Facial recognition: myths and realities

Facial recognition, a technological advance that has been the talk of the town in recent years. Spirits are running high, opinions are forming and opposing; sometimes even a form of fear is being felt. So why so much divergence?

From fiction to documentaries on the use of face recognition, there seems to be only one step. This is where the confusion begins. How can we inform the public and give them a complete and concrete understanding of face recognition?

We take a look at the most common myths surrounding this technology and their realities.

Myth 1: Facial recognition is easy to fool

Fact: In essence, facial recognition technology is based on a factor that is unique to everyone: their face. In theory, it seems impossible to "fake" a person's face. So why isn't this system seen as a guarantee of perfect security in a connected world? Because no system is infallible and, logically, the techniques for circumventing it have multiplied and improved as its adoption has grown.

In recent years, several techniques have been developed to fool facial recognition technologies. These include presentation attacks or "spoofs" (printed photos, pre-recorded screenshots or video selfies, 3D masks) and, more recently, injection attacks and deepfakes. But where there are attacks, there are countermeasures in place to block them. This is where it's important to evaluate the different types of facial recognition technologies in terms of their ability to reject fraudulent sessions in specific cases.

To achieve this, today's sophisticated biometric authentication systems include liveness detection. It allows to check whether the person whose identity is being verified is actually physically present in front of the camera. "Liveness" detection can be active (e.g. the user must blink or turn his head), or passive, using artificial AI that analyze the video stream for signs, if any, that they are not from a real person, such as the detection of paper, digital screens or a 3D-printed mask.

→ "Active" methods are visible to the user and de facto more easily studied and circumvented by an attacker

→ Whereas "passive" liveness detection is faster, less intrusive and includes more advanced techniques for determining the presence of a living person.

For sensitive use cases where identity verification stakes are high, such as banking, a solution that combines several live detection and anti-spoofing methods is ideal.

Myth 2: Biometric authentication means privacy invasion

Fact: The most widespread myth concerning facial recognition is the Government control and intrusion into private life. Indeed, various series on platforms such as Netflix, featuring the use of facial biometric technology for cases of state control, remains engraved in the public mind. Surely you've heard of the series Black Mirror? Of course you have. In episode 6 of season 3, "Hated in the Nation", several situations show the use of Artificial Intelligence for dubious purposes.

In reality, it all depends on the governments in power, their agenda and the type of relationship they maintain with their respective populations. In France, as in Europe, legislation is designed to prevent systematic, dictatorial control of the population. The data collected is used on the basis of consent, as mentioned in the information report created by the Senate's law commission in October 2020.

More specifically, facial recognition technologies used in authentication applications are "opt-in" use cases, where a user voluntarily registers with the system to facilitate account login or benefit from additional security. This situation is different from that of the facial recognition technologies often in the news, where the technology has been used in public spaces, and where individual consent is not conditional.

Most importantly, facial biometric authentication does not store reference photos or video selfies for identification purposes, but rather creates a mathematical representation of the face. The reference one is kept for comparison purposes when the user logs in, is generally encrypted and essentially useless to an attacker.

Myth 3: Facial recognition is just a tool to unlock a smartphone

Fact: Although some smartphone brands offer facial recognition for unlocking phones, there are several other use cases that are little known. Indeed, the technology itself is designed to maximize security when accessing online services. With the fast deployment of new technologies and new business models, the simple use of passwords is becoming obsolete and even tedious. Here are just a few examples of how facial recognition can be used:

1. Identity confirmation/verification

One of the most common use cases is the use of facial biometrics to verify customer access to online platforms. For example, if you want to open an online bank account, some banks like Revolut or Floa Bank use facial recognition for identity confirmation. You upload your ID to the platform, then you're asked to take a selfie. The facial comparison system ensures that the person in the document photo is actually the one opening the account. In other parts of the world, such as Asia, there are various use cases, the most popular is payment by facial recognition. In South Korea, it's a widespread use that has been endorsed by the population. If you're traveling in South Korea, you'll be able to visit a store without checkouts or sales staff. It's a self-service store where you can pick up any items you like, and your bank account will be automatically debited on presentation of your face.

With Covid-19 and lockdowns, online transactions have increased the risk of fraud. Those involved in identity theft are becoming experienced, and are always finding grey areas to exploit. Facial biometrics would be the best solution for complete security.

b. Day-to-day protection

In some Asian countries, the narrative around facial biometrics revolves around the citizen's security. It's debatable how much control these governments exert over their populations, but crime and aggression are better controlled than in other parts of the world.

The same applies to anonymity on Internet, particularly on social medias and discussion forums. Indeed, harassment is on the increase, and many cases of suicide have been recorded. It has become a habit for some people to hide behind pseudonyms to verbally assault others with impunity. These people take no responsibility for the psychological damage caused. This could change with a facial recognition identity verification system for every online account created, which would identify every individual. It's not a question of monitoring interactions on networks, but of ensuring that each user takes responsibility for his or her actions.

In this spirit of security, people are defending the integration of facial recognition technology into their daily lives. We can see two very distinct visions regarding the adoption of this new technology: in Europe, the desire to maintain and protect privacy; in Asia, the common good takes precedence over individual freedom.

It's not a question of judging who's doing better, but rather of learning from each other and taking the necessary steps in everyone's interest.

c. Boarder control

A few years ago, we witnessed the rise of biometric identity documents. A new security measure to guard against the common forgery of official documents such as passports, identity papers, residence permits and driving licenses. In France, for the period 2001-2002 alone, the Ministry of the Interior recorded 10,712 falsified identity documents. In Spain, the figures are similar to those for France, with 8,614 forged and falsified identity documents, not counting the 963,951 lost and stolen documents. Criminal networks are specializing and becoming true experts in the field.

Today, the most important thing is to be able to improve control tools, and facial recognition technology would make a real contribution in this area. In the same way that fingerprints are recorded for biometric passports, it would be possible to add facial recording, which would be systematically checked at every border checkpoint. Checkpoints equipped with facial recognition technology would verify the identity of each individual by comparing the photo on the ID document with the database containing biometric records. This database would be accessible only to the relevant authorities, and its use would be governed by strict legislation.

d. Facial recognition: justice, legislation, state security

Facial recognition for border access would be an additional guarantee of security, particularly to prevent terrorist attacks. Take the case of Spain, which adopted a facial recognition system following the attacks by ETA, the Basque pro-independence movement, which claimed several victims on March 11, 2004 in railway stations near Madrid. Since this incident, Madrid's bus station has been equipped with surveillance cameras featuring an integrated facial recognition system. In view of the increased risk of terrorism, this use case is certain to become more widespread in the years to come. Facial biometrics used to prevent insecurity would make investigations easier in the event of an incident. Indeed, the justice system is sometimes considered too slow, with actions taking a long time to materialize, and this undermines the stability of states. Checking people's comings and goings at stations and airports in no way constitutes a control of the population or an intrusion into people's private lives, but simply an additional and highly effective protective measure.

Myth 4: Facial recognition is only developed by American or Asian companies

Fact: No, the development of facial recognition technology is not reserved for just a portion of the world's population. It's true that the world's biggest tech companies are based in either the USA or China, but the skills are also to be found close to home, in Europe and even in France. A number of European and French start-ups are developing powerful high-security technology designed to improve users' everyday lives. Among them, Unissey occupies a prominent position, and is surely the most certified of all facial biometric technologies developed in Europe to date.

Two types of technology have been developed:

• Liveness detection, to ensure that the person behind the phone is alive and well;

• Facial comparison for 1:1 verification (presentation of a photo against another photo to check the match) or 1:N for identification (presentation of a photo against a database to find a match with those present in the database).

Expert engineers are constantly refining AI algorithms to deliver the best experience for customers and end-users.

Whether in the USA, China or Europe, the aim of deploying such technology remains the same: to provide secure access to various online services and interactions. The digital era requires Governments to take precautions regarding technological sovereignty on their soil.

Myth 5: Facial recognition is remotely controlled by humans

Fact: What might be possible in a SF movies is generally impossible in reality. Facial recognition is a technology developed by AI algorithms. Of course, humans are the one who manipulate and train the algorithms to be robust and achieve near-perfect levels of performance. However, the popular belief that humans are crammed into a large room behind their computers checking or "monitoring" who's doing what is a completely mistaken belief. Why is this? The first reason is that the data collected cannot be freely exploited. In France, legislation requires that this data be deleted after eight days. If the amount of data to be analyzed is anything to go by, there aren't enough people available to operate all the cameras equipped with facial recognition systems.

Myth 6: Facial recognition doesn't work on a changing or aging face

Fact: The human face has unique and unalterable characteristics. Indeed, one of the worries about facial recognition is that the face won't be recognized when we age or change sex, for example. The human body is perfectly equipped to avoid such errors. Features such as the distance between the eyes, the length of the nose, the shape of the cheeks, the depth of the eye sockets and the width of the jaw are unique to each individual. No matter what changes may occur over the course of a lifetime, these characteristics remain unchanged. For example, a 30-year-old who has had the same ID since the age of 18 will always have a 99% match with facial recognition algorithms.

A few isolated cases may occur, but these are very rare and often due to poor training of the algorithms. Take the case of transgender people, who are incorrectly categorized in 30% of cases. According to the researchers, this is due to a lack of training of the algorithms, which tend to confuse a man with long hair with a woman in the majority of cases. Algorithm training needs to be reinforced with data from suitable populations to avoid bias.

Conclusion

Although recent surveys show that the public is becoming increasingly comfortable with the use of biometric authentication (particularly in the banking sector), some people are still reluctant, and question the security of this system. A perfectly legitimate reaction, given the rapid deployment of new technologies. A period of adaptation is needed to educate people about the creation, operation and use of these technologies.

The first and most important step is to eliminate preconceived ideas about facial biometrics. Without going into evangelism, the aim is to share real information about the advances this technology will bring in terms of individual and collective security.