The security and privacy risks of face recognition authentication

Face recognition authentication
Credits: Reuters/Stephen Lam

In its latest product event, with the launch of FaceID, Apple made it clear that it’s transitioning toward making face recognition the principal method to unlock phones, and it will be ditching fingerprint authentication in its favor. Other manufacturers are making similar moves, including Samsung and Qualcomm, the smartphone chipmaker.

There’s a clear benefit to using your face to identify yourself: It’s fast and convenient. All you need to do is show your face to your phone’s camera to unlock it. In the case of Apple’s new flagship phone, you don’t even need to press a button; it will automatically detect your face as soon as you’re within the selfie camera frame.

Face recognition spares you remembering yet another passcode, and it’s certainly easier to use than pressing your thumb against the fingerprint sensor. However, more convenient does not necessarily mean more secure and private. In fact, in most cases, there’s a tradeoff between ease of use and security.

And facial recognition authentication is no exception to the rule. While the new generation of face recognition technologies are far more secure than their precedents, they have security and privacy implications you should know before you decide to select it as the main method to secure the sensitive information you store on your phone.

Identity theft

Passwords are secrets. Unless you’re extremely careless, you don’t leave them lying around or print them on your forehead, or use a string that can easily be guessed.

The same can’t be said about your face however. It’s always there for everyone to see. In fact you’re using it to authenticate and identify yourself among friends, family and coworkers all the time. Facial recognition works very well in real life because it’s always combined with other factors such as verification of voice and knowledge. Only professional con artists like Arya Stark can trick others into believing they’re someone else.

In the digital world, things are much different. Face recognition authentication appeared as early as 2009, but quickly proved to be unreliable. Hackers were able to circumvent face locks with little more than a printed picture of the account holder. Later generations of the technology incorporated “liveness” checks. But that too was easy to bypass.

The newest version of the technology, as featured in new iPhones, uses 3D depth maps to register and verify the physical features of the device holder. This new safeguard is considerably harder to fool and requires hackers to reproduce a physical representation of a target’s face. But it’s not impossible.

Forced activation

Let’s say you’re being held captive by criminals who want to force you to unlock your smartphone. If it’s locked with a passcode, they would need to force you to spell it out. For fingerprint locks, they would need to force you to press your finger against the sensor. For face recognition, they just need to hold the phone in front of your face.

Apple’s FaceID uses machine learning algorithms to analyze your expression whenever it sees your face to determine whether it’s an authentic unlock attempt. It won’t work if you’re not awake or conscious and not facing the phone.

However, Apple recognizes that face locks might be bypassed beyond the user’s will. That’s why it prevents siphoning data from a phone unlocked with FaceID unless the user enters the associated PIN code.

Data privacy

Privacy issues are among the contested topics of face recognition authentication. Where is your face data stored? Who else can access it? What else will it be used for? These are questions you have to answer before using a facial recognition authentication technology.

To be fair, if you’re an avid—and somewhat careless—internet user, there’s a likely chance that your face is already there for the taking on your social media profiles, and no company will need your mugshot. Also, anyone with a hi-res smartphone will be able to take your picture from a safe distance. However, the new 3D maps that FaceID stores might prove to be valuable data that government agencies and cybercriminals would want to lay hands on.

FaceID has another unique privacy concern. It works in an “always on” manner. It will automatically activate when it sees your face and doesn’t require a button press. This means that like Amazon’s Echo it’s constantly watching through your selfie camera. How much of that live data it stores and where it stores it is another privacy question that needs to be answered.

If your facial data is stored in a cloud server, third parties will be able to access it, with or without your authorization. Fortunately for Apple, it stores everything on the Secure Enclave of the iPhone, the encrypted hardware component that proved its mettle against government-level intrusion. It will also be solely using it for authentication purposes and doesn’t plan to make other uses of it—yet.

Future considerations

For the moment, facial recognition is being marketed as the next generation authentication technology. But it has other very tempting uses, especially as the competition between major tech companies moves from the virtual to the physical world. As they become omnipresent everywhere you go, tech companies such as Apple, Amazon and Google will want reliable ways to identify you and provide your with targeted information.

For the moment, a mobile device is the best thing that can determine your identity. But it will require you to carry it, turn it on and install a specialized app on it. By being able to identify you by your ever-present ID card—your face—tech companies will no longer need a hardware token.

Final word

My personal opinion: If you’re a security and privacy freak (like me), or if you have reason to worry to become a person of interest (e.g. if you’re an activist or investigative journalist), you’re better off using a strong passcode.

Otherwise, for the moment, it’s safe to say that new facial recognition technologies are safe and secure for average consumers. We’ll need to wait to see if it will remain so in the future.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.