'Security Selfies' May Make Passwords Obsolete

Amazon recently filed a patent for new security technology based on selfies. Elizabeth Fernandez G./Getty Images

Taking selfies with your smartphone camera has become a virtual obsession for everyone from teenagers to politicians. But some big companies think that such snapshots could eventually replace passwords and other forms of electronic identification. At its Sept. 12, 2017 Apple Event, Apple announced that its new iPhone X and iPhone 8 models will use a facial recognition security technology called Face ID in place of a fingerprint or numerical password.

Of course, Apple's not the first to sport such a feature. In late 2015 credit card giant MasterCard began test-marketing a technology called Identity Check — or "selfie pay," as it was dubbed by CNN — which allows cardholders to authenticate payments using either a fingerprint or by taking a selfie with their phones and transmitting it to the credit card company, which will run it through facial recognition software. 


In one trial involving 750 Dutch cardholders, 92 percent found the new system more convenient to use than passwords, which can be easy to forget and almost as easy for thieves to guess. (Check out a list, compiled a few years back, of the 25 most-used passwords.) MasterCard expanded its Identity Check in the summer of 2016. One MasterCard executive told Business Insider that he expects selfie pay to make passwords obsolete within five years.

Apparently not to be outdone, in early 2016 Amazon filed a patent application for its own version of selfie pay, something called "image analysis for user authentication." According to the application, Amazon's system would require a user to launch an app and then snap a picture inside a box, which will then be transmitted to the online retailer. Software algorithms will analyze the image, looking at details such as the contour of a person's head and the size, location and relationship of facial features. That info then will be compared to a file image of the Amazon user.

While the application primarily describes the technology's use with smartphones, it also apparently will run on other devices, such as laptops or tablets. (Amazon didn't respond to an email request for more information.)

Advances in facial recognition technology make selfie pay possible, according to Anil Jain, a computer scientist and expert on biometric identification at Michigan State University. Provided that a person takes a reasonably sharp photo in good light, stares straight ahead into the camera, takes off obscuring stuff such as sunglasses or scarves, and doesn't make a goofy facial expression, the ability of software programs to recognize faces has improved to the point where it can authenticate a person with close to 99 percent accuracy, Jain writes in an email.

"Accuracy of a face recognition system depends on the quality of face image," Jain says. "The higher the quality, the higher the authentication accuracy."

Jain says that face image quality is typically measured in terms of pose, illumination and expression — collectively called PIE. Aging, weight loss and facial hair also can play a role in accuracy, so you'll probably have to update your file picture fairly often.

You'll have to lose the fashion accouterments and goofy expressions for facial recognition security selfies to work.
Verity Jane Smith/Getty Images

But how impervious will selfie pay be to hackers and scam artists? Jain says the big risk is "spoof" attacks, where a malicious person tries to impersonate the genuine user using a printed photo, a digital video (replay attack) or a mask (3D-mask attack).

"[Spoofing] is a major security risk as a malicious person can easily obtain a user's photo via social media websites and unlock his device," Jain said.

Amazon's system, he notes, contains a number of possible measures to thwart such attacks. The selfie is just the first stage in the identification process. Amazon's system then will switch to video and prompt the user to perform one or more actions. The user may be asked to "smile, blink, or tilt his or her head." Amazon's algorithms will analyze those movements and evaluate whether they seem like they're being performed by an actual person — as opposed to, say, a computer-generated video clip created by a hacker who stole your picture from Facebook and then grafted it onto his body. If that's not convincing enough, Amazon's technology may also look at the heat given off by the user.

But one problem with such measures is that they could slow down authentication. So we'll have to see whether selfie pay turns out to be more convenient, or whether we'll all be wishing we still had fingerprint scanners, passwords and PIN numbers.