By Abrar Siddiqui, Vice President of Engineering at Callsign
Facial recognition is increasingly being used to verify and authenticate users in different settings, whether it’s to unlock phones, gain access to online bank accounts or government services, or even at airports to verify users and eliminate passport lines. We’ve seen its applications in various industries ranging from public transportation and healthcare to law enforcement and government services. Moreover, in 2021, the UAE government announced that it would use facial biometrics technology to allow citizens and residents to register for “UAE Pass,” a first-of-its-kind digital national ID.
An increasing number of regional companies and governments are looking to facial recognition to verify and authenticate users in other scenarios.
Currently, the way we authenticate or verify identities isn’t working: digital identity is broken. In the real world, we recognize people based on their traits, such as their face or voice, but online, it’s more challenging to confirm identity and easier for fraudsters to claim to be someone they aren’t.
We’ve seen numerous data breaches in which consumer information is stolen and subsequently sold on the dark web, where fraudsters can quickly obtain and use login credentials in bulk. We’re also experiencing a rise in the use of synthetic identities, demonstrating how broken digital identity is.
With this context, many firms are turning to facial recognition as a first step in enhancing their digital identification, verification and authentication strategies. However, as a stand-alone approach, it has flaws and can be the single point of failure in the verification or authentication process.
First, it’s critical to understand the distinctions between verifying and authenticating a user. When facial recognition technology verifies a user, it identifies the user’s face, analyzes it, and compares it to static information provided, such as an identity card.
After identity has been verified, authentication occurs when a customer’s identity is confirmed by requesting additional credentials to allow access to services – for example, personal information such as a password or PIN.
Facial recognition, and biometrics in general, function well as a verification method. For example, when creating a new bank account, consumers realize that they will need to verify their identity, and biometrics is an adequate means to do so.
However, counting on facial recognition for authentication or authorization purposes later in the online user journey may not be acceptable for several reasons.
1. Inherent biases
One well-publicized problem with using facial recognition as an authentication or authorization mechanism is that it can exclude segments of the population. The widely publicized problem with Uber’s use of facial recognition to allow drivers to access the app had far-reaching unintended repercussions due to racial or religious bias and technological elitism.
2. Friction
Physical biometrics might jeopardize the customer experience. In some circumstances, friction is necessary. For example, customers may find it reassuring to be asked to reconfirm their identification before authorizing the transfer of a significant sum of money.
But if a facial ID is required every time a user buys something from an online merchant, they’ll most likely switch to another brand where it’s easier and faster to complete a purchase.
3. Security
Facial biometrics have security limitations as well. Using a single photo as authentication can lead to fraudsters falsely claiming that their biometrics systems are broken to avoid the authentication procedure. Fraudsters are also aggressively researching methods to trick facial recognition technology.
4. Lack of privacy
While the concept of facial recognition as a unique identifier to authenticate with is recognized, consumers don’t understand that it is intrusive and invades people’s privacy. A user’s face is their Personally Identifiable Information (PII), so permission is required to collect, store and process it in many countries. Because of this, many people may choose not to authenticate themselves using this form of ID because they want to know what is happening to their data.
5. Single point of failure
Finally, employing facial recognition as an authenticator requires asking a closed question, for example, “Is this the user’s face?” It’s a yes or no question, but what happens if the computer or phone doesn’t recognize the user? Often, there is no alternative way for the user to verify and proceed with their user journey (as was the case with Uber), emphasizing the issue of employing facial recognition as a single point of failure.
Unfortunately, when there is a backup plan, it is frequently a retreat to passwords and PINs, which are weak and easily compromised – often why security was stepped up to the seemingly more robust form of facial recognition.
So, what’s the answer? While facial recognition has its place, it must be stacked with additional data points to ensure that the authentication process does not have a single point of failure. Behavioral biometrics is one method of doing so.
Behavioral biometrics such as swiping or typing actions are incredibly difficult to imitate and compromise. Consumers’ physical interactions with their gadgets, such as the angle at which they hold their mobile device, their typing cadence, the pressure they apply, and even mouse movements, are analyzed using machine learning technology.
These inputs create a unique model of a customer’s “typical” behavior and provide comparisons for future interactions. If a customer’s behavior deviates from the expected “average,” the access attempt is flagged as possibly fraudulent and might be escalated, requiring additional authentication, or blocked entirely.
By integrating behavioral biometrics with other intelligence such as device and location data, businesses can ensure there is no single point of failure if something doesn’t look quite right.
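The layering described above can be sketched as a small risk-scoring routine. This is an added example, not code from the article or from Callsign: the typing-interval baseline, the signal weights, the thresholds and every function name are assumptions chosen for illustration, and the behavioral model is reduced to a single feature (mean inter-key interval).

```python
from statistics import mean, stdev

# Constructed enrollment data: inter-key intervals (ms) from one user's past sessions.
BASELINE_MS = [112, 120, 105, 118, 125, 110, 116, 121, 108, 119]

# Illustrative weights and thresholds (assumptions, not values from the article).
W_BEHAVIOR, W_DEVICE, W_LOCATION = 0.40, 0.25, 0.15
FACE_RISK = {True: 0.0, None: 0.10, False: 0.25}  # None = no usable capture
ALLOW_BELOW, BLOCK_FROM = 0.20, 0.70


def cadence_deviation(baseline, observed):
    """How many baseline standard deviations the session's mean interval is off."""
    if len(baseline) < 2 or not observed:
        raise ValueError("need at least two baseline samples and one observation")
    sigma = stdev(baseline)
    if sigma == 0:
        raise ValueError("baseline has no variance; enroll more samples")
    return abs(mean(observed) - mean(baseline)) / sigma


def risk_score(observed, known_device, usual_location, face_match=None):
    """Sum weighted signals so that no single one decides the outcome."""
    behavior = min(cadence_deviation(BASELINE_MS, observed) / 4.0, 1.0)
    score = W_BEHAVIOR * behavior + FACE_RISK[face_match]
    score += 0.0 if known_device else W_DEVICE
    score += 0.0 if usual_location else W_LOCATION
    return score


def decide(observed, known_device, usual_location, face_match=None):
    """Map the score to the outcomes the article names: allow, escalate or block."""
    score = risk_score(observed, known_device, usual_location, face_match)
    if score < ALLOW_BELOW:
        return "allow"
    return "step_up" if score < BLOCK_FROM else "block"


if __name__ == "__main__":
    typical, atypical = [114, 119, 111, 117], [190, 210, 175, 205]
    print(decide(typical, True, True, face_match=None))     # camera failed, rest matches
    print(decide(typical, True, True, face_match=False))    # face rejected, rest matches
    print(decide(atypical, True, True, face_match=True))    # face passes, typing does not
    print(decide(atypical, False, False, face_match=None))  # everything looks wrong
```

A failed or missing face capture does not lock the user out when the other signals agree, and a passing face match does not grant access on its own when typing behavior is far from the baseline.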
Organizations and governments will continue to adopt facial recognition and other static biometric technologies; however, to safely authenticate users without jeopardizing the user experience, organizations should not rely solely on facial recognition as a form of authentication.