I personally hate the idea of face ID, but this project is exactly the kind of stuff we need if we want (and forgive the meme,) the year of the linux laptop.
- Implements a popular feature other OS's have
- A cute knock off name, making it self-explanatory (this is actually fairly important for adoption!)
- Integrates well with cli junky workflows
> Using the central authentication system (PAM), this works everywhere you would otherwise need your password: Login, lock screen, sudo, su, etc.
- A nearly perfect readme in the repo. 2 sentence summary of the project, concise instructions for building/installation, where the error log lives, etc. without being too long.
There are a lot of repos I've seen with horrible readmes that don't even have a sentence of what the purpose of it is.
Which is reasonable if the repo is just for development, but most of the time a link to the repo is the main download link/project landing page. The added friction leads to less adoption and usage of something otherwise useful.
If you're making a project similar to this, I recommend taking notes :^)
I can kind of get why "Windows Hello" camera-based face id isn't exactly great but do you also think the same of Apple's "actually modeling your face" style? Because I was really apprehensive about it compared to a fingerprint reader but I've pretty much flipped 180.
There is no way to indicate login consent with biometric authentication; when you are asleep, your finger/face can be used without your consent. Really it should be called biometric identification, not authentication.
While biometrics are imperfect (because you can't change or even hide the key), it's not quite as bad as you make out.
On iOS at least, it gains affirmative consent by you double clicking a button on the side. It also refuses to recognise your face if your eyes are closed.
It’s pretty strict and won’t authenticate if I look too tired, so I think you’d have to be pretty careful about how you tape the unconscious victim’s eyes (a conscious victim would just look away from the screen) to fool it.
And if someone has full physical control over you such that they can open your eyes without consent, do you really care if they can unlock your phone? Your life is in their hands at that point anyway.
You have to assume a persistent attacker with physical access will be able to crack the device regardless.
I'm thinking children or spouses, you may be able to trust them not to murder you in your sleep, but accessing your device while you sleep to be able to play some games or read your texts is something they would probably do.
It only works if you're close, alive, your eyes are both open, and looking right at it. I doubt that degree of specific physical attack is in most people's threat model. It's only backing a 4/6 digit pin for most people anyway. Realistically, it's not the weakest link.
As long as you think of face or fingerprint as a username and not as a password, they are kinda fine.
You should be able to change your password, so they are not good. They are also public information.
For now, they work as they are still hard to fake, but that might change over time in the future.
I use fingerprint scanners at home because it's fewer keystrokes.
But not on my phone. Both because my (trusted) friends sometimes need to borrow a phone, and also for the very rare chance police detain me and try to break into my phone without a warrant.
Legally, you don't have to tell a cop your password, but they can physically force you to use your finger/face to unlock your phone.
Windows Hello is more than just a webcam, the IR spectrum is a lot harder to fake (compared to, say, facial recognition in many Android phones). You'll need a picture taken with an IR camera, programmed into fake webcam hardware, to bypass it. Still far from perfect, but not as trivial to bypass as people seem to think.
That said, the traditional fingerprint readers are more secure and just as easy to use. I don't understand why Apple shifted focus for mobile security onto facial recognition, especially with the development of under-screen fingerprint scanners in smartphones.
John Gruber / Daring Fireball has written several posts about FaceID, including:
> "(Quoting Stratechery) TouchID made it far easier to have effective security for the vast majority of situations, and FaceID makes it invisible. [...] the first time I saw notifications be hidden and then revealed (as in the GIF above) through simply a glance produced the sort of surprise-and-delight that has traditionally characterized Apple’s best products" - https://daringfireball.net/linked/2017/11/08/apple-at-its-be...
> "(Quoting Tom's Guide) I’ve been using Face ID on the iPhone X for more than 24 hours, and I don’t need a stopwatch to tell you that it unlocks my phone slower than when I was using Touch ID on my older iPhone 7 Plus". This is not a “workaround”. This is how you’re supposed to unlock iPhone X. Starting with a tap of the side button is not how you’re supposed to do it — you’re creating a two-step process where you only need one. [...] The best way to use Face ID is to pretend it isn’t even there, and just swipe up from the home indicator." - https://daringfireball.net/linked/2017/11/01/face-id-extra-s...
> "(Quoting Michael Tsai) However, Face ID also has advantages. It works with gloves on, with wet fingers, and with dry/cracked skin. It’s more convenient when the phone is in a dock or car mount where it would be hard to get my hand under it to put my thumb on the sensor." - https://daringfireball.net/linked/2019/03/01/tsai-iphone-se-...
I wear face masks more often than I wear gloves and I sure hope facial recognition doesn't just throw away half my face. Combine that with the fact that in certain Asian countries it was normal long before COVID to wear masks when you're not well and I'm not sure which one makes more business sense.
With under-screen fingerprint scanners, or the power button fingerprint scanners on some phones, that "two step process" turns back into a single step. My unlock process is to put my finger on my screen (where the fingerprint scanner is) and pull it out of my pocket. It's honestly no different from the swipe up that you need to do on iOS. Because the scanner is on the front, it also works pretty flawlessly when it's attached to a mount of some sort.
Wet hands are one place where improvements can be made, but modern fingerprint scanners are doing quite well in that space as well.
I've used Google's facial recognition system for ages before I had a phone with a fingerprint scanner and it was always pretty snappy for me, but I didn't set it up with this phone and I haven't missed it so far.
Most analysis of the Face ID feature happened when it first came out before covid, so a lot of security claims are probably not fully accurate anymore (or at least are deserving of a re-evaluation).
I have little basis for this assumption, but I imagine Apple would compromise a bit of security to keep the feature people paid for working and just chop off half the face.
Now what you really want to be doing is printing QR code masks to make up for the missing half of the face! /s
The problem is companies acting like masks are an aberration: if you work in construction, or around your house, then there's plenty of moments you're not wearing gloves but can't or shouldn't take a respirator off (or it's far more involved than taking off a glove).
Face ID has been upgraded since 2019 and is now a lot faster than the initial iteration. Some people may argue Touch ID will always be faster, but I think actively looking at the phone is quicker than trying to put your finger in the right spot.
> You'll need a picture taken with an IR camera, programmed into fake webcam hardware, to bypass it
This is absolutely wrong. I've bypassed it with only a picture (off of a phone, no less). It is bad technology (for securing sensitive information). In terms of convenience of course, it is unmatched.
I've found the convenience to be quite easily surpassed by not ever locking my machines, at virtually no cost to security compared to biometric authentication :)
That's a pretty solid point, though if you only want to secure against a random hobo that doesn't know you at all (and indeed has never seen you) then face locking is okay.
If you're leaving your laptop unattended in a place where random strangers have access to it, the likely outcome is that the machine will be stolen. I'm struggling to come up with a threat model that makes sense for biometrics.
I'm not sure what sort of office you work at, but unfortunately all of the ones I've ever been in do indeed have random strangers in them (not employed by the company). Generally you can trust them not to steal laptops, but you are still not supposed to be sprinkling your possibly internal-only communications around. This threat model is well-served by biometrics, though really why you wouldn't just use a password I don't really know. As you say it works against a more robust attack and there are ways of generating them that are (relatively) easily memorisable using mnemonics.
I've never worn a glove that feels comfortable using a touchscreen in.
Even medical latex-type gloves make keyboard typing near impossible for me (granted that might be because I'm right between sm and md size gloves so I have to wear slightly baggy mediums...)
> A note on security
> This package is in no way as secure as a password and will never be. Although it's harder to fool than normal face recognition, a person who looks similar to you, or a well-printed photo of you could be enough to do it. Howdy is a more quick and convenient way of logging in, not a more secure one.
Congrats to the author(s) for shipping a library, and having done so for some time now it seems (which is more than I've ever done).
Can I ask if there's much of a point, though? Like why bother with the trouble of setting this up if I can just print a photo and have it unlock? At that point you're better off with a very weak and easy-to-remember password, no?
Depends on the level of security you need. This would be enough for my personal laptop, where it's unlikely that I would be targeted by someone, even more so with the skills and time to go and bypass the protection, all that to access my hn account and the half dozen code bases I work on that are already open source. My password manager locks itself whenever I lock the computer, and my webmail has a 1h session. It is much more likely that it would be captured as part of a robbery, or stolen in a cafe, and be resold on craigslist, in which case this level of security is probably sufficient.
My professional laptop could be different if I was working on something of any importance. That is not the case, but there the risk reward is different, and I would probably keep it to password + sec key or something along these lines.
I wish I could restrict it to NOT working everywhere PAM works.
For instance, only face-unlock my screen if it locked for inactivity, and less than 15 minutes ago. If I manually locked it, require password. If I've been gone too long, require password. For sudo and bootup, always require password.
That would make the level of (in)security acceptable to me. In its present state, I don't think it's appropriate.
I was gonna say well, of course you should be able to configure it within PAM to only be used for certain authentication types, but it turns out one of the literally five pages in the wiki covers just that: https://github.com/boltgolt/howdy/wiki/Only-using-howdy-for-...
And for anything PAM doesn't handle, since Howdy is just a Python lib/app, it's almost trivial to modify it to do anything else. You could just add your modifications into https://github.com/boltgolt/howdy/blob/beta/howdy/src/compar... (e.g., make it autofail if an env/memory flag hasn't been set after first login, same with storing an inactivity flag, etc.). Looks like the author is responsive taking pull requests, so you could even do it properly and get it upstreamed: https://github.com/boltgolt/howdy/pulls?q=is%3Apr+is%3Aclose...
As for appropriateness, it's fine if it's not your cup of tea, but with 3.6K stars and 220 forks, obviously it works great/is useful for a lot of people so I'm glad that the author released and maintains it, even if it's not for everyone.
I think it would be interesting if logind was able to track such indications (locked because of inactivity, or due to smart card being removed, or because the system was moved outside of a geofence, or because Kerberos TGT expired), then a pam module could query logind in order to skip over pam_howdy.so based on the desired conditions.
I've wanted that for some time with sssd (e.g., unlock with a single factor if my TGT is still valid) but never got around to filing the right RFEs.
At a first glance, it seems like a well done authentication system that handles video capture, integration with PAM, the workflow for managing faces/users, etc.
As models evolve, they could be integrated without changing the other components.
Also, I'd be curious to see how it compares to, say, Windows Hello. The nice thing about it being open source is you can change the confidence threshold for matching a face, and see the impact.
AFAIK Windows Hello uses an array of IR sensors to map the contours of your face, which is why "a well printed photo" doesn't fool it. This, on the other hand, is based on face recognition and identification in the video feed from your webcam.
It really does not, it's simply identifying you from a picture: https://docs.microsoft.com/en-us/windows-hardware/design/dev...
Notice how Microsoft shows how Hello can't be fooled by phones or by a picture. Howdy uses the same IR camera of course and thus would also not be fooled by that picture. Some (industrial) printers DO print in the IR-spectrum and can fool both.
It's all about your threat model. The lock on your front door doesn't prevent someone with the right tools from getting in either, but it still provides meaningful security against large groups of potential attackers.
FWIW, Windows Hello does try to defend against this attack by requiring special cameras that operate in the infrared band.
>> Like why bother with the trouble of setting this up if I can just print a photo and have it unlock?
The question is - who are you trying to protect against?
Like, personally I'm worried about someone stealing my laptop. In that case, it's extremely unlikely the thief would have a photo of me to use to unlock the laptop. Yes my wife or my friends would have access to pictures of me in high enough resolution to print and use to unlock it - but I'm really not worried about them breaking in.
> Use your built-in IR emitters and camera in combination with facial recognition to prove who you are.
I wonder if the "could be enough to do it" is kind of pessimistic. That is, it is open source software -- you can install it on whatever computer you want, including one without an advanced IR camera. Or, the user could have some obscure IR camera, which might not be detected properly/might not have Linux drivers. It seems hard to make guarantees for arbitrary hardware.
Could be handy for having a computer the kids can use, just look at it and unlock it - dunno if that's easier than '123456' or no passwords, but I can see certain scenarios where a simple face match to unlock something would be cool
Hey main developer of Howdy here, bizarre to see this on HN :)
To emphasize: Howdy is about convenience for people that are okay with a less secure installation. It can also be used as a second factor.
3.0.0 has been in the works for 2 years now and will introduce a GTK UI, native PAM module and many other changes. Let me know if you have any questions!
I never got round to PR'ing this (maybe I still will) but it would be great if Howdy had a feature where it could be "skipped" until the user is logged in.
That would allow people using systemd-homed's encryption to unlock their home directories, which they otherwise cannot have done [as it requires the passphrase].
I don't have a lot of faith in Windows Hello either.
My 6 year old daughter was able to log into my admin account.
They weren't even trying to do that, just opened the laptop and it's all like "Hello, Brian!" and logged into my account.
friendly reminder: do not use facial authentication (or biometrics), ever.
in a US court of law, things like blood and biometrics are NOT protected by the fifth amendment. law enforcement can (and have) compelled submission of fingerprints and faces to unlock devices. this includes immigration and customs officers demanding credentials from foreign nationals.
complex passphrases however are protected under the fifth amendment, and are much more secure overall.
Additionally, it provides zero security against any attack more earnest than peeking at your screen when your back is turned, unless combined with an elaborate chain of trust, including a TPM/Secure Enclave and full-disk encryption, which is only obtainable by running either Windows or Ubuntu with the officially signed-by-Microsoft Secure Boot kernel.
Otherwise anyone can just boot the machine off a USB stick and take what they like.
What's wrong with unlocking a device for them? Do you have something to hide? The convenience is valuable to the majority of people who will never be forced to unlock their device in their life.
My Xiaomi does that too, although the quick shortcut is to just hold the power button down to force reboot it. I think it's just the PC space missing support for this.
However, I think the emergency disable functionality in Windows Hello isn't really necessary. You can quickly disable biometrics on your phone from your pocket, but disabling it on a desktop or laptop is a lot harder to do inconspicuously.
Because this is using PAM, you can configure it however you want. You can tell your system to allow user logins through biometrics but require a password for administrative tasks (doas/sudo) for example. You can also edit the source code and make it always fail if a certain file in a write-only directory is present and set up a keyboard shortcut that runs `touch /special/file/here`. You can even implement such a timer system by setting up a systemd timer that automatically creates such a file after a certain amount of time to make sure you need to reauthenticate.
Setting up a reliable face recognition system that hooks into the right APIs is the hard part. That's what this project does. Customising it to serve your exact use case is relatively easy.
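The policy sketched in this thread (face unlock only for a screen that locked on inactivity less than 15 minutes ago, never for sudo, and a kill-switch file that forces the password), written as a gate script that a PAM stack could run through pam_exec, which exports PAM_SERVICE to the command. This is an added example, not part of any comment above and not Howdy's code; the file paths, the lock-state JSON format and the `screenlock` service name are assumptions.

```python
#!/usr/bin/env python3
"""Gate deciding whether face unlock may be offered for this PAM request."""
import json
import os
import stat
import sys
import time

# All paths, the state-file format and the service name are assumptions for this example.
KILL_SWITCH = "/run/face-gate/disabled"   # touch this file to force password entry
LOCK_STATE = "/run/face-gate/lock.json"   # {"locked_at": <epoch>, "reason": "idle" | "manual"}
MAX_AGE = 15 * 60                         # seconds face unlock stays valid after an idle lock
FACE_SERVICES = {"screenlock"}            # hypothetical PAM service name; sudo, su, login excluded


def face_unlock_allowed(service, now=None, kill_switch=KILL_SWITCH, lock_state=LOCK_STATE):
    """Return (allowed, reason). Every error path denies, so the password is required."""
    now = time.time() if now is None else now
    if service not in FACE_SERVICES:
        return False, "service requires password"
    if os.path.exists(kill_switch):
        return False, "kill switch present"
    try:
        st = os.stat(lock_state)
        # A state file other users can rewrite would let them forge a fresh idle lock.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, "state file writable by others"
        with open(lock_state, encoding="utf-8") as fh:
            state = json.load(fh)
        locked_at = float(state["locked_at"])
        reason = state["reason"]
    except (OSError, ValueError, KeyError, TypeError):
        return False, "no trustworthy lock state"
    if reason != "idle":
        return False, "screen was locked manually"
    age = now - locked_at
    if age < 0 or age > MAX_AGE:
        return False, "lock too old"
    return True, "recent idle lock"


if __name__ == "__main__":
    # pam_exec passes the requesting service in the PAM_SERVICE environment variable.
    allowed, why = face_unlock_allowed(os.environ.get("PAM_SERVICE", ""))
    print(f"face-gate: {why}", file=sys.stderr)
    sys.exit(0 if allowed else 1)
```

Something outside the script (for instance a screen-locker hook) has to write the lock-state file, and the PAM stack has to treat a non-zero exit as "skip the face module and ask for the password".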
Android does all three, though there's no way to configure the timeout for (2), and the timeout seems inappropriately long (72 hours). At least, all these are the case on the Moto builds of Android 10. Could be different on other manufacturers.
Some cameras have depth sensors to defend against the printed photo attack. Are they easily useable by Howdy? FWIW, Windows Hello refuses to work without one of these sensors.
"Windows Hello uses the two IR emitters to generate a 3D image of your face, and is much more secure. To do this Hello lights up your face with the left emitter on even frames, and uses the right emitter on odd frames. This lights up your face in slightly different angles, which is not possible to be faked by simply printing a 2D photo.
Unfortunately Howdy does not have control over these IR emitters and can't use this process"
Ah yeah, that's interesting. I was looking at the actual recognition code in howdy (basically leans on dlib's face detection), which doesn't seem to have any "3D" checker built in, but if it is just based on differential illumination, maybe it won't be so hard to simply make sure there are sufficient differences in the odd/even frames to distinguish a face as 3D.
I suppose it could be weak to a "mask" attack, but you could add something like drishti to make sure you can real eyes in addition to a face.
Multi-spectral processing might help in that case, but honestly, if this sort of attack is a real security threat, then you probably shouldn't be running biometric logins in the first place (and you should probably actually be using MFA).
Of course, this is all about authentication convenience and keeping the attacker bar high. The mask attack is a lot more expensive/difficult than printing out a photo (too easy).