Face as the Key: Understanding Facial Authentication

By: Jon Polly | Nov 28, 2022

Most people rely on their cell phones. They’re convenient. You can watch television while riding the subway, use your phone to pay for a coffee, and call or text someone from almost anywhere in the world. There’s also the convenience of face authentication, and not needing a code or pattern to unlock the phone.  

Facial biometrics is a family of biometric measurements of facial characteristics used to identify an individual. Surprisingly, versions of facial biometrics have been around for many years, only recently with some versions garnering populous distrust; for good reasons.  

In 2021, myself and Don Zoufal, one of the foremost legal experts on facial biometrics, released a paper for the ASIS International community entitled, Facial Biometrics for the Security Practitioner. In it we discussed the three primary uses of facial biometrics; the advantages and the pitfalls, from a global perspective.  

Facial authentication, the use of a facial biometric to grant or deny access based on facial parameters, is just one use of facial biometrics and it affects nearly everyone. It is why the cell phone unlocks when the correct person scans their face and not when a thief scans their face. Unlike other facial biometrics, facial authentication requires a 99.99999% match, or a 1:100,000 likelihood that the person in front of the facial biometric reader is the right person. Facial authentication technologies work almost the opposite of other facial biometric technologies in that a facial authentication device, camera or reader, is not looking for a hit, but a rejection. If the face presented does not look like the person’s unique identifier within the 0’s and 1’s, the door does not unlock, whereas other facial biometrics provide a threshold of accuracy.

Legal Concerns

If you spend any time listening to the news or watching recent events, typically coming out of Illinois or California, you know that a person needs to opt-in before their biometric or facsimile of their face can be used. The Illinois Biometric Information Protection Act, commonly referred to as BIPA, has cost many well-known companies millions of dollars because they did not get an opt-in from individuals. BIPA provides protections to individuals against private companies by establishing requirements in the following four areas: Collection, Retention, Disclosure, and Destruction.  

The act of opting-in removes all current legal concerns. Inherently, facial authentication requires the opt-in because the person actively walks in and has their face scanned, usually for an access badge or even access to work in highly restricted spaces where not everyone at the facility has that level of access. While this opt-in is assumed many times, companies should include some legalese to ensure they are indemnified if they are using facial authentication.  

Public safety and city workers in general have struggled with being able to use facial biometrics. In the wake of political knee jerk reactions, several cities were unable to use any facial biometrics; a trend that for most lasted about three days because city workers were locked out of their city supplied cell phones. Quick rectification by city councils reversed the facial biometric moratorium for cell phone and building access. Many cities still have moratoriums on facial biometrics, but the legal landscape has changed, even recently.  

Technology 

Facial authentication technology typically consists of one of three types of technologies: an infrared camera, ONVIF compliant camera, or a 3D scanning camera. The facial authentication reader, though it may look more like a camera, is typically installed at a height of 5’4” with a vertical view lower to cover the American with Disabilities Act (ADA) compliance. The camera can “see” a distance of 10-15 feet but may have thresholds that won’t allow it to unlock until a person is within 6 feet and will not unlock if a non-authenticated person is in the field of view; preventing piggybacking or tailgating scenarios.  

As discussed before, typically these systems have an enrollment reader, but this enrollment reader could be placed in the field. The enrollment reader takes between one and three scans of the person’s face to create a unique identifier (UID). The UID is saved locally or to the cloud. Different technologies save in different ways. Some create a blob of data that translates as unique 0’s and 1’s, that without the reference information, which is not saved, can never be duplicated protecting the data independently. Others create the UID as another card credential in the access control system, which is saved, like any other picture, to the hard drive. Not all facial authentication readers are the same.  

In recent years, terms such as “deepfake” and “liveness” have become key indicators for facial authentication to overcome. Deepfake is the use of synthetic media to replace a person’s existing image or video with someone else’s likeness. In this application, there is a non-authenticated person with an authenticated person’s face. This is where the concept of “liveness” comes in. The facial authentication reader needs to be able to see depth of a person’s face, not just a picture, to provide authentication. The reader looks for movement and parts of the face that make up the unique identifier.  

Biometric Rallies 

The Department of Homeland Security holds a facial biometric technology rally every year, with 12-20 companies typically receiving an invite. This rally covers all facial biometrics; face matching, facial recognition, and facial authentication, including traditional facial authentication, as well as iris or retinal scanning technologies. This and other rallies do not have the bandwidth to test every reader or platform, leaving many facial authentication technologies to self-certify their own AI practices and accuracy.  

Closing 

Facial biometrics and facial authentication are being adopted by companies at a greater pace than ever before. As more cities and states adopt biometric and privacy laws, the oversight will be intense, but can offer better employee engagement, better customer experience, and a more secure operation at a cheaper price. No more printing badges, and unless it’s Hollywood everyone keeps their same face all the time.