fingers.

There’s got to be a better way, Amazon says.

So it’s filed a patent for payment-via-facial-contortion, also known as selfies. [Shouldn’t that be ‘gurning’?Ed.]

From the patent application it filed in October and published last Thursday:

“While many conventional approaches rely on password entry for user authentication, these passwords can be stolen or discovered by other persons who can impersonate the user for any of a variety of tasks.

“Further, [they] can require the user to turn away from friends or co-workers when entering a password, which can be awkward or embarrassing in many situations.”

The situation has given rise to risky security on mobile gadgets, Amazon says.

For example, sometimes we store our passwords on devices, leaving our phones and tablets easily hijacked by anybody who picks them up.

To avoid that, some users use stupid-short passwords that are easier for our bovine hooves to stab in.

Those are equally ungood, Amazon says: “[Short and simple] passwords can be easily hacked by an unscrupulous user or application.”

So the company has filed a patent to allow shoppers to confirm purchases by taking a selfie, be it by photo or video.

The technology would enable users to authenticate payments using a photo or video without necessarily requiring passwords, the patent says:

The user is identified using image information which is processed utilizing facial recognition. The device verifies that the image information corresponds to a living human using one or more human-verification processes. The device prompts the user to perform an action to confirm the transaction, and causes the transaction to be performed after verifying performance of the action by the identified user.

Verifying human-ness is a definite must, given that facial recognition alone won’t cut it. It’s too easy to spoof by holding up a 2D picture to a camera.

Google’s been there.

In June 2013, it too filed a patent for a way to let users unlock their phones by making funny faces: the patent covered a way to match up “facial landmarks” between two facial images, as well as performing a “predetermined facial gesture” to get there, like sticking out your tongue or wiggling your eyebrows.

It was just one of a running series of Google’s attempts to remedy the Face Unlock feature introduced in the Ice Cream Sandwich version of Android: a feature that was tricked by holding up a photo to the phone.

Google responded by introducing a technique called “Liveness Check” that required users to blink to prove they were alive and not just a photo.

Nice try. Researchers using the most basic of photo editing tools managed to fool Liveness Check with just a few minutes of editing, animating photos to make them look like subjects were fluttering their eyelashes.

Google hoped that the funny-face technology it patented three years ago would be harder to crack, since it could ask for any of a number of gestures, forcing an intruder to do quite a lot of grimacing or photo-editing in order to illicitly use another’s Android phone.

Judging by its patent, it looks like Amazon’s planning to use head-tracking technologies, facial movements, infrared image information, thermal imaging data, or a combination of all these approaches to establish that we’re as alive as we claim to be:

A computing device can capture video information of the user over a period of time to determine whether the user performs an action indicative of a physical person, such as by blinking or making another such motion. In some embodiments, the device can prompt the user to perform certain actions, motions, or gestures, such as to smile, blink, or tilt his or her head.

Analyzing all that video with facial detection gets very resource-intensive.

Amazon’s thinking of cutting through the number crunching with a pattern-matching algorithm that could match the shape of a human head with a fair degree of certainty.

Once it hits on the known contour of a human head, Amazon would have at least one user authentication process in the bag, it says.



Let’s hope that selfie authentication fares better than its woebegone biometric brethren, the fingerprint.

Take Apple’s Touch ID. As of this time last year, RBS and NatWest hooked up their online banking apps so customers could use fingerprints to do their online banking: just two of a growing list of third-party apps using Touch ID for authentication.

You can see the appeal: a finger swipe combines convenience—no more hunching over to obscure your password stabbing!—with the security of a unique identifier: i.e., your fingerprint.

Unfortunately, you can’t change your fingerprint unless you employ pain, acid and/or James Bond techniques, so if it’s compromised, well, ouch.

And compromised it has been.

Not long after Apple unveiled the iPhone 5s and biometric locking with Touch ID, hackers at Chaos Computer Club (CCC) punctured its aura of security by tricking the sensor using a “stolen” fingerprint.

They took a copy of a target’s fingerprint with a high-resolution image, printed out a reverse of the fingerprint using heavy amounts of printer toner to create a mold, and then made a  replica fingerprint with wood glue.

It wasn’t Apple’s bad: another group of researchers used the same method to hack the fingerprint sensor on the Samsung Galaxy S5.

Last week, yet another pair of researchers ditched the muss and fuss, using a regular 2D inkjet printer to make a usable copy of a fingerprint with silver conductive ink cartridges and AgIC paper.

No mold needed, no glue to dry – just scan the fingerprint, print it out on the special paper, and swipe.

Don’t count fingerprints out altogether as a biometric authenticator, though: at the Consumer Electronics Show in Las Vegas a few months ago, a phone from Letv came out with a liveness detection capability designed to detect an actual finger is being used, not just a wax dummy or high-quality scan.

When it comes to biometric authentication, it’s all about liveness nowadays.

Are you ready to use selfies to log onto Amazon and order everything you need to maintain liveness—dehydrated cheddar cheese, toilet paper, plastic wrap—without actually having to leave the house?

Let us know your thoughts below.

Image of Facial recognition software courtesy of Shutterstock.com

8 Comments

But is it robust against a legitimate user getting punched in the face?

I suppose if that’s the facial contortion you choose, you have to find someone to bop you one every time you want to log in.

I think Paul’s reply missed the point. What happens if one’s face is disfigured AFTER Identification has been accepted and saved?

I was more thinking that a swollen jaw could make certain facial contortions more difficult.

Although come to that, what if your facial contortion is a smile and you need to buy something because your dog just died?

So, fingerprints can be kinda hacked. How long before we hear the similar thing about Face Recognition? Amazon says they can identify the face with “fair degree of certainty” There you go! HACKED! In near future.

i would rather take the weeks to memorise a good 21 digit password than have my account hijacked so err sorry amazon i think you boarded titanic on this one

I don’t have a mobile phone account and my old Apple 1 has a camera at the back and my laptop computer doesn’t have a camera and I spend a goodly amount buying movies and other things on Amazon. I guess Amazon won’t care if people like me transfer our business to the local WalMart store.

Facial recognition for Amazon. No, thanks, I’ll stick with the old way and continue to poke in my password with my fat fingers.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?