Meet the grin reaper: Password manager now snaps login SELFIES

We've heard of service with a smile but this is ridiculous


Forget master passwords, literally. Password manager LogmeOnce has come up with a new-ish way to log into websites – selfies.

The cloud-based biz told El Reg today it has added a new PhotoLogin option which takes a photo of you and uses it to unlock the services you're trying to access.

It works by getting you to take a picture of yourself on one machine – a laptop, for example – and then sends that snap to an already set-up trusted device, such as your mobile phone.

If you confirm on that second device that the pic that appears is the same one that you just took, LogmeOnce authenticates your access to your online password vault, and from there you can log into other websites.

Therefore, if your phone flashes up a photo that you didn't just take, you know that someone else is trying to access your vault and you can stop them. The pictures self-destruct after one minute.
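The confirm-on-a-trusted-device flow described above can be modelled as follows. This is an added illustration, not LogmeOnce's code: the class and method names, the digest echoed back by the device, and the explicit `now` clock argument are all assumptions.

```python
import hashlib
import hmac
import secrets

PHOTO_TTL_SECONDS = 60  # article: pictures self-destruct after one minute


class PhotoLoginBroker:
    """Hypothetical server-side broker; class and method names are assumptions."""

    def __init__(self):
        self._pending = {}  # challenge_id -> (photo_bytes, expires_at)

    def start_login(self, photo, now):
        # Login machine uploads a fresh selfie; the id is pushed to the trusted device.
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (photo, now + PHOTO_TTL_SECONDS)
        return challenge_id

    def photo_for_device(self, challenge_id, now):
        # Trusted device fetches the photo to display; expired photos are deleted.
        entry = self._pending.get(challenge_id)
        if entry is None or now >= entry[1]:
            self._pending.pop(challenge_id, None)
            return None
        return entry[0]

    def device_decision(self, challenge_id, approved, seen_digest, now):
        # The challenge is consumed whatever the answer, so it cannot be replayed.
        entry = self._pending.pop(challenge_id, None)
        if entry is None or now >= entry[1] or not approved:
            return False
        # Bind the approval to the photo the device actually displayed.
        return hmac.compare_digest(hashlib.sha256(entry[0]).digest(), seen_digest)


def demo():
    sha = lambda p: hashlib.sha256(p).digest()
    mine, other = b"constructed-selfie-user", b"constructed-selfie-other"
    broker, out = PhotoLoginBroker(), {}
    c = broker.start_login(mine, now=0)
    shown = broker.photo_for_device(c, now=5)
    out["approved"] = broker.device_decision(c, shown == mine, sha(shown), now=6)
    out["replayed"] = broker.device_decision(c, True, sha(shown), now=7)
    c = broker.start_login(other, now=100)  # someone else starts a login
    shown = broker.photo_for_device(c, now=101)
    out["foreign_photo"] = broker.device_decision(c, shown == mine, sha(shown), now=102)
    c = broker.start_login(mine, now=200)
    out["expired"] = broker.device_decision(c, True, sha(mine), now=260)
    return out
```

Only the first case in `demo()` is granted access; a replayed approval, a photo the owner does not recognise, and a confirmation arriving after the one-minute window are all refused.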

The big advantage to this system is that it yanks out the need to remember a complex master password and replaces it with a one-time login requiring a trusted device. Within their vaults, people can follow best practices for passwords: such as coming up with randomized passwords using upper and lowercase, numbers and punctuation, and using a different password for each website.

That side of things, the use of non-password authentication, is far from new – there is a wide range of password managers on the market and security experts are increasingly advising people to use them – but the real-time use of photos is novel and potentially more secure.

There are some password-managing products that use facial recognition to confirm the identity of a user, but LogmeOnce argues they are not accurate enough, producing a high rate of false positives and negatives, ie: letting others into your account, or refusing you access.

Before you get too excited however, there are two potential caveats with the system.

For one, unless you decide to remove the master password, it will still be there even with the PhotoLogin feature; if enabled, that master password will still grant access to your account, it's just that you may choose to no longer type it in.

That means that if you choose a poor master password, you are opening yourself up to being hacked regardless of whether or not you use the photo-based auth.

And second, LogmeOnce is cloud-based, running on Amazon's servers. Therefore, if you choose to, your passwords are stored on someone else's computers rather than on your own device. To hackers, LogmeOnce will look like one big pot of honey to crack open, allowing them to devour everyone's credentials.

LogmeOnce told El Reg you can, alternatively, choose to store your passwords on your local device or on a USB stick rather than send them to the cloud. That would however limit your ability to sync passwords across devices. It also claims that passwords are encrypted on your local device before being sent to the cloud.

As ever, it's a balance. Since people are persistently better at snapping selfies and having a phone to hand than remembering complex passwords, the photo login could be just the feature that causes a lot of folks to start using a password manager rather than the same two or three weak passwords for everything. That can only be a good thing. ®

