Forced to find creative ways to guard against the rising threat of identity theft, a growing number of companies are moving away from a system that tests people on what they know, such as a password. Now they want to ask consumers to provide evidence of something that can’t easily be changed or copied: their face.
“In our opinion, the password is dying,” said Tom Shaw, vice president of enterprise security at financial services firm USAA. The company lets customers use a selfie instead of a password to log in to their mobile banking apps. Customers only need to choose the facial recognition option when they open the app, hold the phone up to their face and blink. It’s much easier for some consumers to take a quick picture than it is to ask them to remember yet another username and password, Shaw says.
A photo also can serve as a way for consumers to offer proof that it was indeed them — and not an imposter — who made that purchase or submitted that form.
For instance, MasterCard plans to roll out a service nicknamed “Selfie Pay” this summer through its member banks. Through the program, consumers would shop online as usual and after checking out, they would confirm the purchase by taking a selfie with a MasterCard mobile app.
And Georgia will roll out a pilot program for the next tax season at the end of the year that gives taxpayers the option of creating a secure account where they verify their identities by taking a photo. If there is a match, taxpayers will be asked to take a photo on their smartphones before their tax returns can be processed, ensuring the return was not submitted by a fraudster.
The growing use of facial recognition, however, raises a series of security and privacy concerns. One obvious vulnerability is that it is not that difficult to find out what someone looks like.
“Everyone has your face,” says Alvaro Bedoya, the executive director of Georgetown Law’s Center on Privacy and Technology. “So it is a mode of authentication that is inherently public.”
To overcome that risk, the companies are requiring selfies that are a little different than the ones you might see on Facebook. After finding the right angle, consumers are asked to move around to confirm that the camera is capturing a live person and not a photo.
In the MasterCard and USAA programs, users are told when to blink. Georgia’s tax program will prompt people to position their faces a certain way and scan for motion.
The photos are typically not the only safety measure, serving instead as the second or third method of authentication. USAA, for example, says that it checks not only the photo but also the device being used to access the account. That means a criminal should not be able to log in from another phone that isn’t already registered with their systems, Shaw said. For the tax program, Georgia will compare the selfies consumers submit to the photos it has in its database of state driver’s licenses.
Privacy advocates fear that if companies misuse the photos, it could lead to situations where people are instantly identified when they walk into stores or while they are walking down the street. Some of that is already happening.
Several states allow law-enforcement agencies to use facial recognition to search, or request searches, of driver’s license databases when they need help identifying people for investigations. Some retailers have used the technology to recognize regular or problematic shoppers.
“It is a basic human freedom to be able to walk outside and be anonymous and be private,” said Bedoya. “If you can no longer be a face in the crowd, that’s a problem.”
But some of the companies and agencies introducing facial-recognition programs say they are only using the images to verify customers’ identities.
They also say they are protecting consumers by not storing the images. MasterCard, for instance, said it converts the initial photo users take when they set up their accounts into a series of 1s and 0s that cannot be used to recreate a person’s face. USAA says the biometric information is encrypted and wiped if a customer hasn’t logged in for a while. And MorphoTrust USA, the company providing the technology for the facial recognition pilot in Georgia and a potential one in North Carolina, said that after a person’s identity is confirmed, the photos taken will not be stored on the state’s servers.
Still, some of the hiccups consumers may face are much more basic. For example, it is not clear how well the apps will hold up in cases where people’s faces actually have changed — say because they gained weight, started wearing glasses or grew a beard. USAA says their app has worked after such minor changes, but reminds users that they could always switch to another method of authentication. And MorphoTrust USA says that its technology will scan for features that are unlikely to change much over time, such as the shape of a person’s eyes.
Whether most consumers will go along with the new selfie programs has yet to be seen. The parties introducing facial recognition and other biometric options cite convenience and security when pitching the technology.
The process relies on smartphones that many consumers already have in hand. And because these apps are scanning only for the most basic characteristics of a person’s face, none of the typical traits required of selfies — such as perfect hairstyles — are needed.
Some consumers may welcome the added measure. Greater access to consumers’ personal details has made it easier for criminals to take out loans in their names, go on shopping sprees or file fraudulent tax returns. About 17.6 million Americans were victims of identity theft in 2014, meaning they had their bank account, credit card or other personal information stolen, according to the most recent data from the Department of Justice.
The selfie offers a simple way to help them combat that kind of fraud, the companies say.
In some cases, taking a photo can also offer an alternative to a more complicated process. For instance, Georgia says for some taxpayers who need to provide more information before their tax refunds are paid, taking a selfie could be easier and faster than calling or mailing in a form.
“We’re getting to a place where we can really start using our identities as a key, or as a way to protect ourselves,” said Mark DiFraia, senior director of market development at MorphoTrust USA.
Consumers may also find they have options beyond facial recognition when it comes to confirming their identities. For instance, USAA customers who want to use biometrics to log into the mobile app can either scan a thumbprint — the most popular option — snap a photo or use voice recognition. About 13 percent of its 11 million members have opted to use the biometric log-in as of early April.
MasterCard users who do not want to take a photo can use the app to scan a fingerprint.
Those alternatives may come in handy for people facing a potential security threat from someone very close to them: their identical twin.
For that subset of the population who knows someone with a face that looks just like their own, it may be safer to pass on the selfie option and go with fingerprint verification instead, says Catherine Murchie, senior vice president of enterprise security solutions at MasterCard.
Otherwise, that twin could end up going on a nice shopping spree.