Why You Shouldn’t Use Your Face As Your Password

Facial recognition biometrics (Photo Credit: www.shutterstock.com)

by John Callahan | Facial recognition

Companies like Apple and Samsung are replacing fingerprint scanners on smartphones and tablets with facial recognition systems. While that makes design sense, does it also make security sense?

What’s driving this change is the desire to make a premium phone with what is known as ‘edge-to-edge’ display. This means the front of the phone is just screen, free of the frame (known as bezels) around it. However, without bezels, there’s no place for the fingerprint sensor on the front of the phone. Samsung and others have tried moving it to the back of the phone.

On the Galaxy S8 and others, it’s right next to the camera lens, which frequently gets smudged when you use the sensor. Also, it’s just not as convenient as on the front of the phone. With consumer tech security, convenience is everything.

The other possible solution is integrating the sensor into the screen itself. That has turned out to be no simple thing.

First, they need special screens to do this. Second, sensing the fingerprint beneath the glass of the display makes it significantly harder to get the quality of the image needed.

Until that issue is solved, companies are turning to facial recognition to get the job done. Does it?

Unfortunately, there are problems inherent in both technology and faces that suggest the answer is no.

The first is that, unlike fingerprints, faces change. Whether the cause is age, facial hair, illness, or weight gain doesn’t matter: they all make it more difficult for facial recognition to work well. And this is before you get into the very well-documented problems facial recognition has with race and gender.

On the technology side, the big problem comes down to lighting.

Cameras on the screen side of phones aren’t as powerful as those on the back. This makes them more reliant on good lighting to produce a quality image. Backlighting in particular poses a big problem.

Apple’s iPhone X used special illuminators to counter this with varying degrees of success in its FaceID system. Some reviewers reported having problems using it in direct sunlight but noted that overall it performed better than expected.

Samsung is hoping to improve facial recognition by including a type of iris scanner with its latest devices. The entire system is named “Intelligent Scan” and includes what the company calls Eyeprint Verification.

It works by first scanning your face and then moving on to the iris if authentication initially fails. If conditions aren’t great for using either of those, it then combines them to unlock your device. It isn’t clear from the company’s literature whether this system uses true iris scanning, which is very secure.

However, it is telling that the company is choosing to include a second biometric recognition element rather than just relying on facial.

Facial recognition is likely the easiest type of biometric to spoof. Early versions on phones were fooled by a photograph.

Apple’s FaceID now uses 3D depth maps to register and verify the physical features of the device holder. This makes it considerably harder to fool, as it requires hackers to reproduce a physical representation of a target’s face. It also uses machine learning to analyze your expression whenever it sees your face; this allows it to determine whether it’s an authentic unlock attempt.

Further, it doesn’t work if you’re not awake. Even with all that, Apple still provides another security check, requiring a good, old-fashioned PIN code to prevent someone from siphoning data from a phone unlocked with FaceID.

The ubiquity of photographs means that likely as not there’s a photo of you on the internet, accessible by anyone who cares to look for it. Because phone cameras keep improving, it is even likely that these photos are high-resolution. That makes it much easier for someone you don’t know to develop a spoof that can fool a facial recognition system.

By contrast, few of us have fingerprint images available online and far, far fewer (possibly none) of us have iris or retinal scans online.

All of this is why people should definitely hesitate before going over to any system that relies solely on facial recognition. Facial recognition works best as part of a multi-factor authentication approach. Even then, though, it is a far weaker factor than either fingerprints or iris and retinal scanning.



  1. Stop talking bullshit to get views. It has been proved that 3D facial scanning is way, way more secure than fingerprint scanners at any given point of time. A 3D facial scanner takes into account a lot more data points and sets to create a passcode to unlock, unlike a fingerprint sensor, which has fewer data sets. The fact that the iPhone can learn your face as it changes counters your given argument too. It is also easier to replicate a fingerprint than to replicate a 3D scan of your face spending 100s of dollars. Bullshit article
