23 September 2017
Thomas Jorgensen

Omnichannel banking

Thomas Jorgensen - Encap Security


The Norwegian Prime Minister, facial recognition and risk scoring

27 September 2016

Leaving the office last week to grab some lunch, I passed an acquaintance on the way out of the building. I, naturally, smiled and said a friendly hello.

Except it wasn’t an acquaintance. It was someone I’d never met before: Norway’s Prime Minister, Erna Solberg.

This is likely to be a common experience for Ms Solberg, her face instantly recognisable to anyone in Norway who sees her frequent appearances in newspapers and on television. Out of that context, people will recognise her and say hello before realising that they don’t actually know her.

This regular faux pas is thanks to the human brain’s incredible recall for human faces - even seeking out faces where there are none, as the ‘Inanimate Objects with Faces’ Tumblr shows.

This recall of faces is thanks to the evolutionary importance of our social networks, giving us brains ‘hard-wired’ to recognise people and link them to their past actions – are they friendly? A threat? So it’s no surprise that facial recognition as an authentication method (also sometimes called ‘selfie authentication’) is gaining popularity as a way to make sure that people are who they say they are. People understand facial recognition, as they do it every day.

Earlier this year Mastercard introduced a process where a push notification is sent to a user’s phone if they are buying from a participating merchant. The customer is asked to open the Mastercard app and hold their phone up in the traditional selfie pose, though with a little less pouting than normal. They then blink (to prove that they are a person and not a still photo) and take the picture.

It’s an appealing way to prove your identity – passwords can be guessed, PINs stolen, but only you have your face.

Financial services providers who implement this technology do need to be careful – like any authentication technology, there are those who are looking to subvert it for profit. Back in 2011, it was possible to use a simple photo to unlock an Android smartphone. But more recently, a short video featuring a person blinking was good enough to fool a banking app. There was no need for high-tech Mission Impossible-style latex masks or the ‘scramble suit’ of Philip K Dick’s ‘A Scanner Darkly’ – a smartphone video was the only thing needed to gain access to a bank account.

The issue with facial recognition is that our face is almost certainly the most public thing about us. We can keep PINs and passwords hidden, and while it’s possible to steal fingerprints, it does require a certain level of subterfuge. Meanwhile our Facebook and Instagram accounts have our faces all over them.

Luckily, facial recognition is more sophisticated than it was, with texture analysis and dynamic perspective techniques ensuring that only real faces can be used to authenticate, and videos and photos can’t be used to subvert the technology. These advances mean that financial services providers can be much more confident in facial recognition as a way to authenticate transactions and access accounts. Facial recognition also has the advantage of using technology that every smartphone has – a camera. Fingerprint sensors may be becoming more widespread, and Samsung’s new iris scanner may impress once the device it’s attached to is no longer likely to explode, but neither will feature on smartphones anytime soon.

Nevertheless, facial recognition alone remains a single factor, and a single factor is never enough for high-risk transactions, whether it’s a face, voice, fingerprint, PIN, or password. Financial services providers need to adopt a different mindset to authentication – the question is not what authentication method should be used to access an account, but what risk is involved in this transaction and what combination of authentication factors gives the right balance between security and usability. So proof of possession of an enrolled smartphone might be enough for a balance check, but additional verification of your facial biometrics is needed for setting up payments, and a PIN is required for a cross-border money transfer.

Despite our own day-to-day reliance on facial recognition, it is not on its own the solution to authentication. But it is part of the solution.

 
