Authentication and Identification with Face Recognition

Authentication makes sure a user is who they claim to be. It is based on any of the following components:

  • Something you know, e.g. password or PIN
  • Something you have, e.g. key or token
  • Something you are, e.g. fingerprint or face

Biometric authentication is based on something you are, e.g. fingerprint, iris, retina, voice, hand geometry, or face recognition. Many of these have been used for a long time, and they still have unused potential.

Strong authentication (also 2- or multi factor authentication, 2FA, MFA) is commonly used with biometrics. It means that at least two of the above mentioned components are simultaneously used for authentication. The second component is usually a password.

The next big thing in biometrics is face recognition.

Face Recognition Authentication

Face Recognition Goes Mainstream

With Apple’s new iPhone X, face recognition will become mainstream, allowing the user to unlock the phone by just looking at it. Apple claims that their face recognition is 20X more secure than fingerprint scanning, while also faster. Many phone manufacturers have their own versions of face recognition, but Apple claims only their version gives a desired level of security. Microsoft has also unveiled their biometric authentication technology, Windows Hello. It works much like Apple’s face recognition, and it also supports iris and retina scanning.

There are many examples of face recognition possibilities. For instance, it will speed up London Heathrow Airport security controls. It can also be used to authenticate payments, open physical doors, and log you on to a laptop — as well as automatically lock the laptop when leaving the desk. Possibilities are endless.

Concerns with Face Recognition

New technology rarely comes without concerns. In the iPhone launch event, the facial recognition demo failed and didn’t unlock the phone. This obviously raised concerns whether the whole technology is mature yet. Apple said the failure was actually a feature; other people had played with the phone backstage, so it reverted to password authentication.

Iris recognition and many face recognition methods can be fooled by showing a big-sized, high-resolution image to the camera. Both Apple and Microsoft build a 3D model of the face, and use infrared light to prevent using a printed image or a mask. Retina scanning could still be used to provide extra security.

People are obviously also worried that their facial data will be leaked to hackers. A best practice approach is to keep the key data encrypted in the device’s secure TPM microchip. This way, the data cannot be stolen even with full access to the device. This means also that the biometric data does not roam with your profile/identity — i.e. all your devices need to be enrolled separately for biometric authentication. The device only sends out information whether the person is the one expected or not.

Apple’s face recognition is done by an artificial intelligence algorithm in the phone, constantly adapting and learning more about the owner’s face. Microsoft, however, gives full control to the user and does not adapt to user’s changing looks.

Another concern is that a user might be forced to show all their data by just putting the phone in front of them. You have to stare at the camera to unlock the phone, so forcing someone to unlock their phone is actually easier with a fingerprint scanning phone. It might be possible to automatically recognize involuntary micro expressions, and use other kinds of risk-based authentication mechanisms (e.g. location, time of day, behavioral patterns). In case there were anything alarming, the phone would just revert to password authentication.

Secure Identification

Recognizing a face has always in history been the primary way of identifying a person. Opening a bank account or obtaining a passport require a secure way of identification. Once identified, consecutive sessions/uses need just an authentication. Identifying a person is more complicated than authentication: How can you be certain whose face is this if there is nothing to compare it with?

Many banks have implemented online identification process so that a human identifies the customer via a webcam call. If we could build a reliable, tamper-proof way to digitally identify a person, lots of costs could be saved. It is not really a secure way to identify a person using an old drivers’ license photo. Even if that old photo ID is the best option available, artificial intelligence will be more trustworthy recognizing it than a human. Automatic risk-scoring could let you start using the services at a lower trust level, and later requiring a “Step-Up Identification” to enable full service.


Automatic face recognition will be a big enabler for digital transformation. More and more services can be provided without ever meeting the person face-to-face. Once the person is identified their face can be used to authenticate them in a very secure way. This enables easier payments and usage of services — you always carry your biometrics with you. These technologies require extreme security, as biometrics cannot be reset like passwords. Whatever device (e.g. phone, passport) the biometric data is stored in, that data should never leave the device — only the information whether the user matches the biometric data or not.

Tapani Tanskanen

Tapani Tanskanen

IAM & CRC Consultant and Manager at Atos Consulting CH
Passionate about Identity and Access Management and new technologies. I want to understand the big picture, as well as the essential details. Delivered IAM for 17 years, and still loving it! 🙂

Certified for CISSP®, CIAM, M.Sc. of Computer Science.
Tapani Tanskanen
Authentication and Identification with Face Recognition
Article Name
Authentication and Identification with Face Recognition
Face recognition (for identification & authentication) will be a big enabler for digital transformation, but keeping biometric data secure is a key element.
Publisher Name
Atos Consulting CH
Publisher Logo

One thought on “Authentication and Identification with Face Recognition

  1. Pingback: Configure Spring Boot with Docker Secrets - Atos Consulting CH

Leave a Reply

Your email address will not be published. Required fields are marked *