Are facial biometrics fit for the enterprise?

Enterprises have been exploring biometric authorization for some time, from security to payment processing, law enforcement CCTV systems, even gym entry doors. Biometrics went mass market when smartphone manufacturers introduced fingerprint access from the home screen. In a recent report, Fujitsu noted that 60 percent of smartphones shipped in 2017 had fingerprint sensors and predicted that biometric authentication will become the standard for unlocking and driving vehicles.

Apple recently raised the game with the introduction of Face ID, its biometric face recognition system. Apple insists on a passcode as the primary security protection for its iPhones, with Face ID as a second level of authentication.

You may also encounter facial biometrics while traveling. For instance, Singapore’s newest air terminal offers an almost completely automated check-in, bag drop and immigration system based on face recognition.

Beyond security, Caltech and Disney Research recently revealed research on a facial expression system that tries to figure out if you are enjoying a movie at the theatre; a company called Identix makes a system that can isolate a person’s face in a crowd using CCTV; banks in Macau now use facial recognition at some ATMs; and in China state authorities claim they can find a person in any of their cities in just seven minutes using facial ID.

What are the challenges of facial biometrics?

There are problems around facial biometric security, for example:

  • Apple admits that there is a one in a million chance a random person would be able to unlock your device with a glance
  • That probability is different for twins, similar-looking siblings and children. An identical twin will be far more likely to convince Face ID that they are you, even if they are not you
  • At least two security researchers now claim to have undermined Face ID protection with a mask
  • A device from a competing firm that tried to offer facial biometric security this year was fooled multiple times using photos
  • University of North Carolina researchers have been able to build a 3D model of a person’s head using his Facebook photos. They used this in a lifelike animation that fooled four out of five face recognition tools

It is important to recognize that in Apple’s model, facial biometrics is just one element of overall security protection. You must create and use a passcode alongside Face ID. That code is required before Face ID will function after your smartphone is restarted or after a failed facial recognition attempt.

The implication of this should be clear: for Apple, the primary security technology remains the humble passcode. Face ID (and other forms of biometric ID) are not replacements for the passcode, just convenient companions to help users keep their data safe.

Quantum hacking

At heart, facial biometrics is a three-process technology: enrollment, storage and authentication.

  • Enrollment is the process of “teaching” a system to recognize your face
  • Storage is the process of keeping that data securely in a state to which the system can refer
  • Authentication depends on taking an image of the face and comparing it to an existing database of information about that face

Most existing systems use the 80 generally recognized nodal points on a face. (Apple’s system casts 30,000 infrared dots at your face to get and vet this information about those distinguishing areas.)
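
The three processes and the passcode fallback described earlier can be modelled in a few lines. This is an added example, not code from Apple or any vendor named in the article: the `FaceGate` class, the 4-value feature vectors, the passcode and the 0.35 match threshold are all constructed for illustration. It shows why a near-match such as a twin can pass the comparison, and how one failed match hands control back to the passcode.

```python
import hashlib, hmac, math, os

class FaceGate:
    """Toy model (assumed design): passcode is primary, face match is a convenience."""

    def __init__(self, passcode, threshold=0.35):
        self._salt = os.urandom(16)
        self._pass_hash = self._kdf(passcode)
        self._template = None           # stored feature vector, never a raw image
        self._threshold = threshold     # constructed match distance
        self._passcode_required = True  # state after a restart

    def _kdf(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def restart(self):
        self._passcode_required = True

    def unlock_with_passcode(self, passcode):
        ok = hmac.compare_digest(self._kdf(passcode), self._pass_hash)
        if ok:
            self._passcode_required = False
        return ok

    def enroll(self, samples):
        # Enrollment: average several captures into one template.
        if self._passcode_required:
            raise PermissionError("enter passcode before enrolling a face")
        self._template = [sum(col) / len(samples) for col in zip(*samples)]

    def unlock_with_face(self, probe):
        # Authentication: compare a fresh capture with the stored template.
        if self._passcode_required or self._template is None:
            return "passcode_required"
        if math.dist(probe, self._template) <= self._threshold:
            return "unlocked"
        self._passcode_required = True  # one failed match disables face unlock
        return "passcode_required"

# Constructed 4-value feature vectors standing in for real face measurements.
OWNER = [[0.10, 0.80, 0.30, 0.55], [0.12, 0.78, 0.32, 0.53]]
OWNER_PROBE = [0.11, 0.80, 0.30, 0.54]
TWIN_PROBE = [0.20, 0.85, 0.40, 0.60]      # close to the owner's template
STRANGER_PROBE = [0.90, 0.10, 0.70, 0.05]

def demo():
    gate = FaceGate("493817")
    gate.unlock_with_passcode("493817")
    gate.enroll(OWNER)
    return [gate.unlock_with_face(p)
            for p in (OWNER_PROBE, TWIN_PROBE, STRANGER_PROBE, OWNER_PROBE)]
```

In `demo()` the twin probe is accepted because it falls inside the threshold, the stranger is rejected, and the owner's next glance is refused until the passcode is entered again.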

Secure storage

Storage is another issue, partly because storing people’s faces on enterprise data systems raises challenges around privacy, data protection and data sovereignty. This is no idle threat: hackers in 2015 accessed computers at the U.S. Office of Personnel Management and stole sensitive personal data about over 22 million Americans, including 5.6 million people’s fingerprints. This makes it clear that hackers are already probing biometric security databases, so enterprises investing in biometric systems must be prepared to invest in securing them.

Learning from Apple

The move to biometric in-payment services means many B2C enterprises will need to carefully consider how they choose to support these solutions.

Acuity Market Intelligence (AMI) predicts that by 2022, there will be over 1 trillion mobile transactions verified with biometrics, with a value in excess of $18 billion. MasterCard's Identity Check Mobile service will allow users to scan their fingerprints or take a selfie to validate their identity and make a payment. MasterCard claims 74% of users find biometrics easier to use than traditional passwords.

All the same, when industry leaders decide that the best way forward is to use biometrics in association with passcodes, it seems right to suggest the future of biometric authorization means multiple forms of security protection will coexist.

“The market is evolving towards a hierarchy of integrated biometric authentication methods that range from simple device-based verification to third-party biometric cloud, or server-side solutions,” said Acuity Market Intelligence (AMI) lead analyst, Maxine Most. “These solutions will replace traditional digital identity schemes and provide more secure and reliable identity assurance on a global scale.”


Jon Evans

Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.