We are entering a new age of digital security. The spotlight is back on facial recognition, with vendors like Apple and Samsung moving away from fingerprint scanners (Apple's Touch ID among them) in favor of 3D facial technology. Apple claims that the chance of another person unlocking the phone by face is one in a million, and its Face ID system also demands a 'liveness test' before it will unlock. That may make design sense, but facial recognition is not inherently harder to bypass than a fingerprint.
Relying on a single factor for authentication, whether it is a password or your face, is ill-advised. A single secret is simply not enough for real security; adding another layer of defense keeps your accounts and data better protected.
First, we (as humans) use facial recognition as our primary means of identifying people, but we also use the context of the situation or environment. Recent successes with facial recognition suggest that computers can take context into account as well. For example, a facial recognition system deployed at Washington Dulles International Airport caught its first impostor when the system determined that the man's face did not match the photograph on his passport. Officials later found that the man was concealing his authentic ID in his shoe. Context may include additional factors, both explicit and implicit, that raise confidence within an authentication process.
Authentication and authorization are separate steps in allowing or denying access to any computer system. Authentication identifies the user and establishes how confident the system is in that identification. Authorization is the decision to allow or deny a given action, made on the basis of that identity and the confidence behind it. Facial recognition has major problems that make it a poor sole factor for identification, because on its own it yields low confidence scores during authentication. Additional context raises confidence by correlating information that confirms (or contradicts) the identified subject.
As facial recognition technology continues to be incorporated into personal and corporate devices, here are three reasons why you should not rely on your face – or any single form of authentication – as your password.
Face Alone, Without Context, Is Not Sufficient
Unlike fingerprints, faces change. Age, facial hair, illness, or weight gain all make facial recognition harder, and that is before you get into the well-documented problems facial recognition has with race and gender. Samsung is hoping to improve facial recognition by adding a form of iris scanner to its latest devices. This provides additional context, at the cost of extra hardware in the phone. The system is named "Intelligent Scan" and includes what the company calls Eyeprint Verification. It works by first scanning your face and moving on to the iris only if that initial authentication fails. If conditions are poor for both, it combines the two readings to unlock the device.
It isn't clear from the company's literature whether this system uses true iris scanning, which is considerably harder to spoof than a 2D image of a face. However, it is telling that the company chose to include a second biometric rather than rely on the face alone. That additional reading increases confidence that the recognized face belongs to a live subject. Biometrics should always be measured together with "liveness" information that gives context to the authentication session.
There are many sources of variation that can confuse a person's identity. Lighting is one of them.
Changes in lighting can significantly skew images of the same individual, especially if they are not looking straight into the camera. An evenly lit face seen directly from the front will likely give an accurate reading, but lighting conditions change as often as people's expressions, which does not make for a reliable system.
The front-facing cameras on phones are significantly less capable than those on the back, which makes them more reliant on good lighting to produce a quality image. Backlighting in particular poses a big problem. Apple's iPhone X used dedicated infrared illuminators to counter this in its Face ID system, with varying degrees of success. Some reviewers reported problems using it in direct sunlight but noted that overall it performed better than expected. Again, additional context (e.g., 3D depth readings from a separate sensor) is used to increase the confidence score obtained from a single modality like a facial image. We talk about Face ID as a single biometric, but it is actually a system of multiple sensors whose outputs are combined into a composite score.
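The three ideas above, authentication as a confidence estimate that is separate from the authorization decision, the face-then-iris-then-combined strategy Samsung describes, and a composite score built from several sensors plus context, can be made concrete in code. The following Python is an added example written for this article; it is not code from Apple, Samsung or any real product. The thresholds, fusion weights, field names, context signals and the per-action confidence requirements are all assumptions chosen for illustration, and the liveness verdict is taken as an input produced by the sensor pipeline rather than computed here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical thresholds. A real system calibrates these from measured
# false-match / false-non-match rates on its own sensors.
FACE_ACCEPT = 0.90    # face alone is trusted at or above this score
IRIS_ACCEPT = 0.90    # iris alone is trusted at or above this score
FUSED_ACCEPT = 0.85   # combined score must clear this when neither modality does alone
MIN_USABLE = 0.50     # a reading below this is treated as "no usable sample"


@dataclass
class Sample:
    """One biometric capture (constructed fields for this example)."""
    modality: str        # "face" or "iris"
    match_score: float   # 0.0..1.0 similarity to the enrolled template
    liveness: bool       # did the sensor's own liveness check pass?


@dataclass
class Context:
    """Implicit signals gathered alongside the capture (constructed example)."""
    known_device: bool    # device previously bound to the claimed user
    usual_location: bool  # inside the user's normal geofence
    recent_failures: int  # failed unlock attempts in the last few minutes


@dataclass
class AuthResult:
    user: Optional[str]   # None means "not identified"
    confidence: float
    reason: str


def fuse(face: float, iris: float) -> float:
    """Weighted score fusion; iris carries more weight because it is harder
    to spoof. The weights are an assumption for this example."""
    return 0.4 * face + 0.6 * iris


def authenticate(claimed_user: str, face: Optional[Sample],
                 iris: Optional[Sample]) -> AuthResult:
    """Face first, iris if face falls short, fusion if neither suffices alone.
    Returns an identity plus a confidence; it makes no allow/deny decision."""
    # Liveness is a hard gate: a high-scoring photograph is still a photograph.
    for s in (face, iris):
        if s is not None and not s.liveness:
            return AuthResult(None, 0.0, f"{s.modality} liveness check failed")
    f = face.match_score if face else 0.0
    i = iris.match_score if iris else 0.0
    if f >= FACE_ACCEPT:
        return AuthResult(claimed_user, f, "face matched")
    if i >= IRIS_ACCEPT:
        return AuthResult(claimed_user, i, "iris matched after face fell short")
    if f >= MIN_USABLE and i >= MIN_USABLE:
        combined = fuse(f, i)
        if combined >= FUSED_ACCEPT:
            return AuthResult(claimed_user, combined, "face+iris fused")
        return AuthResult(None, combined, "fused score below threshold")
    return AuthResult(None, max(f, i), "no modality usable")


def adjust_for_context(result: AuthResult, ctx: Context) -> float:
    """Context nudges confidence up or down but never turns a failed
    identification into a successful one."""
    if result.user is None:
        return 0.0
    c = result.confidence
    if ctx.known_device:
        c += 0.03
    if ctx.usual_location:
        c += 0.02
    c -= 0.05 * ctx.recent_failures
    return max(0.0, min(1.0, c))


# Required confidence per action (assumed values). Authorization is a separate
# decision from authentication: moving money needs more than unlocking a screen.
REQUIRED = {"unlock": 0.85, "view_mail": 0.90, "transfer_funds": 0.97}


def authorize(action: str, result: AuthResult, ctx: Context) -> Tuple[bool, str]:
    """Allow the action only if context-adjusted confidence meets its bar;
    otherwise ask for a step-up factor (PIN, hardware token, ...)."""
    if result.user is None:
        return False, f"deny {action}: {result.reason}"
    c = adjust_for_context(result, ctx)
    need = REQUIRED[action]
    if c >= need:
        return True, f"allow {action} for {result.user} (confidence {c:.2f} >= {need})"
    return False, f"step-up required for {action}: confidence {c:.2f} < {need}"
```

Two design points are worth noting. Liveness is checked before any score is compared, so a perfect match from a non-live sample is rejected outright instead of merely lowered; and context adjusts confidence only for an already-identified subject, so a trusted device or familiar location can never substitute for the biometric itself. The per-action table is where "authentication" and "authorization" actually separate: the same 0.87 confidence can unlock the screen and still be refused a funds transfer.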
Faces are Spoofable
It's no surprise that, as technology evolves, new attacks will trick facial recognition systems. Faces simply aren't as complex as fingerprints or irises, and spoofing attacks can be physical or digital. Early phone implementations were fooled by a photograph. When the Samsung Galaxy S8 came out in spring 2017, its facial recognition was one of its major selling points, until it turned out the scan could be tricked by simply holding a picture of the owner's face up to the phone.
Apple's Face ID is significantly more sophisticated: it uses a 3D depth map to enroll and verify the physical features of the device holder. That makes it considerably harder to fool, since an attacker must reproduce a physical likeness of the target's face. Apple also says the system's neural network is trained to detect spoofing attempts, and analyzing expression and attention each time a face is presented makes it easier to tell a live user from a replica. Even with all that, Apple still keeps a passcode as a mandatory layer, required after a restart or repeated failed matches for example, so that Face ID alone is never the only gate on a phone's data.
The pervasiveness of photographs on the Internet means there is likely a photo of you out there, accessible to anyone who looks for it. As phone cameras improve, so does the resolution of those photos, which makes facial spoofing easier for attackers. By contrast, few of us have fingerprint images online, and far fewer (possibly none) have iris or retinal scans online. Biometrics are private information, but they are not secret the way a password is, and unlike a password they cannot be changed once they leak.
This is why people should not rely on a single factor for authentication, least of all a system that relies solely on facial recognition. A face match taken without a liveness check and without the surrounding context is missing the information that makes the match trustworthy. If facial recognition is widely adopted as one part of a multi-factor approach, it can strengthen both privacy and security in the identity ecosystem.