Passwords are passé. Biometrics are the future of authentication technology. That argument is all but over; now the question has moved on to “Which specific biometric technology is best in the business environment?” 

Facial recognition is getting a whole lot of love from hardware vendors lately, with Microsoft building it into Windows with its “Hello” implementation and Samsung introducing native facial unlock for its smartphones with the debut of the Galaxy S8. But how secure is it, really? What are its strengths and weaknesses? And since not all facial recognition software is created equal, which can you trust? And are there better biometric alternatives?

Why facial recognition?

Let’s face it: one of the first ways we learn to differentiate between friend, foe and stranger is by looking at a person’s face. Studies have indicated that babies respond to human faces before they learn to recognize other objects. The face is the primary non-verbal means of expressing emotion. There is even a specific area of the human brain, called the fusiform face area (FFA) that is believed to be dedicated to facial perception; when it’s damaged, a person is unable to recognize familiar faces.

Most humans have the same basic components: eyes, nose, mouth, forehead, chin … and yet – aside from identical twins – it’s rare for two to look exactly alike. Our faces are far more unique than those of other members of the animal kingdom, and scientists speculate that we evolved that way for a reason: we are far more visual. This is a good thing, since otherwise we might have to go around sniffing one another to identify who’s who, as dogs do.

In addition to twins who share the same DNA, occasionally you’ll run across two unrelated people whose faces are remarkably similar. Some say every one of us has a doppelganger, or “double,” somewhere in the world. A more scientific analysis, however, places the probability of an eight-point match at lower than one in one trillion. Even with identical twins, if you look very closely, there are physical differences (this is the reason mothers of identicals are often able to tell them apart, even without vocal and behavioral cues).

When it comes down to it, then, our individual faces can be considered technically unique, even though two may be close enough to the same to fool most observers. Unique characteristics form the best basis for verifying a person’s identity, so facial recognition is a natural in this regard.

Many device makers are now beginning to incorporate facial authentication due to the convenience factor; it’s simply easier to look at a camera than to position your finger correctly on a fingerprint scanner, which in turn is a lot easier than typing in a username and password, especially on a tiny phone keyboard.

Facial recognition makes use of hardware that the vast majority of phones, and now most tablets and laptops, already have: the camera. This makes it relatively easy to add the feature without much additional cost.

Many people also see facial recognition as less invasive and thus less of a privacy issue than fingerprinting. Since we show our faces in public all the time, having our facial features stored in a database doesn’t (at least for some) raise the same concerns as having our fingerprints “on file.” For all these reasons, face-based authentication is growing in popularity.

Popular implementations

Over the years, a number of computer vendors have tried facial recognition as a means of authentication. Lenovo, Asus and Toshiba all had facial recognition systems (Veriface, Smart Login and Toshiba Face Recognition) on some of their computers as long as a decade ago. Not until recently, however, has the idea really started to catch on.

Samsung’s just-released Galaxy S8 and S8+ smartphones tout facial recognition as one of their exciting new features, but it has already come under fire from both sides: those who say it doesn’t unlock their phones for them and those who say it will unlock the phones too easily and can be fooled just by holding up a photograph of the authorized user to the phone’s camera.

I tried out the feature “just for fun” when I got my S8, and found that both complaints had validity. It was very unreliable (and slow) about recognizing my face, and I did indeed get it to unlock once with an 8×10 head shot of myself, although it didn’t work with smaller photos such as my passport picture.

The Smart Lock facial recognition feature isn’t limited to the S8 phones. It’s built into Android and is also available on Chromebooks.

Microsoft’s Windows Hello on my Surface Pro 4, on the other hand, works very well – even in low light situations, when I have my hair arranged differently, and whether or not I wear my glasses. I’ve had zero false positives; it rejects even the face of my daughter, who looks a lot like me, and my attempts to authenticate using the same 8×10 photo, and numerous other photos, all failed.

I use Hello every day, and really appreciate the convenience of being able to sit down at my computer, look at it, and get the “Welcome” message indicating I’ve been recognized. I’m not the only one who has found it impressive, either. That said, I work at home where physical access is completely controlled. If I were in a high risk environment, or if I had highly sensitive data on the device, I would switch to a more secure method of unlocking the computer (and in fact, have done so when traveling).

These are only a couple of the devices that are coming out with facial recognition support, and my experience with the two shows that some implementations definitely work better than others. I expect the technology to improve as it matures, but it still has a way to go before we can consider it the best biometric authentication method. Before we look at the current flaws, though, let’s take a brief detour to explore how facial recognition works.

How does facial recognition work?

The neuroanatomy of facial processing by the brain is much too complicated to address here, but suffice it to say it involves many more areas working along with the FFA. Computer software processing of facial features is easier to explain and understand. Typically, an image of the face is compared to images stored in a database, using one of several methods that include geometric or photometric algorithms. Three-dimensional sensors can be used to capture more information and improve accuracy.

Although the concept in some form has been around for decades, facial recognition as a means of biometric authentication is just recently finding its way into the mainstream, after many years during which fingerprint authentication reigned supreme in that arena.

Facial recognition software typically uses something called an eigenface, which is a numeric representation of the face derived from measurements and shapes of the facial features. This is stored on the device or on a smart card or token. When a user then attempts to log on, the software goes through the same process and compares the new eigenface with the stored file to verify identity and authenticate the user.

The basic steps in face-based authentication include:

  1. Image capture
  2. Face detection
  3. Feature extraction
  4. Comparison/Match

There are a number of different approaches that can be taken: geometric (based on distances and angles), principal component analysis (uses eigenvectors and eigenvalues), independent component analysis and linear discriminant analysis (appearance-based approaches that are similar to PCA), local feature analysis and local binary pattern methods, as well as 3D face recognition.

Delving into the technicalities of each is beyond the scope of this article. Whatever the method, it’s important to be aware that facial recognition, like any other means of authenticating identities, has its drawbacks along with its advantages. Accuracy can be affected by such factors as lighting, the quality of the camera used to capture the image, the image processing software, and more. Most of these can result in false negatives – authorized users not being recognized. But the more worrisome issue is false positives – allowing unauthorized users to gain access.
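To make the comparison/match step and the false-negative versus false-positive trade-off concrete, here is a small added example (not code from the article or from any vendor mentioned in it). It runs the geometric approach on hand-constructed feature vectors, with the capture, detection and extraction steps assumed to have already happened; the four features, their units, the distance thresholds and the `min_depth` stand-in for a 3D/IR liveness check are all constructed assumptions.

```python
import math

# Constructed geometric feature vectors (inter-eye distance, eye-to-mouth
# distance, nose width, face width) in normalized units. A real system
# derives these from steps 1-3 (capture, detection, feature extraction);
# here they are hand-constructed so the matching step can run offline.
ENROLL_SAMPLES = [
    (1.00, 1.50, 0.40, 2.00),
    (1.02, 1.48, 0.41, 2.02),
    (0.98, 1.52, 0.39, 1.98),
]

def enroll(samples):
    """Build the stored template as the per-feature mean of the enrollment captures."""
    n = len(samples)
    return tuple(sum(s[i] for s in samples) / n for i in range(len(samples[0])))

def match_score(template, probe):
    """Euclidean distance between template and probe; lower means a closer match."""
    return math.sqrt(sum((t - p) ** 2 for t, p in zip(template, probe)))

def verify_2d(template, probe, threshold):
    """Accept when the probe lies within the distance threshold (2D features only)."""
    return match_score(template, probe) <= threshold

def verify_3d(template, probe, depth_range, threshold, min_depth=1.0):
    """Same match plus a depth check standing in for the 3D/IR sensing the article
    mentions: a flat photograph shows (almost) no depth variation across the face."""
    return depth_range >= min_depth and verify_2d(template, probe, threshold)

def far_frr(template, genuine, impostors, threshold):
    """False accept rate and false reject rate of the 2D matcher at one threshold."""
    fa = sum(verify_2d(template, p, threshold) for p in impostors)
    fr = sum(not verify_2d(template, p, threshold) for p in genuine)
    return fa / len(impostors), fr / len(genuine)

# Constructed probes: the genuine user under good and poor lighting, a look-alike
# relative, a stranger, and a flat photograph of the genuine user (zero depth).
GENUINE = [(1.01, 1.49, 0.40, 2.01), (1.06, 1.44, 0.43, 2.08)]
IMPOSTORS = [(1.04, 1.47, 0.42, 2.05), (1.20, 1.30, 0.50, 2.30)]
PHOTO = ((1.00, 1.50, 0.40, 2.00), 0.0)

if __name__ == "__main__":
    template = enroll(ENROLL_SAMPLES)
    for thr in (0.05, 0.15):
        far, frr = far_frr(template, GENUINE, IMPOSTORS, thr)
        print(f"threshold {thr}: FAR={far:.2f} FRR={frr:.2f}")
    print("photo, 2D only:", verify_2d(template, PHOTO[0], 0.05))
    print("photo, with depth check:", verify_3d(template, *PHOTO, 0.05))
```

Tightening the threshold drives false accepts down but rejects the poorly lit genuine capture, loosening it admits the look-alike, and no threshold on 2D features alone rejects the photograph; only the added depth check does.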

Is it secure enough?

Now we get down to the crux of the matter: how secure is facial recognition as an authentication method? Obviously, based on the fatal flaw in Samsung’s Smart Lock feature mentioned above, in at least some cases the answer is: not very. But can it be made to be secure enough for your business?

In answering that question, you have to ask another: how secure is secure enough? That’s going to depend on a number of variables, such as the environment in which your users use their devices and the nature of the data stored on those devices and/or accessible via those devices’ connections to the cloud. The second part of the answer is that it depends on the implementation of facial recognition being used.

Microsoft claims their Windows Hello software can even distinguish between identical twins. It reportedly uses infrared to map the ridges in the skin. Other sophisticated systems use 3D and map your bone structure, making it impossible to fool them with a flat photo.

Of course, when our faces become our passwords, we need to consider that we are, in essence, sharing our password with the world anytime we let someone take our picture or post a selfie on Facebook. A determined hacker may be able to use multiple photos to construct realistic three-dimensional images that can fool even the better facial recognition systems. On the other hand, traditional passwords are breached all the time.

When a high level of security is required, no single-factor authentication method is enough. The safest way to use facial recognition or other biometric authentication is in combination with a password or PIN. Unfortunately, this negates some of the convenience that makes facial recognition attractive to users in the first place. It does still address some of the drawbacks of other multi-factor methods such as tokens and smart cards, since the user can’t literally lose face.