Is facial recognition verification really secure enough?

Officially well into the digital age, there is a wave of identity verification technologies sweeping the market, but determining whether one will strike the right balance between security and convenience for the consumer can be tricky.

Traditionally, verifying your identity for a service such as applying for credit, setting up a bank account, or transferring funds is lengthy. Often requiring visits into branch with original documents (e.g. utility bills, bank statements, birth certificate or passport), it is an inconvenient process which can take up a significant amount of time for the consumer (as well as many man hours for the business).

Digital advancements have already influenced a shift in attitudes towards identity verification and processes are beginning to change. Many businesses offer the option to scan and submit documents via a mobile device, eliminating the need to go into store, however this does mean that an additional layer would be required to verify that the user is the owner of that document. The level of importance placed on convenience and efficiency has steadily increased over the recent years, made evident by the introduction of fingerprint scanning by Apple into the consumer market in 2013, and facial recognition in 2017.

A natural progression was to include these methods into banking options, for example utilising biometrics for mobile pay or facial recognition to access online banking, but is this really as secure as it is claimed to be?

A number of financial companies have incorporated facial recognition into their identity verification processes, such as Revolut who request the user to take a selfie in combination with submitting a picture of an official ID card (e.g. driving license), and HSBC who introduced the capability for customers in China to authorize payments, transfer funds, and add new payees to their account via facial recognition.

Where facial recognition falls down

While facial recognition ticks the box of being convenient and user-friendly, there are some questions that cannot be ignored. For example, whether you could pass the facial recognition verification stage without actually being the biometric owner of the claimed identity. It has been demonstrated that it is possible to gain access to a service which requires facial recognition by presenting a photograph of the individual, which could easily have been gained from the internet.

Despite advancements in some facial recognition software – particularly in the new iPhone X which uses infrared sensors and 3D scanners to ensure it cannot be tricked by photographs, Apple has confirmed that their Face ID software would be confused by identical twins, therefore there is still a risk of impersonation fraud.

With this in mind, the sole use of facial recognition to verify a person’s identity is clearly flawed – particularly for accessing anything considered sensitive or high-risk like banking. However, it could be useful as part of a multi-pronged approach.

The Solution

While we have already discussed official documents and biometrics as methods for verifying identity, there is a third method we have yet to mention which is verifying digital data attached to the user. Offering consumers the option to leverage their digital footprint provides an additional level of security without adding friction to the user journey. Through advanced text analytics, solutions such as what Acuant offer analyse the quality, quantity and significance of data in order to corroborate a user’s identity claim in real-time, effectively and efficiently verifying that the user is the owner of the submitted document or selfie.