The modern workspace is enduring a momentous amount of change, driven largely by needs associated with digitisation, real-time interaction and improving customer experience.
Mobility is at the heart of this change and the mobile device is seen as the entry point, proving to be an invaluable tool while at the same time creating challenges around security and governance.
Globally, enterprises have been exploring biometric authorisation for some time, from security to payment processing, law enforcement CCTV systems, and even office, building and gym entry doors. Biometrics went mass market when smartphone manufacturers introduced fingerprint access from the home screen.
In a recently released report, Fujitsu noted that 60 percent of smartphones shipped in 2017 were equipped with fingerprint sensors. In the same report, the multinational also predicted that biometric authentication will become the standard for unlocking and driving vehicles in the future.
Apple recently raised the game with the introduction of Face ID, a biometric face recognition system built around the face. Apple insists on using a passcode as a primary security protection to its iPhones, with Face ID as a second level of authentication. Another place you may encounter this technology is while traveling.
For instance, most air terminals are now offering an almost completely automated check-in, bag drop and immigration system based on face recognition.
Being a “window to the soul” according to some psychologists, the human face is a rich source of information about a person. In particular, gender and age are facial traits, which are useful in many practical scenarios. Imagine an automatic vending machine equipped with a simple camera, which prevents minors from buying alcohol or tobacco, or a humanoid robot that uses the proper form of salutation depending on the gender of a person.
Today, automatic gender recognition and age estimation are already broadly used in commerce to profile the customers who are interested in certain products and to eventually target the advertisements. For example, this is the case for border control when an old passport portrait might be aged to better match the actual age of the passport’s owner, or for police applications, when only a juvenile photo of a researched individual is available.
“Facial recognition is now widely preferred over other biometric technologies, due to its non-contact process and easier deployment and now that Apple has introduced this, it would not be long before we see leading industries capitalising on this as an authentication factor” explains Sudhir Juggernath, Head of Orange Applications for Business, at Orange Business Services.
For instance, banks in Macau now use facial recognition at some ATMs; and in China state authorities claim they can find a person in any of their cities in just seven minutes using facial ID.
FNB was the first bank in South Africa to introduce a mini-ATM that uses biometrics as a means of validation for consumers, through it’s TouchPoint solution. TouchPoint validates a customer’s identity by scanning a fingerprint placed on the biometric reader.
This technology will further accelerate the use of facial biometrics to access banking services locally. The TouchPoint device has been successfully piloted in Gauteng since November 2017, with further expansion being seen in various branches, and even in community retailers in rural areas across South Africa. “FNB, in the same breath, released the option to open an account with a selfie; who would have imagined this?” says Juggernath.
To replace South Africa’s manually operated and out-dated Home Affairs National Identity System (HANIS), the automated biometric identification system (ABIS) was introduced. The ABIS was launched in May this year, and offers a single view of citizens across the life cycle and their status change at various stages.
While these examples show positive development in the local space when it comes to this technology – it is important to look at the challenges of facial biometrics.
There are certainly some challenges around facial biometric security that cannot be ignored. For example:
- Apple admits that there is a one in a million chance a random person would be able to unlock your device with a glance.
- That probability is different for twins, similar-looking siblings and children. An identical twin will be far more likely to convince Face ID that they are you, even if they are not you.
- At least two security researchers now claim to have undermined Face ID protection with a mask.
- A device from a competing firm that tried to offer facial biometric security this year was fooled multiple times using photos.
- University of North Carolina researchers have been able to build a 3D model of a person’s head using his Facebook photos. They used this in a lifelike animation that fooled four out of five face recognition tools.
It is important to recognise that in Apple’s model, facial biometrics is just one element to overall security protection. Users create and use a passcode alongside Face ID, and that code is required before Face ID will function if your smartphone needs to be restarted or after a failed facial recognition attempt.
The implication of this should be clear: for Apple, the primary security technology remains the humble passcode. Face ID (and other forms of biometric ID) is not to be seen as a replacement to the passcode, rather a more convenient way to help users keep their data safe.
At heart, facial biometrics is a three-process technology: enrolment, storage and authentication.
- Enrolment is the process of “teaching” a system to recognise your face.
- Storage is the process of keeping that data securely in a state to which the system can refer.
- Authentication depends on taking an image of the face and comparing it to an existing database of information about that face.
Most existing systems use the 80 generally recognised nodal points on a face. (Apple’s system casts 30,000 infrared dots at your face to get and vet this information about those distinguishing areas.)
Storage is an issue, partially because storing people’s faces on enterprise data systems raises challenges around privacy, data protection and data sovereignty.
This is no idle threat: hackers in 2015 accessed computers at the U.S. Office of Personnel Management and stole sensitive personal data about over 22 million Americans, including 5.6 million people’s fingerprints. This makes it clear that hackers are already probing biometric security databases, so enterprises investing in biometric systems must be prepared to invest in securing them. The National Institute of Standards and Technology, in 2017 estimated error rates to be declining by 50% every two years due to improving biometric security and storage technologies.
The move to biometric in-payment services means many B2C enterprises will need to carefully consider how they choose to support these solutions.
Acuity Market Intelligence (AMI) predicts that by 2022, there will be over 1 trillion mobile transactions verified with biometrics, with a value in excess of $18 billion. MasterCard’s Identity Check Mobile service will allow users to scan their fingerprints or take a selfie to validate their identity and make a payment. MasterCard claims 74% of users find biometrics easier to use than traditional passwords.
According to a report released in 2017 by the South African Banking Risk Information centre, credit card fraud rose by 44% in 2017. This could present an opportunity for facial biometric to become part of the payment process in the country.
All the same, when industry leaders decide that the best way forward is to use biometrics in association with passcodes, it seems right to suggest the future of biometric authorisation means multiple forms of security protection will need to coexist.
Security is not all about deploying the right technology; enterprises, people and processes are vital in identifying and preventing modern sophisticated security threats. “The market is evolving towards a hierarchy of integrated biometric authentication methods that range from simple device-based verification to third-party biometric cloud, or server-side solutions,” said Acuity Market Intelligence (AMI) lead analyst, Maxine Most.
“These solutions will replace traditional digital identity schemes and provide more secure and reliable identity assurance on a global scale.”