It is no secret that MasterCard has for some time been working on the problem of customer authentication in the banking system and testing an application that keeps the familiar two-factor scheme but replaces the numerical code with face recognition to authorize online purchases. In other words, to pay with a credit card online, the card holder would take a selfie instead of entering a PIN code. Let’s try to understand the roots and the source of this new trend called selfie based authentication.
As we can see, selfies are insanely popular, but before an authentication method based on them is adopted, its reliability should be evaluated with all seriousness and a healthy degree of skepticism, especially when it guards access to online banking transactions. There are several reasons to doubt this method’s reliability, and in this article we will consider each of them in detail.
Biometric Data as Alternative User Authentication Method
The reason why this type of authentication is necessary is one of the key information security risks – weak passwords. According to the statistics available, 61% of users use the same password for all services and websites, and 44% of them change their password only once a year. This shows how easy it is to compromise an account, a computer, or any other device. That is why two-level protection of accounts against unauthorized access is needed – two-factor authentication from Protectimus. This system includes two levels of user authentication:
- Login and password;
- Special code sent via an SMS message, via email, or generated with a token.
For more reliable protection, users’ biometric data is used: authentication is performed using voice or face recognition, retina or fingerprint scans, or the heartbeat “print”. The whole selfie idea, by the way, also belongs to the realm of biometric authentication.
Is Alternative Selfie Based Authentication Reliable?
The advantages of selfie based authentication are as follows:
- Photo is taken instantly;
- No need to wait for an SMS confirmation and enter the code;
- No need to remember passwords and/or always have on you tokens that can break or be lost at the most inopportune moment;
- It is cool and fashionable.
That is pretty much all the advantages. Let us now look at the flip side of this coin.
- To make a transaction, a high-quality photo is required, which means that one has to have a camera with high resolution, good lighting, and a stable setting;
- The authentication procedure may fail if there are significant visible changes to or damage to a customer’s face that occurred after their registration in the system;
- If an intruder has intercepted a customer’s login and password and has access to any of their photos (e.g. from a social network), where is the guarantee that the intruder will not be able to use that earlier image to log into the system as this user? And the user will not even be aware that this is happening. When traditional two-factor authentication is used – for example, via an SMS message – an unauthorized access attempt produces a message on the user’s phone, and they can quickly take the necessary urgent measures. To compromise a physical hardware token, a hacker first has to steal it or obtain it in some other way, which makes the hacker’s task even more difficult.
Taking into consideration just the few examples above, we should seriously question the reliability of selfie based authentication technology in the banking system. It is no more than a populist move in the hope of attracting young customers; traditional two-factor authentication has always been, and remains, a much more reliable and thoroughly tested method of protecting savings and data.