
I'm planning to use the AWS Rekognition service for forgot password in my iOS and Android apps. The flow will be: whenever a user initiates forgot password, I will check whether the actual user is initiating forgot password for the particular mobile number. For this I will ask the user to take one live picture of himself/herself and check it against a reference image. But I'm facing one scenario in this:

E.g.: If user A gets user B's mobile and initiates forgot password from B's device, and we have only OTP authentication, A can easily change B's password using forgot password, since A has access to B's messages.

So I want to add an extra layer of security before initiating the forgot-password flow by using a live picture of the person who is initiating the forgot-password action.

In this case, what if user A has user B's image on A's mobile, takes a photo of it from user B's mobile and initiates forgot password?

How do I restrict this kind of scenario? And I just want to know whether this is the suggested way to proceed or not.

Please advise.

Karthick Selvaraj

1 Answer


Amazon Rekognition can recognize faces in still images or in video.

The problem with a still image is that they could submit a picture of somebody else because there is no proof that the image is "them". To be more secure, the application could take the picture itself so that it knows the picture is showing something from "now" (rather than a saved image), but they could conceivably take a picture of a picture to bypass this check.

An alternative is to use Amazon Rekognition Video to record a video in the application, which would require more bandwidth and processing time but would be more difficult to fake.

The iPhone X uses 3-D particle scanning to improve security.

Bottom line: Face recognition is not highly secure, but with additional factors it might be acceptable to your use-case.

John Rotenstein
  • Yes, I'm not going to allow my user to pick an image from the photos/gallery app; I will only allow taking a live picture from the camera. Though they can take a picture of another picture. Let me check more about video analysis using Rekognition and update this thread. Thanks for your time!! – Karthick Selvaraj Oct 25 '18 at 05:23
  • @KarthickSelvaraj, have you done any additional research on this? Is Rekognition secure when it comes to face-spoofing attacks? – Opal Sep 24 '20 at 05:33
  • No @Opal. We have added manual verification and OTP-based authentication in our flow along with facial recognition to tighten the security. – Karthick Selvaraj Sep 25 '20 at 10:43
  • @KarthickSelvaraj, thanks, I do consider exactly the same approach. – Opal Sep 25 '20 at 11:08
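The layered flow discussed above (face match treated as one factor alongside OTP, with a manual-review tier for borderline matches) as an added example; this is not code from the question, the answer, or AWS. It assumes the server issues a short-lived, single-use challenge when the flow starts so that a previously captured submission cannot be replayed, and it parses a CompareFaces-shaped response rather than calling Rekognition; the thresholds and TTL are assumptions. It does not detect a photo of a photo, which the answer notes still needs video or other factors.

```python
import secrets
import time
from dataclasses import dataclass, field

# Similarity (0-100) as reported in a Rekognition CompareFaces response; assumed thresholds.
AUTO_APPROVE_SIMILARITY = 95.0   # assumption: strong match plus valid OTP -> approve
MANUAL_REVIEW_SIMILARITY = 80.0  # assumption: borderline match -> human verification
CHALLENGE_TTL_SECONDS = 120      # assumption: capture must be submitted within 2 minutes


@dataclass
class ResetSession:
    """Server-side state for one forgot-password attempt (hypothetical structure)."""
    challenge: str = field(default_factory=lambda: secrets.token_hex(16))
    issued_at: float = field(default_factory=time.time)
    used: bool = False


def best_similarity(compare_faces_response: dict) -> float:
    """Highest Similarity in a CompareFaces-shaped response; 0.0 if no face matched."""
    matches = compare_faces_response.get("FaceMatches", [])
    return max((m["Similarity"] for m in matches), default=0.0)


def decide_reset(session, presented_challenge, otp_ok, compare_faces_response, now=None):
    """Return 'approve', 'manual_review' or 'deny' for a password-reset request."""
    now = time.time() if now is None else now
    # Freshness: the capture must be bound to the challenge issued for this attempt,
    # unexpired and never used before, so a stored submission cannot be replayed.
    if session.used or presented_challenge != session.challenge:
        return "deny"
    if now - session.issued_at > CHALLENGE_TTL_SECONDS:
        return "deny"
    session.used = True
    # OTP stays mandatory: the face check adds a factor, it does not replace one.
    if not otp_ok:
        return "deny"
    similarity = best_similarity(compare_faces_response)
    if similarity >= AUTO_APPROVE_SIMILARITY:
        return "approve"
    if similarity >= MANUAL_REVIEW_SIMILARITY:
        return "manual_review"
    return "deny"


# Constructed sample in the shape CompareFaces returns (not a real API result).
SAMPLE_RESPONSE = {"FaceMatches": [{"Similarity": 97.3, "Face": {"Confidence": 99.9}}],
                   "UnmatchedFaces": []}
```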