Why Facial Recognition Is Not The Best Authentication Method
The world’s biggest tech companies struggle to make facial recognition technology foolproof.
Come July, Indians will be able to authenticate their Aadhaar ID through facial recognition. While it’s intended as another security layer to allay data privacy concerns, the technology is far from foolproof and can’t be used alone.
At least, that’s what the experience of technology behemoths Apple and Samsung suggests. To be sure, even the Unique Identity Authority of India said it will use the feature on a “need basis”, not as a standalone authentication method but along with an iris scan or fingerprints or a one-time password.
It’s the second such security layer that the Aadhaar-issuing authority decided to add after the Tribune newspaper’s investigation revealed that access to the database of unique numbers and addresses was being sold for Rs 500. It comes when the Supreme Court is hearing a batch of petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for public services.
The facial recognition feature is particularly targeted at the old and those with worn-out fingers. The UIDAI in a circular said that the photo taken at the time of Aadhaar enrolment will be used and there’s no need to capture any new reference data. That implies a photo of your face that was perhaps taken years ago on a low-resolution camera will be used for authentication.
The authority highlighted how cameras are now ubiquitous on laptops and mobile phones, making facial authentication by authorised user agencies “easily feasible without needing any additional hardware”.
Implementation will be key, particularly when flaws in the technology have been exposed.
Apple Face ID
Apart from its nearly bezel-less OLED display and hefty price tag, Apple’s anniversary edition iPhone X unveiled last year grabbed the headlines for replacing the Touch ID or fingerprint sensor with facial recognition or Face ID. The tech giant boasted at the launch and in a white paper that it was the safest such implementation on a consumer tech device and there was only a one-in-a-million chance that someone could spoof its facial recognition algorithm on the iPhone X.
The phone’s front TrueDepth camera projects 30,000 dots on the face to create an elaborate 3D map, which gets more accurate each time a user looks at the device. Apple said the device will be able to spot the user and unlock even if a facial feature changes. So, it shouldn’t be a problem if you get a beard, wear a pair of shades or a new cap.
The claims were soon put to test. A Vietnamese cybersecurity firm, Bkav Corporation, came up with an intricately designed 3D-printed face mask to unlock the iPhone X. It worked.
“Security should be approximate to absolute, and AI should only be a supplement, not the sole security base for Face ID like the way Apple is working on,” Bkav’s Chief Executive Officer Nguyen Tu Quang said in a blog. “AI, in any way, is now still human-made and it does at its best based on the experience of its creators and trainers. Thus, anyone who is more experienced than the creator can bypass it.”
It took his firm just a few hours and $150 to come up with the face mask. And the firm still believes that fingerprint is the most efficient mode of authentication.
Samsung: Point to Note
Samsung beat Apple to launching a phone with a facial recognition feature. It didn’t work out too well for the Korean giant either. The Galaxy S8 and the Note 8 could be easily opened with something as elementary as a photo of the device’s owner. But, then again, the company kept two security features intact on the device—iris scanner and fingerprint sensor.
Companies like OnePlus didn’t miss the bandwagon. And while its facial unlock feature works, a company spokesperson told BloombergQuint that it only introduced it for the convenience of its users. That’s because the company moved the phone’s fingerprint sensor to the back of the device and so wanted to ensure customers get an additional way to open the device from the front. It was never advertised by the company as a security feature per se.