The Surprising Way Selfies Are Driving Phone Design

It started with Apple’s Touch ID and Alibaba’s “selfie pay.” Now companies are building deep biological portraits to secure our phones.

When Apple introduced the iPhone 5s in 2013, its built-in Touch ID launched the race to invent creative, personalized passcodes. Sure, the old-fashioned password model had worked for decades, but why not opt out of the finger-tap tap-dance of having to remember (and type) a login? Apple’s Touch ID offered up the fingerprint as a means of authentication, but that was just one early, outward sign of companies’ growing interest in biological data. From voice timbre to body movement patterns to the rhythm of your heartbeat, the human body offers a half-dozen sexier, less hackable ways to key in a passcode.

Biometric authentication apps are booming. In 2015, users downloaded 6 million such apps, according to data by Juniper Research, and by 2019 that figure is expected to hit 770 million. What’s more, starting next year, all smartphones will include built-in biometric capabilities, according to research firm Acuity.

Nowhere is the progress in biometrics more dramatic than in camera phone technology, says Phil Dunkelberger, CEO of the security platform Nok Nok Labs. Mobile makers have been gearing up to sub a relatively old technology into the authentication mix: the smartphone’s most beloved and ubiquitous byproduct, the selfie. In a landmark demo in 2015, for example, Alibaba CEO Jack Ma showed off how he could mug for his phone’s camera to authorize a payment.

Snapping a selfie to gain access to a sensitive app or issue a payment may sound fun and on-trend, or it may seem like a silly stunt. In fact, it signals the beginning of a broader trend in which phones construct detailed biological and behavioral portraits of their users. A photo alone is never going to be enough to affirm identity. Instead, our phones will have to capture a plethora of data about the way we live our lives.

Just as a credit card company flags a sudden shopping spree in Tahiti, mobile makers are now teaching our devices to notice subtle signs of authenticity — or a hack. In the not-too-distant future, our phones will be able to register if we veer away from our daily activities, or flick our hand in an unusual way. It’s a shift that mobile makers believe we’ll be happy to make, for the convenience of saving a swipe.

“I have a strong dream to help small businesses,” said Alibaba’s Jack Ma. It was the tail end of his presentation at the annual CeBIT tech conference in Hannover, Germany. Just two years after Apple introduced Touch ID, Ma was announcing a technology that would transform taking a selfie on your phone into a security step — a way of validating your identity to complete an online purchase.

Behind him was a giant projection of a smartphone; on its screen, a 1948 commemorative stamp, on sale through Alibaba’s e-commerce site for 20 euros. The vintage stamp hovered dramatically behind him. All Ma had to do, he told the audience, was smile at his phone and that would be enough for the company’s new facial recognition tool to validate his purchase.

With his smartphone, Ma snapped a selfie, which was projected on the wall behind him. His face was outlined by a white line that flickered with recognition. Amidst a dizzying light show of running code and graphics, his purchase went through. In six days the stamp, a gift, would arrive at the local mayor’s office, he told the crowd.

Like Touch ID, the technology worked through biometrics: it created a unique biological measurement of a person’s facial structure and features from an image, which was transformed into a digital record. The system could validate a payment simply by taking a photo whose measurements matched those stored on the device.

“Smile to Pay” he called the tool, a feature that would make biometric facial recognition a technology merchants big and small could use through Alibaba’s mobile payment platform, Alipay. The tool offered the opportunity to transform our bodies into forms of payment authentication on our handheld devices, in a moment that Ma lauded in his speech as the beginning of offering biometric identification technology to the masses.

Today Smile to Pay is used not as a way to pay but as a login authenticator in Alipay, the mobile payment subsidiary of Alibaba. Nonetheless, since 2015, a flurry of consumer-facing alternatives across financial services have begun using facial recognition as an authentication tool, in the hopes of replacing passwords with a sleeker, more secure alternative.

In March 2016, a year after Ma’s presentation, MasterCard piloted a corporate credit card in partnership with Bank of Montreal that used facial recognition to verify users’ identities in order to complete purchases. That biometric “selfie” technology, Identity Check Mobile, which launched across Europe last October and in Brazil and Mexico one month later, uses FIDO encrypted biometric data, stored on users’ individual devices, as a security measure against hacking.

Around the same time last March, Amazon applied for a facial recognition technology patent that would make it possible to complete a purchase by using facial recognition rather than typing in a password to validate one’s identity.

With the underlying technology in place, the focus today is squarely on protecting facial recognition from getting hacked and making the user experience a more seamless one. The technology has certainly improved since Android released its easily hackable “Face Unlock” feature in 2011, which could be opened by snapping an image of a photo instead of a face. Authentication systems like BioID, for example, now use “liveness detection” to create 3D renderings, so you can’t simply replace a live face with a 2D one.

Still, hackers have found ways to break into even advanced authenticators. Last August, a group of researchers from the University of North Carolina at Chapel Hill broke past face liveness detectors with 3D rendered models of faces constructed from social media profile photos. They didn’t just fool a single authentication system; all five of the systems they tested fell open to the virtual reality renderings.

In response, the technology has become even more sophisticated, using iris detection, eye blinking signals, human infrared signals and even heart biorhythms as a unique indicator of a person’s identity, according to Gary McAlum, chief security officer at USAA. These biometric measures work much in the same way a fingerprint or selfie reader would, gathering unique data points about a user that are then recorded, encrypted and played back each time an authentication is attempted, to detect a match.

The reason companies are bending over backwards to secure facial recognition is not because it’s less flawed than keyed-in passwords, but because it’s convenient to use, says Birch. In the coming age of selfie pay, what’s most crucial will be implementing more passive back-end authentication—so that your phone can detect if, say, you’re holding it in your right hand when you’ve always been left-handed, to make sure a transaction is indeed valid.

“We are going to move…to more passive biometrics,” he says. “You have software on the phone that looks at how you hold your phone with your fingers, how you tap it, where you normally go to buy a cup of coffee.” It’s these more passive authenticators that will help make sure something like a picture or a fingerprint lines up with the rest of the unique data your device has gathered about you over time.

Meanwhile, device makers will need to keep up, developing new ways to embed hardware that helps smartphones better detect and learn from signals. Last January, for example, Google announced a new partnership with the chipmaker Movidius that would include a chip embedded in phones that helps image recognition. And the FIDO Alliance, which launched in 2013 with six members, now has closer to 300 participants including big players like Alibaba, Microsoft, Google, and Samsung, says Dunkelberger. Like SSL technology, which helped create the secure connection between web server and browser that ultimately popularized e-commerce shopping, Dunkelberger sees FIDO as a way to ensure biometric data is securely encrypted on users’ devices.

The progress that’s taken place in the two years since Ma snapped a selfie is particularly obvious at this year’s CeBIT global conference in Hannover, which starts March 20. This time, presenters will advance not one-off authentication systems, but the much more complex idea of biological portraits on our phones. Ho Chang, CEO of BioID, a biometric authentication provider, for example, will focus on why combining multiple biometrics like face recognition and voice authentication can help make a technology like selfie pay safer to use.

“This is not Mission Impossible,” says Birch. But, he cautions, “you need to see biometrics as a convenience technology, not a security technology.” That’s the bet mobile makers are making: that we’ll bond ever more closely with our devices for the convenience of forgoing a password.