Leaving the office last week to grab some lunch, I passed an acquaintance on the way out of the building. I, naturally, smiled and said a friendly hello.
Except it wasn’t an acquaintance. It was someone I’d never met before: Norway’s Prime Minister, Erna Solberg.
This is likely to be a common experience for Ms Solberg, her face instantly recognisable to anyone in Norway that see her frequent appearances in newspapers and on television. Out of that context, people will recognise her and say hello before realising that they don’t actually know her.
This regular faux pas is thanks to the human brain’s incredible recall for human faces – even seeking out faces where there are none, as the ‘Inanimate Objects with Faces’ Tumblr shows.
This recall of faces is thanks to the evolutionary importance of our social networks, giving us brains ‘hard-wired’ to recognise people and link them to their past actions – are they friendly? A threat? So it’s no surprise that facial recognition as an authentication method (also sometimes called ‘selfie authentication’) is gaining popularity as a way to make sure that people prove who they say they are. People understand facial recognition, as they do it every day.
Earlier this year Mastercard introduced a process where a push notification is sent to a user’s phone if they are buying from a participating merchant. The customer is asked to open the Mastercard app and hold their phone up in the traditional selfie pose, though with a little less pouting than normal. They then blink (to prove that they are a person and not a still photo) and take the picture.
It’s an appealing way to prove your identity – passwords can be guessed, PINs stolen, but only you have your face.
Financial services providers who implement this technology do need to be careful – like any authentication technology, there are those who are looking to subvert it for profit. Back in 2011, it was possible to use a simple photo to unlock an Android smartphone. But more recently, a short video featuring a person blinking was good enough to fool a banking app. There was no need for high tech Mission Impossible-style latex masks or the ‘scramble suit’ of Philip K Dick’s ‘A Scanner Darkly’ – a smartphone video was the only thing needed to gain access to a bank account.
The issue with facial recognition is that our face is almost certainly the most public thing about us. We can keep PINs and passwords hidden, and while it’s possible to steal fingerprints, it does require a certain level of subterfuge. Meanwhile our Facebook and Instagram accounts have our faces all over them.
Luckily, facial recognition is more sophisticated than it was, with texture analysis and dynamic perspective techniques ensuring that only real faces can be used to authenticate, and videos and photos can’t be used to subvert the technology. These advances mean that financial services providers can be much more confident in facial recognition as a way to authenticate transactions and access accounts. Facial recognition also has the advantage of using technology that every smartphone has – a camera. Fingerprint sensors may be becoming more widespread, and Samsung’s new iris scanner may impress once the device it’s attached to is no longer likely to explode, but neither will feature on smartphones anytime soon.
Nevertheless, facial recognition alone remains a single factor, and a single factor is never enough for high-risk transactions, whether it’s a face, voice, fingerprint, PIN, or password. Financial services providers need to adopt a different mindset to authentication – the question is not what authentication method should be used to access an account, but what risk is involved in this transaction and what combination of authentication factors gives the right balance between security and usability. So proof of possession of an enrolled smart-phone might be enough for a balance check, but additional verification of your facial biometrics is needed for setting up payments, and PIN is required for cross-border money transfer.
Despite our own day-to-day reliance on facial recognition, it is not on its own the solution to authentication. But it is part of the solution.