Authentication verifies that a user is who they claim to be. It is based on one or more of the following factors:
- Something you know, e.g. password or PIN
- Something you have, e.g. key or token
- Something you are, e.g. fingerprint or face
Biometric authentication is based on something you are: fingerprint, iris, retina, voice, hand geometry or face recognition. Many of these have been in use for a long time, and they still have untapped potential.
Strong authentication (also called two-factor or multi-factor authentication, 2FA, MFA) is commonly used with biometrics. It means that at least two factors from different categories above are used together for one authentication; a password plus a PIN is two secrets but still only one factor. With biometrics, the second factor is usually a password or PIN.
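To make the "different categories" rule concrete, here is an added example (not code from the original post or from any vendor mentioned in it). It implements a "something you have" factor as an RFC 6238 TOTP code using only the Go standard library, and a policy check that only counts an authentication as multi-factor when the verified factors span at least two categories. The factor names, the category table and the test-vector secret are assumptions made for this example; a real system would also hash the password with bcrypt or Argon2, which is omitted here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Category is one of the three factor types from the text: something you know, have, or are.
type Category string

const (
	Know Category = "know"
	Have Category = "have"
	Are  Category = "are"
)

// factorCategory maps each supported authenticator to its category (assumed names).
var factorCategory = map[string]Category{
	"password": Know, "pin": Know,
	"totp": Have, "hardware_key": Have,
	"face": Are, "fingerprint": Are,
}

// TOTP implements RFC 6238 (HMAC-SHA1, 30-second step) with the RFC 4226 dynamic truncation.
func TOTP(secret []byte, unix int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyTOTP accepts the current 30-second step and one step either side (clock drift).
// All three candidates are always compared, so timing does not reveal which one matched.
func VerifyTOTP(secret []byte, code string, unix int64) bool {
	ok := false
	for _, delta := range []int64{-30, 0, 30} {
		if subtle.ConstantTimeCompare([]byte(TOTP(secret, unix+delta, 6)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// IsMultiFactor is the policy check from the text: the factors the user has successfully
// presented must span at least two distinct categories. Password + PIN is one factor;
// face + PIN is two. Unknown factor names are ignored rather than trusted.
func IsMultiFactor(verified []string) bool {
	seen := map[Category]bool{}
	for _, f := range verified {
		if c, known := factorCategory[f]; known {
			seen[c] = true
		}
	}
	return len(seen) >= 2
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, not a real key
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	fmt.Println("code:", code, "valid:", VerifyTOTP(secret, code, now))
	fmt.Println("password+pin is MFA:", IsMultiFactor([]string{"password", "pin"})) // false
	fmt.Println("face+pin is MFA:", IsMultiFactor([]string{"face", "pin"}))         // true
}
```

The TOTP output can be checked against the vectors in RFC 6238 Appendix B (the ASCII secret "12345678901234567890" at T=59 yields 94287082 for eight digits). The point of IsMultiFactor is that the check is on categories, not on the number of prompts the user answered.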
The next big thing in biometrics is face recognition.
Face Recognition Goes Mainstream
With Apple’s new iPhone X, face recognition will become mainstream, allowing the user to unlock the phone just by looking at it. Apple claims that Face ID is 20 times more secure than Touch ID fingerprint scanning (a 1 in 1,000,000 chance that a random person’s face unlocks the phone, versus 1 in 50,000 for a fingerprint), while also being faster. Many phone manufacturers have their own versions of face recognition, but Apple claims only its version gives the desired level of security. Microsoft has also unveiled its biometric authentication technology, Windows Hello. It works much like Apple’s face recognition, and it also supports fingerprint and iris scanning.
There are many examples of face recognition possibilities. For instance, it will speed up London Heathrow Airport security controls. It can also be used to authenticate payments, open physical doors, and log you on to a laptop — as well as automatically lock the laptop when leaving the desk. Possibilities are endless.
Concerns with Face Recognition
New technology rarely comes without concerns. At the iPhone launch event, the facial recognition demo failed and didn’t unlock the phone. This naturally raised the question of whether the technology is mature yet. Apple said the failure was actually a feature: other people had handled the phone backstage, and after their failed unlock attempts it had reverted to passcode authentication.
Iris recognition and many face recognition methods can be fooled by showing a large, high-resolution image to the camera. Both Apple and Microsoft build a 3D depth model of the face and use infrared imaging, so that a printed photo, a screen or a simple mask is rejected. Retina scanning could still be used to provide extra security.
People are also, understandably, worried that their facial data will be leaked to hackers. The best-practice approach is to keep the biometric template encrypted in the device’s secure hardware (a TPM on Windows devices; Apple uses its Secure Enclave). This way the template cannot be extracted by software, even with full access to the device’s operating system. It also means that the biometric data does not roam with your profile or identity: every device has to be enrolled separately for biometric authentication. The device only sends out the result, i.e. whether the person matched the enrolled template or not.
Apple’s face recognition is done by a machine-learning model running on the phone, which keeps adapting as it learns more about the owner’s face. Microsoft, by contrast, gives full control to the user and does not automatically adapt to the user’s changing looks.
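The design principle in the paragraph above (template and key stay in secure hardware, only a match result leaves the device, and every device is enrolled separately) can be shown end to end. The following is an added example written for this article; it is not Apple’s or Microsoft’s implementation. It simulates the secure element as an object whose template and Ed25519 device key are never read by the rest of the program: on a successful local match it signs a server challenge, and the server, which holds only the public key per enrolled device, verifies that signature. This is the same shape FIDO2/WebAuthn device-bound credentials use. The byte-similarity matcher, the 90% threshold, the five-attempt lockout and the device names are stand-ins chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// maxFailures is an assumed lockout limit, after which only the passcode can unlock.
const maxFailures = 5

// secureElement stands in for the TPM / Secure Enclave. Nothing outside it reads
// the template or the private key; the only outputs are a signed challenge or an error.
type secureElement struct {
	template []byte
	priv     ed25519.PrivateKey
	failures int
}

// newSecureElement enrolls a template and generates the device key pair. Only the
// public key leaves the element (in production together with an attestation).
func newSecureElement(template []byte) (*secureElement, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &secureElement{template: template, priv: priv}, pub
}

// match compares a fresh capture with the stored template. A real matcher scores
// feature vectors; this stand-in counts equal bytes and requires 90% similarity.
func (se *secureElement) match(probe []byte) bool {
	if len(probe) != len(se.template) {
		return false
	}
	same := 0
	for i := range probe {
		if probe[i] == se.template[i] {
			same++
		}
	}
	return same*100 >= len(probe)*90
}

// assertMatch is the one operation exposed to the rest of the device: on a successful
// match it signs the server's challenge with the device key. The template is never returned.
func (se *secureElement) assertMatch(probe, challenge []byte) ([]byte, error) {
	if se.failures >= maxFailures {
		return nil, errors.New("biometric locked out: passcode required")
	}
	if !se.match(probe) {
		se.failures++
		return nil, errors.New("no match")
	}
	se.failures = 0
	return ed25519.Sign(se.priv, challenge), nil
}

// server stores one public key per enrolled device and single-use challenges.
// It never sees biometric data, only whether a challenge was signed by an enrolled key.
type server struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string]string // challenge bytes -> device id it was issued to
}

func newServer() *server {
	return &server{devices: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

func (s *server) enroll(deviceID string, pub ed25519.PublicKey) { s.devices[deviceID] = pub }

func (s *server) challenge(deviceID string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[string(c)] = deviceID
	return c
}

// verify accepts only a fresh challenge issued to this device, signed by its enrolled key.
func (s *server) verify(deviceID string, challenge, sig []byte) bool {
	if s.challenges[string(challenge)] != deviceID {
		return false // unknown, already used, or issued to another device
	}
	delete(s.challenges, string(challenge)) // single use, so a replay fails below
	pub, ok := s.devices[deviceID]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	template := []byte("constructed stand-in for a face template") // not real biometric data
	se, pub := newSecureElement(template)
	srv := newServer()
	srv.enroll("phone-1", pub)

	c := srv.challenge("phone-1")
	sig, err := se.assertMatch(template, c)
	fmt.Println("local match:", err == nil, "server accepts:", srv.verify("phone-1", c, sig))
	fmt.Println("replay of same assertion accepted:", srv.verify("phone-1", c, sig))
}
```

Two things worth noticing: the server verifies a signature, not a template, so a breach of the server yields public keys only; and because the key is generated inside the element at enrollment, a second phone with the same face is still unknown to the server until it is enrolled on its own, which is exactly the "no roaming" behaviour described above.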
Another concern is that a user could be forced to reveal all their data simply by having the phone held in front of their face. In practice you have to look at the camera with your eyes open to unlock the phone, so forcing someone to unlock their phone is actually easier with a fingerprint scanner. It might be possible to automatically recognize involuntary micro-expressions, and to combine that with other risk-based authentication signals (location, time of day, behavioral patterns). If anything looked alarming, the phone would simply revert to password authentication.
Recognizing a face has always been the primary way of identifying a person. Opening a bank account or obtaining a passport requires a secure method of identification. Once a person has been identified, subsequent sessions need only authentication. Identifying a person is harder than authenticating one: how can you be certain whose face this is when there is nothing to compare it with?
Many banks have implemented an online identification process in which a human identifies the customer over a webcam call. If we could build a reliable, tamper-proof way to identify a person digitally, a lot of that cost could be saved. Identifying a person from an old driver’s licence photo is not really secure, but even when that old photo ID is the best option available, an AI model will be more consistent at matching it than a human. Automatic risk scoring could let a customer start using services at a lower trust level, with a “step-up identification” required later to enable the full service.
Automatic face recognition will be a big enabler for digital transformation. More and more services can be provided without ever meeting the person face to face. Once the person has been identified, their face can be used to authenticate them very securely. This makes payments and the use of services easier: you always carry your biometrics with you. These technologies require extreme care, because biometrics cannot be reset like passwords. Whatever device (phone, passport) the biometric data is stored in, that data should never leave the device; only the match result should.
Tapani Tanskanen, certified CISSP®, CIAM, M.Sc. Computer Science. Authentication and Identification with Face Recognition, October 24, 2017.