Facial recognition, the alpha and omega of digital identity for payment?

Apr 12, 2021 | Professionals

As a preliminary, it is useful to recall what facial recognition for digital identity purposes is: a process that compares a template representing certain characteristics of the face, captured by a selfie or a video, with one or more reference biometric templates (scan of a photograph on a document, digital data in a database or in a chip). The commercial development of facial recognition has accelerated in recent years with the concomitant development of video surveillance cameras and smartphones.


Facial recognition

This facial recognition process may be for the purpose of:

  • biometric identification of a person, by comparing the newly captured image of the person with all reference data collected from different individuals (so-called 1/N comparison);
  • biometric authentication of a person, by comparing the newly captured image of the person with reference data of this same person (so-called 1/1 comparison). When the comparison is performed within the chip of a physical medium held by the person, the authentication is called Match-On-Card (MOC).

Whether by the CNIL or the European Data Protection Board (EDPB), the captured facial image, the template and any result of their technical processing are all considered data under Article 9 of the GDPR, i.e. so-called “sensitive” data. Their processing is in principle forbidden, except in exceptional cases.

For commercial use such as payment, the individual’s express consent is one such exception. However, consent alone does not guarantee compliance with the GDPR.

“In order to ensure that consent is freely given, data subjects should be offered alternative solutions to the use of facial recognition technologies (for example, using a password or an identification badge) that are easy to use as, if it appeared to be too long or complicated compared to the facial recognition technology, the choice would not be a genuine one.”

Furthermore, all authorities agree that the private sector (including payment or retail) cannot use so-called Live Facial Recognition in an uncontrolled environment (e.g. shopping mall, public space), i.e. coupling video surveillance with facial recognition technologies to identify individuals.

Use cases related to facial recognition identification for payment:

In some countries, proximity payment solutions using biometric identification are offered, with the face replacing the bank card. In Asia, facial recognition as a method of payment has become commonplace and is easily accepted by customers. The two Chinese giants Alibaba and Tencent are the pioneers.

Facial recognition identification is also deployed by banks in Singapore, but using the State’s digital identity solution, which relies on a centralized biometric database, whether for ATM withdrawals or payments. In this respect, a TikTok video of a payment fraud that went viral calls into question the reliability of this solution, at least for a proximity customer journey.

However, the context of COVID-19 has made this technology inoperable due to the mandatory wearing of masks in stores, as in the United States. In Western Europe, the security of storing biometric data in the cloud and the protection of privacy are the main concerns and may even lead the authorities to ban the solution.

Thus, in Europe, the EDPB and the CNIL consider that the template should be under the sole control of the persons who have given their consent, preferably on a physical medium that belongs to them, or even in a database, but then encrypted and whose key is under the control of these persons.

This means that this type of payment process using biometric identification for local or remote payments may not be recognized as legitimate during the validation process of the privacy impact analysis by the national authorities in charge of privacy protection.

Use cases related to facial recognition authentication for payment: 

Facial recognition for authentication, on the other hand, can more easily meet this objective of proportionality and legitimacy after consent.

Facial recognition authentication is a sine qua non of a 100% digital path to open a bank account in compliance with the AMLD regulation. If the customer does not consent to the capture and processing of facial recognition, he or she will be able to go to a branch to verify his or her identity face-to-face, even for a path initiated remotely. Remote customer identification involves a facial recognition step between the person behind the PC or smartphone camera and the photo, either printed on the ID document or stored in its chip. This remote facial recognition should offer the same level of risk as face-to-face verification. The ANSSI has just issued a new standard called PVID, which should come into force on April 1st 2021. In addition to a video stream for facial recognition with a qualification of liveness detection and resistance to fraud, this specification requires a systematic human validation.

Facial recognition authentication is an option in the RTS/PSD2 compliant path to access one’s online account or initiate a payment. Indeed, strong authentication must rely on a dynamic authentication resistant to man-in-the-middle attacks, coupled with two-factor authentication (2FA), the two factors being chosen from among the possession factor (such as a card, a PC or a mobile), the knowledge factor (such as a password) and the inherence factor (such as facial recognition). In addition to the possession factor, inherence is often promoted commercially by many players as a more user-friendly and secure solution than the password factor.

User-friendly, certainly, because there is no need to remember a complex password. But what about security? Whereas a password’s vulnerability is mainly related to human error, the security of facial recognition authentication depends on the technology itself: it relies on a score computed by comparison algorithms. The comparison score is therefore not an absolute answer but a probability estimate.


This estimate is highly dependent on the technology, but also on the settings selected by the provider and therefore on the associated margins of error (false acceptance rate (FAR), and false rejection rate (FRR)). These margins of error are even greater when the origin, skin color and age of the individuals are taken into account. These demographic biases particularly affect black women.
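To make the threshold point concrete, the following Python is an added example, not code from the post or from any vendor: it computes FAR and FRR from constructed 1/1 comparison scores and shows how one provider-chosen threshold behaves across two hypothetical demographic groups. The scores and the two groups are assumptions, not measurements of any real system.

```python
"""Threshold trade-off of a 1:1 face comparison score.

Added example, not code from the post or any vendor. The scores are constructed:
a genuine comparison (same person) tends to score high and an impostor comparison
(different person) low, but the two overlap, so whatever threshold the provider
picks trades false acceptances (FAR) against false rejections (FRR).
"""

# Constructed similarity scores in [0, 1] for group A (assumed well represented in training data).
GENUINE_A = [0.91, 0.88, 0.84, 0.79, 0.76, 0.73, 0.69, 0.66, 0.61, 0.58]
IMPOSTOR_A = [0.12, 0.21, 0.28, 0.33, 0.41, 0.47, 0.52, 0.57, 0.63, 0.70]
# Constructed scores for group B (assumed under-represented): genuine scores drift lower.
GENUINE_B = [0.82, 0.77, 0.71, 0.68, 0.64, 0.62, 0.59, 0.55, 0.51, 0.48]
IMPOSTOR_B = [0.15, 0.24, 0.30, 0.36, 0.44, 0.49, 0.54, 0.58, 0.65, 0.71]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor comparisons scoring at or above threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine comparisons scoring below threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def equal_error_threshold(genuine_scores, impostor_scores):
    """Candidate threshold at which FAR and FRR are closest (the EER operating point)."""
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    return min(candidates, key=lambda t: abs(far(impostor_scores, t) - frr(genuine_scores, t)))


def per_group_rates(threshold):
    """(FAR, FRR) for each group under one global threshold, as a provider would deploy it."""
    return {
        "A": (far(IMPOSTOR_A, threshold), frr(GENUINE_A, threshold)),
        "B": (far(IMPOSTOR_B, threshold), frr(GENUINE_B, threshold)),
    }


if __name__ == "__main__":
    # Tune the threshold on group A only, then observe both groups under that setting.
    t = equal_error_threshold(GENUINE_A, IMPOSTOR_A)
    print(f"threshold tuned on group A: {t}")
    for group, (fa, fr) in per_group_rates(t).items():
        print(f"group {group}: FAR={fa:.2f} FRR={fr:.2f}")
    # Tightening the threshold lowers FAR but raises FRR, for every group.
    for group, (fa, fr) in per_group_rates(0.70).items():
        print(f"group {group} at 0.70: FAR={fa:.2f} FRR={fr:.2f}")
```

With these constructed scores the threshold tuned on group A gives both groups the same FAR, but group B is falsely rejected more than twice as often, which is the kind of demographic gap the text describes.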

Moreover, facial recognition can be vulnerable to more specific attacks than for a password (entrapment, coercion). In addition to attacks on the user’s appearance in the physical world (mask, makeup, etc.), fraud by digital means with a virtual mask is becoming accessible to non-experts; and experts are refining their expertise in injecting fraudulent photos or videos of an existing person’s face to replace captured data in order to impersonate them.

What do the experts think?

According to biometrics experts surveyed by Findbiometrics in 2019, 25% believe that biometrics will never replace the password and that authentication security comes from combining different security factors.


The European eIDAS peer review only granted notification at the high level to Itsme and Latvia’s mobile identity solution on the express condition of non-biometric authentication. The March 2020 ENISA report highlights the issue of security/reliability of biometric sensors on mobiles, which vary greatly in quality from one manufacturer to another.

What do French users think?

Renaissance Numerique’s December 2019 study indicates that for more than 40% of users, facial recognition is an important but not critical technology for secure authentication and faster usage; one-third even consider it secondary.


Facial recognition is therefore a powerful technological tool for authentication, whose technological maturity does not allow us to ensure absolute confidence in its results, nor even infallible security, but which requires societal acceptance beyond ease of use.
