Is facial recognition fit for purpose?

Facial login is getting rather trendy, and there's no doubting its allure. It's part of a move towards systems of authentication that require minimal effort which is to say, we want to log in securely, but we don't want the bother of remembering a PIN or pattern, or even go through the hassle of placing a fingertip in the right area. Why do those things when you can simply glance at a system instead?

Yet the excitement around the prospect of just looking at a device to have it unlock is tempered by the fear that face login might not be that secure. Indeed, it's more than just a fear. There are plenty of examples of facial recognition systems being fooled, including simply by using a photo.

It's probably on our phones that most of us are likely to first use face login on a regular basis, and strong security is immensely important on a device that's likely to hold the most sensitive data, including banking apps.

As plain as the nose...

Those who have incorporated facial login into their products are keen to explain the plus points. For example, Apple publishes copious amounts of information about its Face ID system, noting that "the probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID)."

OK, but would you want to be that one in a million who lost out? And that's not applicable for adults with twins or siblings that look like them, or for those under 13 for these groups, Apple doesn't give statistics.

And, as David Emm, Principal Security Analyst at Kaspersky Lab pointed out to us, "The problem with biometrics is that unlike passwords or PIN codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint, iris image or face - if the data is compromised once, it undermines its use for authentication and leaves you open to ID theft."

Establishing liveness

That business of using a photograph to pass face recognition is crucial. There's a concept called 'liveness' that has a vital part to play.

Entersekt develops authentication and mobile app security that's used in 45 countries around the world. Niel Bester the company's SVP Products told us, "Facial recognition software must be able to not only detect the difference between your face and that of another person, but also the difference between your actual face and a picture of your face downloaded from Facebook."

"This ability to identify "liveness" called spoof detection is critical if face login is to be used to protect valuable assets like your bank account," he adds.

Thinking in layers

The key to more secure biometric login is to use your face as part of a mix of different login methods. Robert Capps, vice president, business development at NuData Security Inc., a Mastercard Company, told us that some facial recognition solutions don't offer satisfying results. "The technology is still going through phases of development and adoption it is important always to have a multi-layered authentication solution," says Capps.

Entersekt's Neil Bester agrees there's a need for a layered approach: "There are three factors of authentication, and you want at least two different ones to be present for strong login security. So facial recognition (an inherence factor) can be employed in addition to a PIN (a knowledge factor), or in addition to a unique digital certificate linked to the user's phone (turning the phone into a possession factor)."

"The technology is not impenetrable," he adds. "Biometrics can strengthen login security, but it shouldn't be the only factor (measure) of user authentication."

The future is frictionless but we're not there yet

Biometric data from the face, iris, voice, and even a heartbeat are being used more and more as personal identifiers, and there is general agreement in the security industry that they are the future, where passwords and PINs are the past.

Yet there's some way to go before we have systems that are as foolproof and reliable as we'd like.

Motie Bring, UK general manager for global enterprise eCommerce at Worldpay, believes that multifactor authentication is going to be a reliable middle ground. "Biometrics for payment authentication has been building momentum ever since the launch of Apple's fingerprint technology, but multifactor the use of multiple forms at once is likely to be the way forward.

"Iris scanning, voice and facial recognition are all on the edge of entering the mainstream thanks to their ability to reduce fraud, especially because they can all be done in the background, without the consumer having to actively engage with the activity," he adds.

That future might not be too far away. For today, though, it looks like face login should be regarded as part of the mix, rather than the whole caboodle.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.