Simple face-based 2D biometrics has its weaknesses - but 3D video could be more fool-proof to stop fraudsters
It has revolutionised the way we log into smartphones and Apple Face ID is set to be rolled out to more devices – but questions marks remain over the level of security it provides. Reinhard Hochrieser, vice-president of product management at identity verification company Jumio, discusses how the facial recognition technology could be improved in identity-proofing.
Since its inception in 2017, Apple Face ID has completely changed how users access their mobiles.
Arguably, it is one of the most revolutionary features Apple has introduced in the last three years and helped improve Apple’s security significantly.
Face ID has allowed users to be secure in the knowledge their personal mobile devices now have more protection than other products or applications on the market, which typically only use a traditional password, PIN number or memorable question as their level of protection.
All of which have been compromised in the last 18 months, following cyber-attacks on major websites such as Facebook, Quora and Marriott, that have resulted in billions of consumers having their personal information published on the dark web.
However, Face ID still has its limitations and pitfalls that can be abused by cyber-criminals.
How does Apple Face ID work?
When the user first accesses their new iPhone, Apple uses a TrueDepth camera to capture an image of the users’ face and assigns it to their personal Apple ID, their email address.
Apple then transforms this “selfie” into a mathematical representation that is stored on the user’s device, rather than in a central cloud database.
This storage solution is one of the primary reasons Face ID is so secure.
With Apple not having access to this image, would-be cyber-criminals can’t retrieve a whole bank of images should they break into its system.
Unlike with the recent FaceApp phenomenon, whereby images and subsequent data is owned by the makers of the app and associated with the individual’s name.
This ultimately makes these images susceptible to abuse by cyber-criminals, should they successfully obtain this information from the app makers in the future.
Following the initial identification process on the iPhone, the user’s initial selfie is stored on the device, and future access to the device is only possible though the analysis of the live image compared to the stored mathematical copy of the original image.
The benefits of the TrueDepth camera is its ability to analyse a 3D image, rather than a simple 2D image, which is the limit of other verification cameras.
TrueDepth’s ability to factor in depth sets it apart and provides that extra level of security to Apple product users.
So where do the weaknesses lie in the Apple Face ID security?
Putting aside the benefits, there are a number of weaknesses of Face ID, primarily with the initial verification stage.
At set-up, users associate their selfie with their Apple ID – their email address.
But what stops a fraudster from using someone else’s email address to set up a phone?
By not having a government-issued ID associated with an account, there is no trust anchor for an account to validate who the user says they are.
Ultimately, this allows a fraudster to use someone else’s email address to access an iPhone and any subsequent apps.
What’s more, with financial organisations starting to adopt Face ID as a way of authenticating the user and Face ID being the primary way of validating an Apple Pay purchase, these fraudsters can make purchases using their own face – but someone else’s email address.
Of course, this is a high-risk method of fraud, as the cyber-criminal is continuously taking a photo of their face.
But with no cloud database storing these images, it is still hard to be caught.
How to ensure security in identity verification
Simple face-based biometrics has its weaknesses. Take two identical twins and a simple face-based biometric system, and the system may authenticate the wrong twin and allow them access to a device or account.
However, it is very rare these twins are entirely identical.
Perhaps they appear to be in a 2D image, but a 3D live video will showcase their subtle, but permanent, differences.
Using liveness detection technology and a trust anchor – in this case a government-issued ID – a user can be validated and the company can be sure that they are who they say they are.
Although a vital part of the ongoing authentication process, sadly the majority of financial institutions still rely on traditional authentication processes for customer identity proofing such as KYC and 2FA – which we know are not capable of providing the security needed. Especially for high-risk financial transactions.
Apple Face ID is an improvement, yes. But, without a trust anchor, would-be cyber-criminals are able to hijack the identity verification process at the outset and use their own faces for future authentication, thus mitigating the security features of Apple’s Face ID.