Facial recognition is being touted as an “additional” mode of verification along with iris or fingerprint scanning, but security experts reckon the face may be a weak authentication source.
Each day brings in a new development for Aadhaar, the $3 billion citizen identification project of the Government of India.
The Unique Identification Authority of India (UIDAI) today announced a face recognition feature for Aadhaar authentication. The feature will be used in “fusion” with existing iris and fingerprint scanning and OTP-based authentication, and will be launched on July 1, 2018.
UIDAI, which has been recently plagued with data security issues, believes facial authentication will add a layer of security to the Aadhaar ecosystem, and assist users who have troubles with fingerprint scanning.
In many areas, the elderly and manual workers have had trouble with fingerprints for authentication. Facial scanning, on the other hand, would be done from photographs already stored in the Aadhaar database. Citizens do not need to visit Aadhaar enrollment centres again, the UIDAI said.
“At the time of Aadhaar enrolment, the photo of the face of the resident is also captured. To provide inclusive authentication, face photo can also be leveraged to verify the identity of an Aadhaar number holder,” UIDAI said in a circular released on Monday.
Ajay Bhushan Pandey, UIDAI chairman, called facial authentication a “landmark” feature.
UIDAI added the “camera is now pervasively available on laptops and mobiles making the face capture easily feasible.” Thus, face authentication would not require any additional hardware, and should be implemented quite easily.
Security experts reckon facial authentication may be a redundant feature to begin with. “Face is a weak authentication source because the original photos in the database are of poor quality,” Ankush Johar, Director of Infosec Ventures, tells YourStory.
Photographs already stored in the Aadhaar database, which the UIDAI will use, do not account for things like ageing, tanning, wrinkles, facial hair and so on. Hence, accuracy would be a challenge. “Just like in passports or driving licences, photos are a dated source of verification because people’s facial features will evolve,” Johar explains.
Moreover, there are past examples of facial identification going wrong. Handset-maker Samsung introduced a face unlock feature in its flagship Galaxy S8 device, but it was later revealed that the phone could be unlocked with anything that resembled the owner’s face.
This means the phone cold be unlocked using a photo, making the owner’s actual face redundant in the unlocking process.
The exact nature of the facial recognition feature will only be known once the rollout begins from July 1. “While two-factor authentication is a good idea per se, it’s better if face or iris or fingerprint is used along with the OTP. So, essentially, biometrics combined with OTP makes it stronger than just a combination of two or three biometric features,” Johar says.