The two big tests of any authentication system are accuracy and security.
Facial recognition is undoubtedly achieving accuracy levels to rival any other biometric technique.
But can new facial recognition systems be fooled, or can they defend themselves against attackers ‘stealing’ people’s faces?
As we’ve established, a face is not a ‘secret.’
On the contrary, it is easy to find a person’s face in an era of photo sharing.
Instead, a face has to be hard to copy – and probably ‘live.’
What are the facial recognition issues here?
In the past, criminals have tried methods such as:
Photographs, 3D-printed masks, and video clips
Early facial recognition systems were vulnerable to these approaches.
In 2009, authorized hackers successfully used photos to trick the systems used by Lenovo, Asus, and Toshiba laptops.
Forced or unaware facial recognition
If attackers cannot spoof a system, they might try to force an authentication.
For example, they could hold a person’s phone to the owner’s face when asleep, or coerce them to unlock it.
Stealing the numerical code
If every face pattern is converted into a numerical code before matching, a criminal could steal the codes.
Happily, technology improvements and a smarter approach to the user interface have made it harder for hackers.
Liveness detection is the best defense against photo spoofing.
3D scanning helps (see technology section), and some systems require subjects to blink during set-up to indicate their ‘liveness.’
Another sensible measure is to support different levels of security, depending on the use case.
- In low-risk scenarios, facial recognition alone might be suitable.
- But where the risk is high, the system might demand multi-factor authentication such as password and fingerprint.
Let's see how facial recognition is evolving with Dimitrios Pavlakis from ABI Research.
Facial recognition evolution
Dimitrios Pavlakis, Industry Analyst at ABI Research, says the user experience should depend on the context.
“It might be okay to wake up your in-car entertainment with just your face, but maybe not to unlock the car itself. Manufacturers and algorithm developers might also ship face recognition systems with variable thresholds for different use cases and applications.
They might dial down the accuracy and increase the authentication speed in smart homes, for example, where there are a small number of frequent users, as opposed to banking or access control, where multiple users need to be identified.”
Apple is a case in point here.
While a person’s face alone can unlock the iPhone, a face scan and PIN code are required to open more sensitive services.
A good defense against the harvesting of facial data is to avoid keeping it in a central database.
This is why many systems store the numerical code locally – inside a secure enclave in the device itself.
For example, in a phone, an embedded secure element (eSE) is a tamper-proof chip that lives in the chipset or SIM card.
It can only be accessed with strong authentication. Also, the eSE never shares the code with an application.
Instead, if a service wants to verify the user is authentic, it merely receives a yes/no answer.
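The two defenses described above (thresholds and extra factors that vary with the risk of the use case, and on-device matching that answers only yes or no) can be sketched together. This is an added example, not code from the article or from any vendor; the use-case names, threshold values, sample templates and the `OnDeviceMatcher` class are assumptions made for illustration.

```python
import math

# Constructed policy (assumed values): use case -> (min similarity, second factor required)
POLICY = {
    "wake_infotainment": (0.80, False),   # low risk, few frequent users
    "unlock_phone":      (0.90, False),
    "banking":           (0.95, True),    # high risk: face plus another factor
}

def cosine(a, b):
    """Cosine similarity between two face templates (numeric vectors)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class OnDeviceMatcher:
    """Models match-on-device: the enrolled template has no getter and
    callers only ever receive True or False. (Python name mangling is a
    model of the interface, not real hardware isolation.)"""

    def __init__(self, enrolled_template):
        self.__template = tuple(enrolled_template)

    def verify(self, probe, use_case, live, second_factor_ok=False):
        threshold, needs_second_factor = POLICY[use_case]
        if not live:                       # failed liveness: reject before matching
            return False
        if cosine(self.__template, probe) < threshold:
            return False
        return second_factor_ok or not needs_second_factor

# Constructed sample templates
ENROLLED = (3.0, 4.0, 0.0)
CLOSE_PROBE = (3.0, 4.0, 1.0)   # similarity ~0.98
FUZZY_PROBE = (3.0, 4.0, 2.5)   # similarity ~0.89

if __name__ == "__main__":
    m = OnDeviceMatcher(ENROLLED)
    for case in POLICY:
        print(case, m.verify(FUZZY_PROBE, case, live=True))
```

The same probe is accepted for the low-risk use case and rejected for the stricter ones, and a high-risk request fails without the second factor even when the face match is strong.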