Why your face should be your username, not your password

What if you could log in to your bank using just your face, buy clothes simply by photographing the model wearing them, or pay at the check-out by snapping a selfie?

This is not the future. These are all technologies that are already coming to market today. Earlier this month, HSBC bank announced a new programme in which customers could open new bank accounts using a selfie photo to verify their identity.

Such developments are all thanks to innovations in computer vision, making detection and manipulation more accurate. They could speed up administration for customers and transform business for suppliers. Unfortunately, that’s not going to happen any time soon. Because these technologies are still too half-baked to be reliable, leaving the projects open to big security risks.

Whilst “pay-by-selfie” may be fine fodder for a press release, the reality is different. Researchers from the University of North Carolina have shown that, while facial recognition is a real, working reality, now implemented by Google Photos and Apple’s Photos app, systems can still be fooled by showing them a reproduction photograph of the face’s real owner. That is a big security problem for sensitive applications like banking and commerce.

To be really secure, computer visualisation could be augmented by biometric technology. To know that the person in the camera is real, you could measure their temperature or blood pressure, for example. But recent research from the University of Washington on the discipline showed that, whilst a limited pool of biometric authentication worked adequately, when scaled up significantly, to the level required for mass-market adoption, these algorithms fell over. 

You could try to detect the movements of eyes, mouths and noses on a face, matching them to known human expressions. But this technology is too nascent for wide-scale deployment. Temperature sensors in phone cameras don’t exist outside of a single, crowdfunded experiment. Computer vision, in which I have spent the last five years gaining a PhD, is coming on fast - but just is not ready to use these kinds of systems in combination.

The most secure authentication that computer vision can achieve is in the eye of the beholder - literally. Twenty-five years ago, John Daugman invented the first iris recognition system, the IrisCode. The iris of the eye offers a unique way to identify individuals. To date, this system has been tested on around 100M iris from different people around the world - with a success rate of 100 per cent. Many companies are using it more frequently than facial recognition. 

But some of the companies rushing out sensitive services using flawed image-recognition security are trying to run before we can walk. There is a reason HSBC’s selfie-recognition system only powers opening of new bank accounts, not login to existing accounts - security is weak, but the bank is happy to benefit from new account registrations created by the buzz.

Facial recognition is too weak to use for real-world, sensitive tasks in isolation. But it can certainly make life more efficient for customers when used alongside a known secure key. In other words, your face should be like your username - you won’t have to type it, but you’ll still need a password.

True recognition of the content of an image is very difficult - helping machines to understand the world around us is the largest problem in computer science. Buying a product simply by pointing your phone at it may be the holy grail of a fashion marketer. But, when the lens sees a model wearing your target garment, how does it identify it from thousands of other similar jackets from rival brands? The consequences of purchasing a wrongly-identified item are considerable.

Now, none of this is to suggest that we should not be aiming for the targets set out by the claims and experiments I have outlined. I have never been more excited about the developments that are around the corner.

I don’t criticise companies for launching products and services that are under-cooked. Because setting a path to an eventual goal is an important step in actually arriving at the destination. All innovation is incremental. If one service is launched with partial recognition, someone, somewhere around the world, is going to try to go one better, harnessing that development and building toward full recognition.

That’s how you break boundaries. That’s how you draw investment and excitement. Standing on the shoulders of giants is important; it’s how we all make the future out of the raw materials of the past. When we get there, the work of others may be so distant, we won’t even recognise it.

Nuno Moutinho, cofounder and CTO of boomApp

Image source: Shutterstock/Anton Watman