AN ADDITIONAL LAYER OF BIOMETRIC SECURITY
A few days ago, my mobile banking app from BBVA would insist on registering my face through the app to make the process of changing phones easier and more secure, in order to log in to the app on the new device.
I denied the request each time before being able to use the app.
At one point, the app warned me I would only be able to skip the process three more times before being unable to use the app. I ignored the message three more times and the app went through with its promise, no longer allowing me to log in and only letting me use it as a security token.
It was simple enough for me to just migrate to the webpage and keep using the services.
Let’s deconstruct this face recognition debacle.
A facial recognition system is a technology capable of identifying or verifying a person from a digital image or a video frame from a video source. There are multiple methods by which facial recognition systems work, but in general, they work by comparing selected facial features from a given image with faces within a database.
Or as BBVA puts it:
It’s a technology that defines the identity of a person by analyzing the unique, nontransferable physical features of their faces, processing this information into a mathematical pattern.
As is the case with other types of biometric data, in theory, a face is incredibly unique considering all the facial features we have, with applications not only in security but also in other technologies such as human-computer interaction, although face recognition is not as unique as fingerprint or iris scanning can be.
The deployment of this technology, at least on a consumer level, is being accelerated by the usage of it in personal devices.
It’s important to note that, for my country’s branch, at the time of writing there’s no precise information on the BBVA pages on how their face recognition technology works or how it stores and manages the biometric information. It appears to be a few years in the making since their collaboration with Sodexo Iberia.
In order to work, face recognition requires three main elements:
This technology can be used in conjunction with other methods to further increase security.
Combining a password, a device or token, and a biometric factor is one of the most secure ways to protect data, known as 3FA (three-factor authentication). It was not long ago that banks pushed for the widespread use of 2FA.
Facial recognition is capable of enhancing the security of your finances and personal data. It’s something we are already benefiting from: unlocking your phone without touching it, government border security and accelerating transactions, among other use cases. It’s considered more secure overall than certain methods, such as low-complexity or easy-to-acquire passwords, as you can see in the image below. The trend is to use more of these security measures moving forward, alongside more traditional methods.
The devil, as always, is in the details and the different implementations it currently has.
The main concerns regarding it are false positives, ease of duplication and the nonexistent standards, as exemplified in the image below. Every single one of these risks is both driven and mitigated by the three main elements I mentioned above.
Once you deal with more sensitive personal data and not just adding security to our personal devices, there are additional concerns around the susceptibility of the systems to being fooled, or around the fact that once those biometric prints are stolen, they cannot be replaced as easily as a password or token can.
Let’s analyze BBVA’s implementation through those elements and compare it to some of the consumer technologies in the market.
It’s the system that takes the digital picture and builds a mathematical pattern around it. Such systems can reach different levels of detail from the image, from the traditional method, where the relative position, proportions or shapes of the different facial features are taken into account, to three-dimensional analysis or skin recognition. All of this depends on the capabilities of the system.
Since most cellphones do not have 3D imaging capabilities, we can suppose BBVA’s implementation is mainly traditional, backed up by AI and machine learning in both the imaging and database. However, this only produces the lowest level of confidence in a facial recognition system.
Furthermore, BBVA is only using facial recognition to help in activating a new device to use the account services, still requiring additional data such as passwords to use the app. Facial recognition is not the only security factor, and this raises my confidence in the additional security provided by the feature.
This doesn’t make it inherently more secure, as there is a possibility of fooling the system with pictures or masks.
Apple’s Face ID, for example, uses 3D scanning to create a more detailed and unique face map, a technology that BBVA cannot use to create a facial map, as it would limit the feature to users of recent Apple devices.
As advanced as it is, Apple’s tech has been proven to have difficulties with twins, mitigated recently with AI and machine learning.
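The false-positive problem described above for traditional 2D matching and look-alike faces such as twins, as an added example (not BBVA's or Apple's code). The feature ratios, probe names and thresholds are constructed for illustration, and Euclidean distance with a fixed threshold is an assumed matching rule.

```python
import math

# Constructed 2D "geometric" face templates: each value is a hypothetical
# ratio (eye distance, nose length, mouth width, jaw width over face size).
ENROLLED = [0.42, 0.31, 0.38, 0.77]  # account owner, neutral face at enrolment

# name -> (probe template, True if the probe really is the account owner)
PROBES = {
    "owner_neutral": ([0.42, 0.31, 0.39, 0.77], True),
    "owner_smiling": ([0.42, 0.30, 0.46, 0.79], True),
    "twin":          ([0.43, 0.31, 0.37, 0.76], False),
    "stranger":      ([0.36, 0.35, 0.33, 0.70], False),
}

def distance(a, b):
    """Euclidean distance between two templates of equal length."""
    if len(a) != len(b):
        raise ValueError("templates must have the same number of features")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify(probe, threshold):
    """1:1 verification: accept when the probe is close enough to ENROLLED."""
    return distance(ENROLLED, probe) <= threshold

def errors(threshold):
    """Return (false_accepts, false_rejects) as lists of probe names."""
    false_accepts, false_rejects = [], []
    for name, (template, is_owner) in PROBES.items():
        accepted = verify(template, threshold)
        if accepted and not is_owner:
            false_accepts.append(name)
        elif not accepted and is_owner:
            false_rejects.append(name)
    return false_accepts, false_rejects

def separating_threshold_exists():
    """True only if some threshold accepts every owner probe and no one else."""
    worst_owner = max(distance(ENROLLED, t) for t, own in PROBES.values() if own)
    best_impostor = min(distance(ENROLLED, t) for t, own in PROBES.values() if not own)
    return worst_owner < best_impostor

if __name__ == "__main__":
    for threshold in (0.015, 0.09, 0.12):
        print(threshold, errors(threshold))
    print("clean separation possible:", separating_threshold_exists())
```

In this constructed data the twin sits closer to the enrolled template than the owner's own smiling face, so a strict threshold locks the owner out and a tolerant one lets the twin in.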
The second element is the facial print itself; the mathematical pattern or, in simple terms, your face as a unique file. This file can be constantly enhanced thanks to AI or by combining additional scans from the same tech, accounting for gestures, changes by accessories, hair, changes through time or additional mapping, such as skin patterns. In BBVA’s case, I believe this is where they are betting on enhancing security, as they can constantly add to it.
Sadly, their own article on facial recognition declares that it doesn’t take gestures into account:
Will my face be recognized if I have a different gesture than the one stored in my account such as smiling, growing, etc?
No, it’s necessary to maintain a neutral gesture, without smiling as it modifies the shape of the face at the time of storing or validating.
This makes me believe that there is no learning system in place, lowering my trust in the system. Additionally, the captured face print is not stored in the device, but sent to a remote database, adding a full layer of risk regarding third parties retrieving that image.
This biometric image, in most of the personal device implementations, such as Windows Hello, is stored only in the device and is not transferred to remote servers, eliminating the risk. This is not feasible for BBVA as they need to store it remotely to activate a new device. In this case, securing the device and the channel it’s sent through is the priority.
And it’s at this point where the main point of failure resides, and the reason for my refusal to use it.
There have been complete database leaks several times, not only of biometric data but also of other personal or sensitive data such as Social Security numbers and addresses, among others. In BBVA’s case, they do not mention or define a difference between biometric data and the other sensitive data they manage. As such, I can infer that it is managed like any other sensitive data and that it can be compromised at any point of the chain, from the device to the data storage.
One would think that if the risk is the same but the security increases, then the tradeoff is acceptable or even a net gain.
It’s not, because in contrast to a password or a token, the face map cannot be easily replaced. This gets even more complex because in certain instances biometric data is considered personal and sensitive, and thus covered by different laws and civil rights.
Here, not having clarity on how this data is handled is where I can’t trust the system yet. Even more so when the app is making its usage conditional on handing over the face map.
“But Rafa, this information is already out there if you have ever uploaded pictures to the internet, used an Instagram/Snapchat filter or applied for a visa.”
True, many faces are already stored in some database somewhere, probably by using a 2D method. Their use, acquisition or exchange could be considered illegal nonetheless, limiting it to malicious usage. As such, it just strengthens my argument that facial recognition is not the holy grail of security it’s purported to be.
Additionally, they are still low-definition maps, stored independently across different systems with no data crossing available, further limiting what can be done with them.
The biggest difference here is that I would be granting biometric data to a database that already has personal, fiscal and financial data about me, inherently accepting the usage of a technology that currently has no defined standard backing up the security and management of that data.
This is why at this point, I’d rather not give it to BBVA.