4 replies to this topic

[nachonachos]

So I am thinking if it's a good business idea to develop and shop to banks/casinos/governments a software system that:

* Authenticates users based on voice/face biometrics.
* The face recognition will be used as an additional layer of security - people will still
use usual password/username + challenge question.

The idea is the bio recognition to substitute traditional 'hardcore' measures that have
some known flaws (token can be lost/damaged/sniffed), TAC can be captured/"shouldersurffed".

In addition I will develop other features, such as;
* Virtual keyboard (most US banks do not use virtual keyboard, let alone forex, casino
websites)
* Challenge question that it's harder to guess (not like mother maiden name or your college,
but rather - favourite hobby, city you spend your honeymoon in, etc.).
* Sophisticated alerts - when a user logs in from a new ip or when the ssl uses weak
encryption or when user changes contact information - the admin + user will receive
email/sms.
* Password + username will be stored in sha512 + salt to greatly decrease decryption.
*.net used against BF, tested vs xss, stored procedure against sql inj., etc. etc.

So anyway - do you think anyone will be interested?? Or rich webowners will simply decide to
pay some skilled indian guy $500 to develop such system whenever they need it? ALso what
price if any will be OK - $500, $5000?

10x for readin!

[WingedPanther]

I think the software is already developed and being sold to those who want it. Do you have any idea how long it would take to create a reliable system?

[bbqroast]

Yeah,
This stuff came with my lappy.
But it is a piece of crap, literally takes up to 5 minutes to get it to recognse you!

[nachonachos]

WingedPanther said:

I think the software is already developed and being sold to those who want it. Do you have any idea how long it would take to create a reliable system?

10x for the reply...
I am not sure if your question if rhetoric or just...driven by curiosity but anyway: development time isn't my greatest concern as long as it justifies the profit and yes, I am sure it will be way shorter than developing a video game or an operating system. That is, 3 months or less/testing included/.
Not to mention that it's asp.net after all...you have many thinks in .net included + COM, intellisense in visual studio, linq recently, help in forums, MSDN. In fact the only thing that can slow down is the very face recognition - anything else can be accomplished easily by any net developer with 2+ years experience. In fact, even msdn features an article on how to create a secure login (with encryption of passwords, stored procedure for sqlsrv, etc.). And...if there is a way to include a 3rd party facial recognition system in .net without violating the GPL license...even better.
So about the business problems:
I don't think most banks actually "buy a system" - i mean they employ developers and then tell them what to create. I suspect governments are even worse and will demand several meetings face to face + due diligence of any company aspect or even your family??
Also, many people won't believe you that face recognition is trustworthy IMO even if you can make it perfect. And finally, if you think about it more - face recognition can also be sniffed...in theory. So...if I decide to simply design a slightly better system - with say better security questions and alerts via fax - no one will be interested as this lacks this one "killer feature" that stands out and make people buy the product...because people are irrational to some degree and are driven by biases.

[WingedPanther]

The image processing for the facial recognition is likely to be the hard part. You have two issues you need to deal with: false positives (authenticating someone who is different) and false negatives (issues getting a correct person authenticated). When using ASP.NET, you add the additional complication of validating the image stream as being from a web camera and not a video of the person who should be authenticated.

Now, if that isn't enough issues to address, there is also a concern of which is more of a concern. False positives in a a high security environment are more of an issue, but a low security, high-volume environment may consider false negatives more of a concern. Simply put, I think the facial recognition is the hardest part, and may be much harder than you think.