October 18, 2016
Uber Technologies, MasterCard and the Alabama Department of Revenue are among the handful of companies and government agencies beginning to use selfies, rather than passwords, as proof of identity. Smartphone cameras now take better-quality photos than before, and facial recognition software is more accessible and affordable, which makes this a new option. But some cybercrime experts are less sanguine, worried that this way of proving identity is riddled with both security and privacy issues.
The Wall Street Journal explains that, “facial recognition is part of the wider field of biometrics — the analysis of human physical characteristics including fingerprints, eyes and voices.”
The process begins with an app that asks the user to snap a photo of herself; software then makes “thousands of facial measurements … and converts them into a string of numbers to create a unique ID code.” The code is then compared to a reference photo, with “a highly probable match [verifying] the person’s identity.”
“People see this technology and presume that it is automatically safe, but in the end, it all just comes down to math,” said “Future Crimes” author/global security consultant Marc Goodman. “There is nothing safer about [facial recognition], except that it rules out the challenges of password management.” In fact, “shadows, low lighting or facial hair” can cripple facial recognition’s accuracy. Google was forced to apologize last year when its Photos app identified two black people as gorillas.
Facial recognition can also be hacked, and “hackers … might find biometric data more valuable — and permanent — than passwords,” since biometrics can’t be altered. The U.S. Office of Personnel Management reports that, “in 2014 and 2015, hackers stole a total of 5.6 million fingerprints of current and former federal employees.” The OPM’s response was that, “federal experts believe that, as of now, the ability to misuse fingerprint data is limited … [but] this probability could change over time as technology evolves.”
Uber will now “periodically ask its drivers to take their own photo before accepting ride requests,” and then will run the selfies through Microsoft’s cloud-based Cognitive Services software. The company says that, although there were some mismatches, due mainly to bad photos used as reference shots, “it was able to verify the identity of 99 percent of its drivers.”
MasterCard’s new app Identity Check Mobile “encourages customers to authenticate themselves with selfies when using their credit cards online.” The program, rolling out in Europe first, sends the customer a text message during a transaction. The text opens an app that “asks the person to look into a digital frame on their smartphone,” and blink “so no one can beat the system by substituting a printed photo.” MasterCard says 92 percent of its customers in the pilot program want biometrics rather than passwords for mobile banking.
Local governments using selfie ID verification include the tax departments of Alabama and Georgia, both of which rely on an app created by MorphoTrust USA. The app compares selfies against photos in the Department of Motor Vehicles database.