Biometric authentication has been making headlines for years as a way to bring both convenience and stronger security to authentication. Fingerprint, iris and facial recognition are now built into smartphones, computers and even cars for access control. But no authentication factor, biometrics included, is a silver bullet. Organizations need a layered approach to account security.
There are two modes of facial recognition: one-to-many (1:N) identification and one-to-one (1:1) verification. This post focuses on 1:1 verification, in which the submitted biometric is compared against a single enrolled template to decide whether a person is who they claim to be. It is the mode most often used for digital authentication, and it is generally more accurate, with a lower false match rate, than 1:N identification.
Facial recognition has real benefits. It is fast and easy, which reduces user friction; it adds a layer of account security; and it is contactless, a critical feature in a post-pandemic world. The problem is treating it as a standalone solution, which leaves organizations exposed.
The unfortunate reality is that every system can be broken. That is why a layered approach to account security, with each layer providing a different kind of defense, is best practice against account takeover.
Below I’ll explore the accuracy of facial biometric authentication and recommend complementary signals that work well to strengthen biometric account security strategies.
Accuracy
While facial biometrics are generally reliable, they are affected by factors such as poor lighting or changes in a person's appearance. This is the most significant drawback of facial biometrics: the system sometimes gets the comparison wrong. Accuracy is measured with two error rates, the false match rate (FMR) and the false non-match rate (FNMR).
A false non-match occurs when the system fails to recognize a person's face even though it should have. It can happen for many reasons, such as poor lighting, changes in a person's appearance over time, or the use of disguises. Its cost is friction: a legitimate user is turned away.
A false match, on the other hand, occurs when the system accepts someone else's face as a match. It can happen when two faces share features such as similar facial structure or hairstyle. Its cost is fraud: a false match is exactly the error an attacker is hoping for.
Let's look at the numbers. For 1:1 verification, NIST reports that face matching on "wild" images (the dataset closest to a real-world mobile authentication scenario) achieved a False Match Rate (FMR) of 0.01% (1 in 10,000) at a False Non-Match Rate (FNMR, also called the False Rejection Rate) of about 3%. Keep in mind that NIST tests run under lab conditions on curated, well-captured images, so these figures are a best case: an upper bound on the accuracy a solution will reach in production.
For comparison, Incognia's own study of its location verification solution reported an FMR of 1 in 17 million, a false match rate 1,700 times lower than facial biometrics on wild images (the dataset that most closely simulates real-world scenarios). Against the best facial recognition result on the VISA image database, which consists of well-taken photos with good lighting and high resolution, location verification's FMR was 17 times lower and its FNMR ten times lower.
Practically speaking, what matters is the result in production, and that depends on the attack vectors a deployment actually faces. But lab accuracy still bounds practical accuracy, and it sets the attacker's odds: the higher the FMR, the larger the share of non-matching faces the matcher accepts, and the easier it is for an attacker to find or craft an input that gets through.
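To make the two error rates concrete, here is a worked example added to this post (it is not code from the original article or from any vendor). It assumes a 1:1 matcher that returns a similarity score in [0, 1] and accepts when the score clears a threshold, and it uses a handful of constructed genuine and impostor scores. It shows how FMR and FNMR are computed, how moving the threshold trades one against the other, and what a quoted FMR means for a zero-effort impostor's chances.

```python
"""Worked example, added to this post (not code from the original article):
how FMR and FNMR are computed for a 1:1 matcher from labelled comparison
scores, how a threshold trades one against the other, and what a given FMR
means for an attacker's odds. All scores below are constructed."""
from dataclasses import dataclass
from typing import Sequence

# Constructed similarity scores in [0, 1]. "genuine" = a probe compared with the
# enrolled template of the same person; "impostor" = a probe of someone else.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.84, 0.79, 0.72, 0.66, 0.61, 0.55, 0.42]
IMPOSTOR_SCORES = [0.12, 0.18, 0.23, 0.31, 0.37, 0.44, 0.52, 0.58, 0.63, 0.71]


@dataclass(frozen=True)
class Rates:
    threshold: float
    fmr: float   # share of impostor comparisons that were accepted
    fnmr: float  # share of genuine comparisons that were rejected


def rates_at(threshold: float, genuine: Sequence[float], impostor: Sequence[float]) -> Rates:
    """Accept iff score >= threshold. FMR counts impostors that get through,
    FNMR counts legitimate users who get turned away."""
    false_matches = sum(1 for s in impostor if s >= threshold)
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return Rates(threshold, false_matches / len(impostor), false_non_matches / len(genuine))


def operating_point(target_fmr: float, genuine: Sequence[float], impostor: Sequence[float]) -> Rates:
    """Loosest threshold whose FMR does not exceed target_fmr. Accuracy is
    usually quoted this way: FNMR at a fixed FMR (e.g. FNMR @ FMR = 0.01%)."""
    for t in sorted(set(genuine) | set(impostor)):
        r = rates_at(t, genuine, impostor)
        if r.fmr <= target_fmr:
            return r
    # No observed score keeps FMR low enough; only rejecting everything does.
    return Rates(float("inf"), 0.0, 1.0)


def p_impostor_accepted(fmr: float, attempts: int) -> float:
    """Probability of at least one false match across `attempts` independent
    impostor comparisons (different faces or different accounts; repeated
    tries of the same face against the same template are not independent)."""
    return 1.0 - (1.0 - fmr) ** attempts


if __name__ == "__main__":
    print("threshold  FMR    FNMR")
    for t in (0.40, 0.50, 0.60, 0.70, 0.80):
        r = rates_at(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"{r.threshold:9.2f}  {r.fmr:.2f}   {r.fnmr:.2f}")
    op = operating_point(0.0, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"zero false matches on this sample needs threshold {op.threshold}, "
          f"costing FNMR {op.fnmr:.0%}")
    # At the 1-in-10,000 figure, a bot working through 10,000 accounts with one
    # impostor face is more likely than not to land at least one false match.
    print(f"P(at least one false match in 10,000 tries at FMR 1e-4) = "
          f"{p_impostor_accepted(1e-4, 10_000):.3f}")
```

Two things to take from the sweep: on the constructed sample, the only threshold with zero false matches rejects 40% of genuine users, which is the tension every deployment has to resolve; and a published FMR is a per-comparison figure, so the chance of a false match grows with the number of independent comparisons an attacker can make, which is why the layers discussed below, rather than the matcher alone, decide how many tries an attacker actually gets.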
In a recent Computerworld article on the security of biometric systems, columnist Evan Schuman takes a hard line. He opens with strong statements, including "biometrics are falsely seen as being very accurate" and "the only universally positive thing to say about them is they're better than nothing." He bases his argument on a report by Roger Grimes, a defense evangelist at KnowBe4 and the author of over 30 books on cyber security. In that report, Grimes discusses the National Institute of Standards and Technology (NIST) evaluation ratings for biometric systems.
He writes, "So far, none of the submitted candidates come anywhere close," summarizing the NIST findings. "I have been involved in many biometric deployments at scale. We see far higher rates of errors — false positives or false negatives — than even what NIST is seeing in their best-case scenario lab condition testing. I routinely see errors at 1:500 or lower."
Evan concludes his article by saying, "In short, biometrics is a fine convenience. As a security defense, most of today’s implementations don't cut it."
Whichever numbers you believe, accounts that rely on biometric authentication as a single factor face real and present threats. There are several ways attackers may attempt to spoof facial biometrics even when liveness detection is in place, including:
For most account security, a layered approach is critical. Biometrics undeniably add protection, but they should not be the only authentication factor; they are far more robust combined with other methods. Risk-based signals such as location verification, behavioral biometrics and device fingerprinting complement biometrics well. Integrating these signals into your application lets you keep strong account protection while preserving the user experience.
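As an added illustration of what "layered" means in code (this is an example written for this post, not Incognia's product logic or anyone's production policy), the decision function below treats the 1:1 face match as one signal among several and decides between allowing the login, stepping up to another factor, or denying it. The signal names, the ordering of the rules and the independence assumption in the arithmetic at the end are all assumptions made for the example.

```python
"""Added example (not from the original post): a layered login decision that
treats a 1:1 face match as one signal among several, plus the arithmetic for
why layering lowers the combined false-accept rate. Signal names and rules
are assumptions made for illustration."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for another factor before proceeding
    DENY = "deny"


@dataclass(frozen=True)
class LoginContext:
    face_match: bool           # 1:1 matcher result at the chosen threshold
    liveness_passed: bool      # presentation-attack check from the capture step
    device_known: bool         # device fingerprint seen on this account before
    location_consistent: bool  # location verification agrees with account history


def decide(ctx: LoginContext) -> Decision:
    # A biometric failure alone is not proof of fraud (FNMR is a few percent),
    # so it triggers a step-up rather than a denial.
    if not ctx.face_match:
        return Decision.STEP_UP
    # A face match that fails liveness is the spoofing case: treat it as hostile.
    if not ctx.liveness_passed:
        return Decision.DENY
    # Match, liveness and at least one independent signal that knows this user.
    if ctx.device_known or ctx.location_consistent:
        return Decision.ALLOW
    # Match and liveness, but nothing else recognises this session: step up.
    return Decision.STEP_UP


def combined_false_accept(*rates: float) -> float:
    """Probability that every layer is fooled at once, assuming the layers fail
    independently. That assumption must be checked per deployment: a stolen,
    unlocked phone defeats device fingerprint and location together, which is
    why the signals should come from different sources."""
    p = 1.0
    for r in rates:
        p *= r
    return p


if __name__ == "__main__":
    sessions = {
        "owner on usual phone":   LoginContext(True, True, True, True),
        "owner on new phone":     LoginContext(True, True, False, True),
        "owner, bad lighting":    LoginContext(False, True, True, True),
        "photo replay, new device": LoginContext(True, False, False, False),
        "look-alike, new device": LoginContext(True, True, False, False),
    }
    for name, ctx in sessions.items():
        print(f"{name:26s} -> {decide(ctx).value}")
    # Face FMR 1e-4 combined with an assumed 1e-2 false-accept rate for a
    # second, independent signal gives a combined rate of 1e-6.
    print(f"combined false accept: {combined_false_accept(1e-4, 1e-2):.0e}")
```

The ordering matters: a non-match is a usability event and gets a step-up, whereas a match that fails liveness is the signature of a spoof and is denied outright. The combined-rate arithmetic only holds when the layers fail independently, so pick signals that an attacker cannot defeat with one action.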
Consider the following complementary signals:
Overall, which signals you combine with facial biometrics will depend on the particular needs and requirements of the situation. Biometric authentication is widely used and, when implemented correctly, is a solid layer of security. But no single factor should be treated as the silver bullet for account security. A layered approach that uses multiple factors, biometrics among them, is the best way to protect your accounts.