It is no secret that MasterCard has for a long time been working on the problem of authentication in the banking system and has been testing an application that would keep traditional two-factor authentication but authenticate customers and authorize online purchases with face recognition instead of numerical codes. In other words, to pay with a credit card online, the card holder would take a selfie instead of entering the PIN code. Let us try to understand the roots and the source of this new trend called selfie-based authentication.
A selfie is a photographic self-portrait taken by a person with their arm outstretched, sometimes using a mirror or the very popular selfie stick. This type of photo became very popular after 2005, following the creation and spread of social networks and online community websites where users readily share their latest life news and most recent photos. Phones with front-facing cameras and the Instagram mobile application have led to a veritable explosion of millions of original and sometimes extreme selfies. Movie stars, show business celebrities, politicians, and even Pope Francis post their selfies on the Internet. Numerous websites proclaim the wild popularity of this trend in photography; in 2013, the word ‘selfie’ was declared the most used word and included in the Oxford online dictionary of the English language.
As we can see, selfies are insanely popular, but before this new authentication method based on selfies is implemented, we should consider and evaluate its reliability with all seriousness and a healthy degree of skepticism, especially when that authentication guards access to online banking transactions. There are several reasons to doubt this method’s reliability, and in this article we will carefully consider each one of them in detail.
Biometric Data as Alternative User Authentication Method
The need for this type of authentication stems from one of the key information security risks: weak passwords. According to the available statistics, 61% of users have the same password for all services and websites, and 44% of them change their password only once a year. This shows how easy it is to compromise a computer or any other device or gadget. That is why one needs two-level account protection against unauthorized access: two-factor authentication from Protectimus. This system includes two levels of user authentication:
- Login and password;
- A special code sent via an SMS message or email, or generated by a token.
For more reliable protection, users’ biometric data is used: authentication is performed using voice or face recognition, retina or fingerprint scans, or the heartbeat “print”. The selfie idea, by the way, also belongs to the realm of biometric authentication.
Is Alternative Selfie-Based Authentication Reliable?
First of all, let us consider the advantages and strengths of selfie-based authentication. The idea is that the banking application creates a ‘digital map’ of each customer’s face and transforms it into a hash that is stored on the server and compared with each new photo. The following are the key advantages:
- Photo is taken instantly;
- No need to wait for an SMS confirmation and enter the code;
- No need to remember passwords and/or always carry tokens that can break or be lost at the most inopportune moment;
- It is cool and fashionable.
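As an added illustration (not code from the article, from MasterCard or from Protectimus), the following Python compares two ways the stored ‘digital map’ could be checked: an exact cryptographic hash, as the paragraph above describes, and a similarity threshold over feature vectors, which is how face matchers actually decide because two captures of the same face never yield byte-identical data. The face vectors, seeds and threshold are constructed stand-ins, not real biometric data.

```python
import hashlib
import math
import random

# Constructed stand-in for the article's face "digital map": a fixed-length
# feature vector. A real matcher derives it from a face-recognition model;
# here it is generated from a seed so the example runs offline.
def enrolled_template(seed=7, dim=16):
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(dim)]

def new_capture(template, noise=0.05, seed=11):
    """Simulate a fresh selfie of the same person: same features plus camera/lighting noise."""
    rng = random.Random(seed)
    return [x + rng.uniform(-noise, noise) for x in template]

def digest(vec):
    """What 'storing a hash' of the map literally means: SHA-256 over the feature values."""
    data = ",".join(f"{x:.6f}" for x in vec).encode()
    return hashlib.sha256(data).hexdigest()

def hash_match(stored_digest, capture):
    """Exact comparison: succeeds only if every feature value is identical."""
    return digest(capture) == stored_digest

def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)

def similarity_match(template, capture, threshold=0.95):
    """How face matchers actually decide: similarity above a tuned threshold."""
    return cosine_similarity(template, capture) >= threshold

def demo():
    enrolled = enrolled_template()
    fresh = new_capture(enrolled)          # same person, new photo
    stranger = enrolled_template(seed=3)   # a different person
    return {
        # A new photo never reproduces the enrolled values exactly, so a plain
        # hash rejects the legitimate user; a threshold comparison accepts them.
        "hash_accepts_fresh_selfie": hash_match(digest(enrolled), fresh),
        "threshold_accepts_fresh_selfie": similarity_match(enrolled, fresh),
        "threshold_accepts_stranger": similarity_match(enrolled, stranger),
        # A replayed copy of an old image yields the enrolled features exactly,
        # so comparison alone cannot tell it from a live capture (the risk the
        # article raises below); detecting that needs a separate liveness check.
        "threshold_accepts_replayed_image": similarity_match(enrolled, enrolled),
    }
```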
That is pretty much all the advantages. Let us now look at the flip side of this coin.
- To make a transaction, a high-quality photo is required, which means one needs a good high-resolution camera, good lighting, and a static environment;
- Authentication may run into difficulties if a customer’s face has visibly changed or been damaged since their registration in the system;
- If an intruder has intercepted a customer’s login and password and has access to any of their photos (e.g. from a social network), where is the guarantee that the intruder cannot use the user’s image from an earlier photo to log into the system as that user? The user would not even be aware that this is happening. When traditional two-factor authentication is used, for example via an SMS message, an unauthorized access attempt triggers a message to the user’s phone, and they can quickly take the necessary urgent measures. To compromise a physical hardware token, a hacker first has to steal it or obtain it in some other way, which makes the hacker’s task even more difficult.
Taking into consideration just the few examples above, we should seriously question the reliability of selfie-based authentication technology in the banking system. It is no more than a populist move in the hope of attracting young customers; traditional two-factor authentication has always been and remains a much more reliable and thoroughly tested method of protecting savings and data.