The Pragmatist’s Approach to the Application of Facial Recognition
Biometric authentication has benefits and drawbacks. A layered verification approach works well to cover for its shortcomings.
Biometric authentication has been making headlines for years as a way to bring convenience and stronger security to authentication. Fingerprint, iris, and facial recognition are now widely used for access control on smartphones, computers, and even cars. However, no authentication factor, biometrics included, is a silver bullet: organizations must take a layered approach to account security.
There are two main types of facial recognition system: one-to-many (1:N) identification and one-to-one (1:1) verification. This post focuses on 1:1 verification, which compares the submitted biometric data against a single enrolled template to determine whether a person is who they claim to be; it is the mode most often applied to digital authentication. One-to-one verification is generally more accurate and has a lower false match rate than one-to-many identification.
Facial recognition has many benefits: it is fast and easy, reduces user friction, adds account security, and is contactless, a critical feature in a post-pandemic world. Some, however, regard the technology as a standalone solution, and that can leave organizations exposed.
The unfortunate reality is that all systems are hackable. This is why taking a layered approach to account security, with each layer providing a different defense, is a best practice when defending against account takeover.
Below I’ll explore the accuracy of facial biometric authentication and recommend complementary signals that work well to strengthen biometric account security strategies.
While facial biometrics are generally reliable, they can be affected by factors such as poor lighting or changes in a person's appearance. These reliability issues lead to the most significant drawback of facial biometrics: the system sometimes fails to identify a person accurately. Accuracy is measured with metrics such as the false match rate and the false non-match rate.
A false non-match occurs when the system fails to recognize a person's face, even though it should have been able to do so. A false non-match can happen for various reasons, such as poor lighting, changes in a person's appearance over time, or the use of disguises.
A false match, on the other hand, occurs when the system mistakenly accepts another person's face as a match. False matches can happen when the two faces are similar, for example in facial features or hairstyle. As a consequence, a false match can lead to fraud.
Let’s look at the metrics. For 1:1 authentication, NIST reports that facial biometrics for wild images (closest to a real-world mobile authentication scenario) had a False Match Rate (FMR) of 0.01% (1 in 10,000) with a 3% False Non-match Rate (FNMR) or False Rejection Rate. It's important to consider that the NIST test represents the best-case scenario, which is that the pictures are of the best possible quality, so these metrics represent the theoretical maximum accuracy of the solution.
For comparison, Incognia conducted a study that found its location verification solution achieved an FMR of 1 in 17 million, which is 1,700 times more accurate than facial biometrics using wild images (the dataset that most closely simulates real-world scenarios). Compared to the best facial recognition result using the VISA image database, which is a more well-taken photo with perfect lighting conditions and high resolution, location verification was 17 times more accurate with ten times better false non-match rate.
Practically speaking, the results delivered in a production scenario are what matters and are subject to change depending on the attack vectors faced. But practical accuracy is directly related to theoretical accuracy because it determines how hackable a solution is. The lower the accuracy of an algorithm, the easier it is for an attacker to create a model that can bypass it.
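To make the two error metrics concrete, here is an added example (not code from the original post or any vendor) that measures FMR and FNMR for a 1:1 verifier at a similarity threshold and picks the operating point that meets a target FMR. The score lists are constructed; the matcher, the [0, 1] similarity scale and the accept-if-score-at-or-above-threshold rule are assumptions.

```python
"""FMR and FNMR of a 1:1 face verifier at a chosen similarity threshold.

Added example, not code from the original post or any vendor. The scores are
constructed: an assumed matcher returns a similarity in [0, 1], and the
verifier accepts the identity claim when score >= threshold. Genuine scores
compare a probe with the same person's enrolled template; impostor scores
compare it with a different person's template.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample scores. A real evaluation uses thousands of labelled pairs.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.64, 0.90, 0.86, 0.79]
IMPOSTOR = [0.12, 0.33, 0.41, 0.58, 0.27, 0.19, 0.66, 0.22, 0.35, 0.48]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    fmr: float   # impostor pairs accepted / all impostor pairs
    fnmr: float  # genuine pairs rejected / all genuine pairs


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> ErrorRates:
    """Measure both error rates at one operating point."""
    false_matches = sum(1 for s in impostor if s >= threshold)
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold,
                      false_matches / len(impostor),
                      false_non_matches / len(genuine))


def threshold_for_target_fmr(genuine: Sequence[float], impostor: Sequence[float],
                             target_fmr: float) -> Optional[float]:
    """Lowest observed score that keeps FMR <= target_fmr.

    Raising the threshold lowers FMR (harder for an impostor) but raises FNMR
    (more genuine users rejected), so this picks the most user-friendly
    operating point that still meets the security target. Returns None when no
    observed score meets it (e.g. target 0 while the top score is an impostor's).
    """
    for t in sorted(set(genuine) | set(impostor)):
        if error_rates(genuine, impostor, t).fmr <= target_fmr:
            return t
    return None


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7):
        r = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FMR {r.fmr:.0%}  FNMR {r.fnmr:.0%}")
    print("threshold for FMR <= 10%:", threshold_for_target_fmr(GENUINE, IMPOSTOR, 0.10))
```

On this tiny constructed set the two rates trade off sharply between thresholds 0.6 and 0.7; the NIST figures quoted above come from the same kind of measurement on large, high-quality image sets.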
In a recent article about the security of biometric systems featured in The Computer World, columnist Evan Schumann takes a hard line. He begins his essay with strong statements, including "biometrics are falsely seen as being very accurate" and "the only universally positive thing to say about them is they're better than nothing." He bases his argument on a report published by Roger Grimes, a defense evangelist at KnowBe4 and the author of over 30 books on cybersecurity. In the article, Grimes discusses the National Institute of Standards and Technology (NIST) evaluation ratings for biometric systems.
He writes, "So far, none of the submitted candidates come anywhere close," summarizing the NIST findings. "I have been involved in many biometric deployments at scale. We see far higher rates of errors — false positives or false negatives — than even what NIST is seeing in their best-case scenario lab condition testing. I routinely see errors at 1:500 or lower."
Evan concludes his article by saying, "In short, biometrics is a fine convenience. As a security defense, most of today’s implementations don't cut it."
Whether or not you accept those numbers, there are real and present threats to accounts that rely on biometric authentication as a single factor. Attackers may attempt to spoof facial biometrics, even when liveness detection is in place, in several ways, including:
- Presentation attacks: Presentation attacks on facial recognition systems involve attempting to deceive the system with fake or manipulated images rather than live faces. These are directly related to biometric systems' accuracy and liveness detection processes.
- Injection attacks: Injection attacks on facial recognition involve introducing fake or manipulated data into the facial recognition system to deceive or disrupt its operation. Similar to presentation attacks, these are also related to biometric systems' accuracy and liveness detection. Injection attacks are also easier to carry out in a remote authentication scenario, such as authenticating to mobile apps.
- Man-in-the-middle (MiTM) attacks: These involve social engineering the victim into clicking a malicious link or using a rogue website or app that relays to the victim's intended site. Once the biometric information is shared, the rogue site forwards it to the attacker, who can submit it to the legitimate website or app. Remote biometric authentication solutions are more susceptible to MiTM attacks.
- Breach of vendor database: This involves directly attacking the database of the biometric authentication vendor to access sensitive user data.
Complementary authentication factors for increased security
For most account security, a layered approach is critical. While biometrics undeniably offer enhanced protection, they should not be used as a single authentication factor and are more robust when combined with other authentication methods. Risk-based signals such as location verification, behavioral biometrics, and device fingerprinting complement biometrics well. Seamlessly integrating diverse forms of authentication into your application lets you maintain strong account protection while optimizing the user experience.
Consider the following complementary signals:
- Location verification: Location verification is a process used to confirm a device's or person's physical location. It is often used for security purposes, such as verifying that a person is who they claim to be or ensuring that a device is being used in an authorized location. Another key aspect of location verification is that it is continuous, which makes it increasingly difficult for attackers to impersonate the user. This method offers the highest accuracy compared to the other factors.
- Device fingerprinting: Mobile device fingerprinting is a technique used to identify and track internet-enabled mobile devices, such as smartphones and tablets, by collecting and analyzing the device's unique characteristics. This is often used for security purposes, preventing fraud or unauthorized access to online accounts.
- Behavioral biometrics: Mobile behavioral biometrics uses unique behavior patterns on a mobile device, such as how a user swipes or types on the screen, to verify the user's identity. It may be more expensive to implement and maintain than other verification methods because its lower accuracy requires long tuning cycles.
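The following added example (not code from the original post) shows what layering does to the error rates in numbers, using the figures quoted above. It assumes the layers fail independently, and since the post gives no FNMR for location verification, that value is an assumed placeholder.

```python
"""Error rates of a layered verification built from independent factors.

Added example, not code from the original post. FACE uses the NIST 1:1
"wild images" figures quoted above (FMR 1 in 10,000, FNMR 3%); LOCATION
uses the quoted FMR of 1 in 17 million. The post gives no FNMR for
location verification, so 0.01 is an ASSUMED placeholder. Independence of
the layers is also an assumption: signals that fail together (for example,
all collected from one compromised device) do not multiply this cleanly.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Factor:
    name: str
    fmr: float   # probability an impostor is accepted
    fnmr: float  # probability the genuine user is rejected


FACE = Factor("face 1:1", 1 / 10_000, 0.03)
LOCATION = Factor("location", 1 / 17_000_000, 0.01)  # FNMR assumed


def require_all(factors: Sequence[Factor]) -> Factor:
    """Accept only when every layer accepts.

    An impostor must beat every layer, so the FMRs multiply; a genuine user
    is rejected if any single layer rejects, so FNMR grows with each layer.
    """
    fmr, genuine_pass = 1.0, 1.0
    for f in factors:
        fmr *= f.fmr
        genuine_pass *= 1.0 - f.fnmr
    return Factor(" AND ".join(f.name for f in factors), fmr, 1.0 - genuine_pass)


def require_any(factors: Sequence[Factor]) -> Factor:
    """Accept when any layer accepts (a fallback policy).

    Friendlier for genuine users, but an impostor only needs to beat the
    weakest layer, so FMR is never lower than the worst factor's.
    """
    impostor_reject, fnmr = 1.0, 1.0
    for f in factors:
        impostor_reject *= 1.0 - f.fmr
        fnmr *= f.fnmr
    return Factor(" OR ".join(f.name for f in factors), 1.0 - impostor_reject, fnmr)


if __name__ == "__main__":
    for combo in (require_all([FACE, LOCATION]), require_any([FACE, LOCATION])):
        print(f"{combo.name}: FMR 1 in {1 / combo.fmr:,.0f}, FNMR {combo.fnmr:.2%}")
```

Requiring both layers drives the false match rate far below either factor alone at the cost of a slightly higher false non-match rate, while accepting either layer gives up most of that security gain.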
Overall, the specific security systems used in combination with facial biometrics will depend on the particular needs and requirements of the situation. Biometric authentication is widely used and, when implemented correctly, can be a solid layer of security. However, no one factor should be considered the silver bullet for account security. A layered approach that uses multiple factors, including biometrics, is the best way to protect your accounts.