Selfie-based authentication is on the rise, alarming security experts

zohaibahd
The big picture: Selfies are increasingly taking on a surprising new role: verifying your identity online. Some banks and even governments have started mandating live selfie captures during video calls to prove who you are before accessing services. However, giving tech companies your selfie is far from a smart cybersecurity move, as a new report has highlighted.

Multiple security experts and market analysts who spoke to The Register discussed this practice, highlighting just how unsafe it is and advising on ways it can be improved.

The selfie authentication trend has been brewing for years, says Akif Khan, a VP analyst at Gartner who advises organizations on implementing the technology. He told the publication that interest in selfie ID verification has been very high and steadily growing, with an "uptick" recently as the pandemic drove more services online.

Concerns became overt last week when Vietnam made face scans in phone banking apps compulsory for any digital transaction over $400. Vietnamese media voiced skepticism that selfies would improve security, and within days some apps were reportedly accepting a simple still photo in place of a live selfie video, which defeats the point of the check.

The rise of selfie ID aligns with anti-money laundering (AML) and know-your-customer (KYC) regulations that require identity checks, though the specifics vary globally across jurisdictions and are frequently updated. This creates conflicting requirements when balanced against data privacy regulations in each region.

How companies mishandle selfie data is a problem too, according to Kevin Reed, CISO at Acronis. He told the publication that businesses frequently fail to properly manage and dispose of selfie verification images after use, leaving them exposed to theft if cyber criminals find value in the data trove.

A Resecurity report previously highlighted a Singapore payment provider that had users submit a photo of themselves holding their ID next to a handwritten sign, presumably to prove liveness. Reed dismissed this technique as only "slightly better" than a plain still selfie, since such a photo is still easy to edit. Khan wasn't confident about it either, calling it a "stopgap" measure while the provider works on a proper solution.

A better solution is "liveness" detection technology from third-party vendors integrated into apps and websites.

Liveness check vendors deploy a range of techniques to validate that the user is physically present at the moment of capture. Active checks ask for movement during the selfie capture, such as changing expression or turning the head, so that a pre-recorded still or video cannot satisfy a request the user has only just received. Khan noted that these checks are aided by machine learning and can also detect injection attacks, where a deepfake is fed to the app in place of the live camera feed. Passive analysis looks at depth, edges, light reflection, and even signs of blood flow during verification.
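To make the active-liveness idea concrete, and to show why the apps that accepted still photos failed, here is an added example of a server-side challenge-response check. It is not code from the article or from any liveness vendor. It assumes the client app runs a head-pose model that reports yaw and pitch per frame (the model itself is out of scope); the pose traces, frame hashes, gesture names and thresholds below are constructed sample values chosen for illustration.

```python
import secrets
from dataclasses import dataclass

# Gesture the server can request -> (pose axis, threshold in degrees).
# Negative threshold: the axis value must drop to or below it; positive: rise to or above it.
# Threshold values are illustrative assumptions, not vendor figures.
GESTURES = {
    "left":  ("yaw", -15.0),
    "right": ("yaw", 15.0),
    "up":    ("pitch", 12.0),
    "down":  ("pitch", -12.0),
}
MAX_DURATION = 8.0   # seconds allowed for the whole capture (assumed budget)
MIN_FRAMES = 10      # a single uploaded photo cannot satisfy this


@dataclass(frozen=True)
class Frame:
    t: float          # seconds since the challenge was issued
    yaw: float        # head yaw in degrees, negative = turned left (from an assumed pose model)
    pitch: float      # head pitch in degrees, positive = tilted up (from an assumed pose model)
    image_hash: str   # hash of the raw frame bytes; short labels stand in for it here


def issue_challenge(length=3, rng=secrets):
    """Server picks the gesture sequence. The client must never choose or learn it in advance."""
    names = list(GESTURES)
    seq = []
    while len(seq) < length:
        g = names[rng.randbelow(len(names))]
        if not seq or seq[-1] != g:       # no immediate repeats, so each step is a distinct motion
            seq.append(g)
    return seq


def _performed(frame, gesture):
    """True if this single frame reaches the pose threshold for the gesture."""
    axis, limit = GESTURES[gesture]
    value = getattr(frame, axis)
    return value <= limit if limit < 0 else value >= limit


def verify_liveness(challenge, frames):
    """Return (ok, reason). Accept only if the frames show every requested gesture,
    in the requested order, inside the time budget, and are not one repeated image."""
    if len(frames) < MIN_FRAMES:
        return False, "too few frames"
    if any(later.t < earlier.t for earlier, later in zip(frames, frames[1:])):
        return False, "timestamps not monotonic"
    if frames[0].t < 0 or frames[-1].t - frames[0].t > MAX_DURATION:
        return False, "capture outside the time window"
    # A still photo re-sent as "video" yields identical frames; require real variation.
    if len({f.image_hash for f in frames}) < len(frames) // 2:
        return False, "frames mostly identical (still image?)"
    expected = 0
    for f in frames:
        if expected < len(challenge) and _performed(f, challenge[expected]):
            expected += 1
    if expected < len(challenge):
        return False, f"gesture {challenge[expected]!r} not observed in order"
    return True, "ok"


def constructed_session(gestures, step=0.2):
    """Build a synthetic pose trace for a user who performs `gestures` in order
    (constructed sample data, not real sensor output)."""
    frames, t, n = [], 0.0, 0
    for g in gestures:
        axis, limit = GESTURES[g]
        for k in (0.0, 0.5, 1.0, 1.2, 0.5, 0.0):   # turn out, hold, return to neutral
            yaw = limit * k if axis == "yaw" else 0.0
            pitch = limit * k if axis == "pitch" else 0.0
            frames.append(Frame(t, yaw, pitch, f"img{n}"))
            t += step
            n += 1
    return frames


if __name__ == "__main__":
    print("random challenge:", issue_challenge())
    challenge = ["left", "right", "up"]
    print("genuine capture:", verify_liveness(challenge, constructed_session(challenge)))
    still = [Frame(0.1 * i, 0.0, 0.0, "same-photo") for i in range(12)]
    print("still photo:", verify_liveness(challenge, still))
    old_recording = constructed_session(["down", "up", "left"])
    print("replayed recording:", verify_liveness(challenge, old_recording))
```

The three rejections in the demo map onto the failure modes in the article: a single photo is too short, a photo re-sent as video has no frame-to-frame variation, and a recording made for an earlier session does not contain the newly issued gestures in order. What this check does not defend against is an injection attack in which a deepfake is driven live in response to the challenge, which is why vendors also rely on the passive signals (depth, reflection, blood flow) and ML-based injection detection mentioned above.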

This is not new to be honest. Using Face ID to log in to your banking or government app is a clear example of using facial or biometric data for authentication.

In any case, there is no one authentication method that is 100% foolproof. In this age, I suppose it is not impossible to even 3D print a person's face to try and bypass facial recognition security.
 
Face ID is not selfie though, and it's used for completely different purposes. Face ID is used to prove to your phone that you're the phone owner. Verifying yourself to your bank is a completely different story.
 
Face ID is used to prove to your phone that you're the phone owner. Verifying yourself to your bank is a completely different story.
Verifying your face to your iPhone is equivalent to verifying it to Apple and the iCloud. And banks have been requiring biometric data from customers for literally centuries, through the highest technology available at the time: signature verification.
 
And banks have been requiring biometric data from customers for literally centuries
You either don't know what biometric data is or what literally means. Or maybe you don't know what centuries are? Heck, it could be all three!
 
Oops! bio: life, metric: measure. Biometrics: unique physical or behavioral characteristics used for identification.

How a person signs their name is highly unique, and no different than a voiceprint or any other biometric data. You might (incorrectly) argue that signatures can be faked, whereas fingerprints and facial recognition cannot. But copying a signature without a reference sample is essentially impossible. Conversely, if you have a sample fingerprint or facial keypoint data, you can spoof biometric systems with these just as you can copy a signature.

Or were you disputing that banking institutions have for centuries collected signatures? I could take the theme much further by pointing out that Britain began using sepia-ink fingerprints on documents starting in the 1860s, and nearly 5000 years before that, people in the Indus Valley civilization were placing their fingerprints on clay tablets for identification purposes.
 
So I guess you have me on a bit of a technicality. Signatures are hard to forge now because we've developed advanced analytic systems to see if they are fake or not, but not everyone had access to the ability to forge signatures back then either. Security through obscurity.

I wasn't even considering signatures as a security measure, as signatures are pretty useless these days.

I have a difficult time believing the fingerprint side of things but my belief is irrelevant to the truth. That actually sounds really interesting so I'd appreciate a link as I'm having a difficult time finding one.
 
I have a difficult time believing the fingerprint side of things but my belief is irrelevant to the truth. That actually sounds really interesting so I'd appreciate a link as I'm having a difficult time finding one.
Three thumbs up for the open mind. I'm a bit skeptical myself of suppositions based on 5000 year old evidence, but archeologists have worked from thinner evidence. My statement was based on a book in my own library -- however, the first two links below briefly allude to both the Indus Valley and neighboring Mesopotamia doing this, whereas the final link is a more comprehensive source that starts with Chinese efforts in this direction around 200 BC.