STE WILLIAMS

Forget master passwords, literally. Password manager LogmeOnce has come up with a new-ish way to log into websites – selfies.

The cloud-based biz told El Reg today it has added a new PhotoLogin option which takes a photo of you and uses it to unlock the services you’re trying to access.

It works by getting you to take a picture of yourself on one machine – a laptop, for example – and then sends that snap to an already set-up trusted device, such as your mobile phone.

If you confirm on that second device that the pic that appears is the same one that you just took, LogmeOnce authenticates your access to your online password vault, and from there you can log into other websites.

Therefore, if your phone flashes up a photo that you didn’t just take, you know that someone else is trying to access your vault and you can stop them. The pictures self-destruct after one minute.

The big advantage to this system is that it yanks out the need to remember a complex master password and replaces it with a one-time login requiring a trusted device. Within their vaults, people can follow best practices for passwords: such as coming up with randomized passwords using upper and lowercase, numbers and punctuation, and using a different password for each website.

That side of things, the use of non-password authentication, is far from new – there is a wide range of password managers on the market and security experts are increasingly advising people to use them – but the real-time use of photos is novel and potentially more secure.

Pros and cons

There are some password-managing products that use facial recognition to confirm the identity of a user, but LogmeOnce argues they are not accurate enough, producing a high rate of false positives and negatives, ie: letting others into your account, or refusing you access.

Before you get too excited however, there are two big caveats with the system.

For one, the PhotoLogin feature will not get rid of the master password; it will still be there and will still grant access to your account, it’s just that you may choose to no longer type it in.

That means that if you choose a poor master password, you are opening yourself up to being hacked regardless of whether or not you use the photo-based auth.

And second, unlike password managers that store passwords securely encrypted on a local machine, LogmeOnce is cloud-based, running on Amazon’s servers. Therefore, all your passwords are stored on someone else’s computers rather than on your own device. To hackers, LogmeOnce will look like one big pot of honey to crack open, allowing them to devour everyone’s credentials.

As ever, it’s a balance. Since people are persistently better at snapping selfies and having a phone to hand than remembering complex passwords, the photo login could be just the feature that causes a lot of folks to start using a password manager rather than the same two or three weak passwords for everything. That can only be a good thing. ®

Sponsored:
Best practices for writing a successful NSF MRI grant proposal

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2016/06/28/password_manager_selfie/