Consumer Reports has no financial relationship with advertisers on this site.
When Allan MacLeod, a college administrator at New York University, wants to check his bank account, all he needs to do is stare at his phone and blink. His account is with USAA, which allows customers to log in to its mobile apps using facial recognition.
"It's infinitely better than using a password,” MacLeod says. "Anything that prevents me from having to go through the rigmarole of resetting passwords is worth it.”
Coming Soon . . . to All Your Devices
Smartphones are likely to provide many consumers with their first exposure to facial recognition.
Anil Jain, a computer science professor at Michigan State University, says such technologies have some inherent advantages over passwords and PINs. “I would view the biometrics—face recognition, and fingerprint and iris—as strengthening existing security,” he says.
If facial recognition is working as it’s intended to, no one but the user can log in to a system. According to Jain, when a user is facing a camera with a neutral expression in a well-lit environment, the latest software has an accuracy rate as high as 99 percent.
In phones, the technology has experienced some stumbles. The Samsung Galaxy S8 smartphone was in the news last spring when a video was posted online indicating that you could trick the system into unlocking by showing it a photograph. A recent video purports to show a similar problem with the Galaxy Note8.
Samsung didn't respond to a request for a comment on the issue, but the company’s website has this disclaimer: “Your phone can be unlocked by someone that looks similar to you (such as a twin). Face Recognition is less secure than Pattern, PIN, Iris, or Fingerprint.” And the technology can't be used to authorize payment through Samsung Pay.
Better hardware may be one solution to facial recognition's so-called spoofing problem.
According to Apple, the iPhone X facial recognition system includes an infrared camera, a projector that helps the system map 30,000 points on the user's face, and a neural network that constructs a mathematical model of the face. All the face data is stored exclusively on the phone rather than being transmitted to a cloud service. In a demo when the phone was unveiled, the system seemed to take less than a second to work. It can operate in varied lighting conditions, including the dark.
Apple is allowing users to authorize Apple Pay transactions with Face ID. The company says that the system was tested against spoofing attacks using photographs and even masks—though a twin sibling might be able to sneak past the defenses.
Infrared cameras are also used in some other devices with facial recognition. Consumers can use facial recognition to unlock some Windows devices with a function called Windows Hello. But it only works on devices equipped with infrared cameras. And Qualcomm, a leading hardware manufacturer for mobile devices, recently announced that it will be producing new depth-perception technology that can produce 3D images for use with facial recognition in phones.
A number of security professionals we interviewed said that spoofing attacks can also be addressed with more advanced software. “Facial-recognition companies have built in some spoof-detection methods to take care of that,” Jain says. One example is the USAA banking app MacLeod uses, which requires users to blink their eyes during authentication.
Michael Slaugh, executive director for financial crimes prevention for USAA, argues that spoofing attacks are more of a theoretical risk than a real-world concern. “If I'm a fraudster, I've got to steal your phone, and I've got to somehow get a video of you blinking without you noticing,” he says. “Is it possible? Absolutely. Is it practical for a fraudster who's looking for low-hanging fruit?” His answer: not really.
The FIDO Alliance, an industry consortium established to create technical standards for user authentication, has a certification program for products and services. Among other measures, it ensures that data such as passwords and biometric details are never stored anywhere but on your device. Consumers can check the FIDO Alliance website for a list of certified products.
One Fix for Broken Passwords
It's practically a truism in the information-security world that passwords are a poor way to safeguard consumer accounts. First, databases of user names paired with passwords present an attractive target for hackers. Second, despite the best advice, many people stick to weak passwords. And other consumers use stronger passwords but regularly forget and reset them. (Password managers can help with that.)
“Even if the password itself is strong, the system itself isn’t strong at all,” says Bob Reany, executive vice president of identity solutions at Mastercard. “People reset passwords because they can’t remember them. [The method for] resetting passwords presents a way to break into the system, and those vulnerabilities go beyond the number of characters and the type of characters they are.”
Mastercard recently debuted a feature called Identity Check (aka "selfie pay") that lets customers of certain banks authorize online payments by taking a picture with their phones. A few banks, including HSBC, have apps that let customers log in with facial recognition, and Citibank added the feature for Citigold and Citi Priority customers in 2016.
None of these institutions would say how many consumers were using the technology, but they did say that the practice is more widespread outside the U.S.
Despite the enthusiasm from technology and financial companies, some privacy experts have concerns. “I wouldn't discourage people from exploring the convenience factors afforded by face recognition,” says Clare Garvie, a law associate at the Center on Privacy & Technology at Georgetown Law. But, she says, when you use biometrics, you’re relinquishing control of a piece of information that could be used to identify you forever. Passwords are easy to change, but if face, iris, or fingerprint information is somehow compromised, you can have little recourse.
Privacy groups also worry about how facial recognition could be used in public for surveillance by government groups and targeted marketing by private companies.
The companies contacted by Consumer Reports said that facial recognition technology intended for banking apps and unlocking a consumer’s devices would only be used to verify identities for security.
And they say the benefits to consumers outweigh the risks. According to Reany, facial recognition is just part of a group of factors that his company's app uses to confirm a user’s identity. “Multifactor is a sledgehammer,” he says.
Many consumers already use two-factor authentication, in which logging in to an account requires a password and a one-time code sent by text to the user’s phone. But secure apps such as Mastercard's use several pieces of information. They check facial recognition data, and then confirm that the right device is being used and that its location makes sense.
If that kind of expanded multifactor authentication becomes widespread, it could become vastly more difficult for a hacker or other thief to log in to a consumer’s accounts.
Editor's Note: This article has been updated with information about the Apple iPhone X and Face ID.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2017, Consumer Reports, Inc.