This article in ITPro considers the limited security associated with facial recognition and then goes on to determine that the future is in multifactor biometrics, but fails to recognize how behavioral biometrics could strengthen all biometrics:
“That business of using a photograph to pass face recognition is crucial. There’s a concept called ‘liveness’ that has a vital part to play.
Entersekt develops authentication and mobile app security that’s used in 45 countries around the world. Niel Bester the company’s SVP Products told us, “Facial recognition software must be able to not only detect the difference between your face and that of another person, but also the difference between your actual face and a picture of your face downloaded from Facebook.”
“This ability to identify “liveness” – called spoof detection – is critical if face login is to be used to protect valuable assets like your bank account,” he adds.
Thinking in layers
The key to more secure biometric login is to use your face as part of a mix of different login methods. Robert Capps, vice president, business development at NuData Security Inc., a Mastercard Company, told us that some facial recognition solutions don’t offer satisfying results. “The technology is still going through phases of development and adoption – it is important always to have a multi-layered authentication solution,” says Capps.
Entersekt’s Neil Bester agrees there’s a need for a layered approach: “There are three factors of authentication, and you want at least two different ones to be present for strong login security. So facial recognition (an inherence factor) can be employed in addition to a PIN (a knowledge factor), or in addition to a unique digital certificate linked to the user’s phone (turning the phone into a possession factor).”
“The technology is not impenetrable,” he adds. “Biometrics can strengthen login security, but it shouldn’t be the only factor (measure) of user authentication.”
The future is frictionless – but we’re not there yet
Biometric data from the face, iris, voice, and even a heartbeat are being used more and more as personal identifiers, and there is general agreement in the security industry that they are the future, where passwords and PINs are the past.
Yet there’s some way to go before we have systems that are as foolproof and reliable as we’d like.
Motie Bring, UK general manager for global enterprise eCommerce at Worldpay, believes that multifactor authentication is going to be a reliable middle ground. “Biometrics for payment authentication has been building momentum ever since the launch of Apple’s fingerprint technology, but multifactor – the use of multiple forms at once – is likely to be the way forward.
“Iris scanning, voice and facial recognition are all on the edge of entering the mainstream thanks to their ability to reduce fraud, especially because they can all be done in the background, without the consumer having to actively engage with the activity,” he adds.
That future might not be too far away. For today, though, it looks like face login should be regarded as part of the mix, rather than the whole caboodle.”
Behavioral biometrics could strengthen most other biometric use cases. It can detect how the phone is held while taking a selfie or when repeating a phrase for voice id, or even when pressing on the fingerprint reader. It can measure your gait, recognize your hand tremors and how your fingers twitch. It can even present a challenge, such as moving the cursor, to see if your response is the same. Multifactor biometrics will win out and behavioral biometrics will add layers of complexity that will stymie criminals for several years.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the quoted story here