Companies like Apple and Facebook are pushing facial recognition. But biometrics lack an important attribute of more traditional authentication systems.

Suresh Dakshina, president, Chargeback Gurus

Broadly speaking, proof-of-identity methods come in three forms: something you have, something you know, or something you are. A passport, for example, is something you have and a password is something you know. The third method, something you are, is based on biometrics, technologies that are capable of identifying you based on unique biological features such as your fingerprints, your voice or your face. The question is: what impact will biometrics have on data security? Will widespread facial recognition technology mean the end of privacy as we know it?

Biometric technologies are nothing new – police have been relying on fingerprints for over a century – but today’s top innovators have been pushing the boundaries of what this tech is capable of. Apple and Facebook have both invested heavily in this area, with Apple’s recently announced FaceID for the iPhone X and Facebook’s proprietary DeepFace, a ‘deep learning’ facial recognition system. To the dismay of Apple and Facebook, both of these technologies have been the target of some serious skepticism and concern from consumers and tech insiders alike.

Apple’s FaceID came as a surprise to many, due in part to the success of TouchID, another biometric technology introduced 4 years ago. As CEO Tim Cook said himself during the iPhone X announcement, TouchID “revolutionized security and privacy” and remains the leading technology of its kind. So why has it been removed from the iPhone X?

Despite their new tagline “Your face is your secure password”, Apple isn’t eliminating TouchID because FaceID is more secure (it’s not). They’re eliminating it because they wanted to win the race to make the first ‘edge-to-edge’ display smartphone. Apple abandoned the older authentication process because of the difficulty of embedding a fingerprint sensor beneath the glass screen. Since the announcement, however, digital security experts have pointed out that the new tech is at least as easy to spoof as TouchID by using photos, videos or 3D-printed masks, and that both are arguably easier for attackers to crack than a strong password.


The Impact of Facial Recognition on Consumers

Facebook’s DeepFace and other facial recognition (FR) systems have themselves been the subject of controversy. The ability of social networks and online databases to identify you from a photograph posted on the internet has raised some difficult questions about privacy and data security. But FR has its proponents as well – namely, Australian Prime Minister Malcolm Turnbull who announced plans to use FR as a key component of the country’s counterterrorism efforts.

Let’s face it, FR technologies are going to be part of our lives in some way, shape or form. We think it’s safe to say that in the payments industry, biometric security is an inevitable next step. Most consumers are comfortable with using fingerprint and voice authentication for transactions: a study from Juniper Research finds that 74% and 62% respectively would use these technologies. But facial recognition goes a step too far for most consumers: only 32% trust facial recognition for securing payments.

This question goes beyond just whether or not FR is a secure form of authentication, however. The ability to identify people based on their face alone brings a host of other concerns. FR technologies have a myriad of practical uses, from clearing people at the airport to locating missing persons and identifying known shoplifters via a store’s security cameras. But this data must be stored somewhere and, as anyone who reads the news must know, databases get hacked all the time.

Imagine this: you are at the mall, where the security cameras identify you by your appearance and notify a database in the cloud. A hacker then breaks into the database and cross-references your identity against your driver’s license record to find out where you live. You come home to find that someone, aware the house was empty, has broken in.


Or, in a less overtly criminal example, what if you are in the market to buy a house and you meet with a real estate agent? The moment you walk into the real estate office the cameras, using FR technology, cross-reference your identity to find out your credit score, insurance record, homeowner history and any number of other personal financial details. Would you want your real estate agent to know all this before you’ve even said hello?

The fundamental difference between biometric technologies and the other two approaches – something you have and something you know – is that traditional authentication requires something essentially private. You don’t share your password with anyone and you keep your ID and credit cards hidden in your wallet, but biometrics are public and openly visible. By making it so that your secure password is ‘something you are’, FR technologies remove one of the fundamental aspects of data security: secrecy.

Chargeback Gurus provides fraud-prevention technology that helps e-commerce companies fight chargebacks.