Earlier this week, San Francisco’s Board of Supervisors voted to ban the use of facial recognition, the first U.S. city to do so. Local agencies, such as the city’s transport authority and law enforcement, won’t be able to use this emerging technology, and any plans to buy any kind of new surveillance technology must now be approved by city administrators.
Government officials claim that the use of facial recognition will put people’s safety at risk and hinder efforts to fight crime. Opponents to facial recognition argue that these systems are unreliable and error-prone, especially when it comes to recognizing women or people with darker skin. More importantly, critics argue that there’s a very real concern that facial recognition systems infringe on people’s privacy and represents a big overstep by government agencies. Double-plus ungood.
These concerns are not far-fetched.
Already about 200 million surveillance cameras are scattered around China to track big spenders in luxury retail stores, catch identity thieves, prevent violent crime, find fugitives, catch sleeping students in the classroom and even snag jaywalkers. In fact, nearly every one of China’s 1.4 billion citizens is in its facial recognition database.
It was recently discovered that the Chinese government have honed their facial recognition and surveillance systems in Xinjiang for industrial-scale oppression of the Muslim Uighur population, which triggered a wave of international condemnation. These systems sniff of Big Brother because this type of citizen surveillance is usually done at a distance and without the person’s knowledge or consent.
These stories might have you wondering if the use of face-based technologies for identity verification might be in jeopardy. Turns out, there are some key differences between the type of public facial recognition technology San Francisco has banned, and that which a company would use to verify the online identities of their customers for the purpose of fighting financial crime and fraud. Unlike facial recognition, face-based biometrics is permission-based and one-to-one. This means that a single biometric is captured at enrollment (to ensure the person is who they claim to be) and then recaptured to authenticate users for account logins or high-risk transactions.
Why is face-based biometrics needed today?
Sadly, more and more of our digital identities have crept into the dark web thanks to large scale data breaches — think Marriott/Starwood, Quora and Facebook. The dark web has become a safe haven for cybercriminals and fraudsters to buy credit card numbers, bank account details and software that helps them perpetrate account takeovers and identity theft. Driver’s licenses and passports — both real and fake — can also be purchased on the dark web for as little $20. This makes it difficult for online businesses to know with certainty that someone is who they claim to be online or if they’re dealing with a fraudster posing as a legitimate consumer.
We’ve also started to see a rise in spoofing attacks by fraudsters who are using a photo, video or a different substitute for an authorized person’s face in order to acquire someone else’s privileges or access rights. Unsurprisingly, it’s becoming more challenging for any online businesses to separate legitimate customers from cybercriminals masquerading as authentic users.
Unfortunately, traditional authentication methods, such as SMS-based two-factor authentication (2FA) and knowledge-based authentication, are no longer considered best practices because of reliability and security concerns (e.g., phishing attacks, man-in-the-browser exploits, etc.). That’s why modern online companies are also increasingly looking for biometric-based solutions that more reliably establish the online identity of new customers (during the account setup process) and existing users for authentication events — especially high-risk transactions such as wire transfers or password resets.
This is where face-based biometrics steps in.
Given our collective obsession with our smartphones, it’s not surprising that face-based biometrics is now taking the place of fingerprints, PINs and passwords, thanks, in large part, to Apple’s Face ID. Face-based logins from Apple and Samsung are prompting other manufacturers to include the feature in their devices. Estimates by Counterpoint Research suggest that more than one billion smartphones will have some form of a face unlock solution in 2020.
Plus, biometrics are not only far more convenient for consumers than traditional methods of online verification, they are much more secure. They cannot be hacked or duplicated. The data can be kept on the device, rather than on a server or in the cloud, and can remain secure even if the device is stolen.
That’s why it’s important to understand the distinction between facial recognition and face-based biometrics and not draw the wrong conclusions from these recent stories.
There are legitimate concerns that facial recognition systems give unprecedented power to governments to track people going about their daily lives. These systems are one-to-many — they capture your photo remotely, without your knowledge or consent, and then compared it to millions of online photos to develop a profile or track the movements of its citizens.
Face-based biometrics and authentication, on the other hand, are permission-based and provide high levels of security to a user while letting them seamlessly access their own accounts or devices. These systems are designed to protect the business and the user by ensuring that only legitimate users are creating and accessing their online accounts — not some fraudster who has stolen the credentials or ID documents of identity theft victims off the dark web.
That’s a pretty important distinction.