Mobile Based Biometrics
MasterCard recently announced a selfie-based authentication product. I've been working on our selfie authentication product for a while so I wanted to talk about some of the technical issues surrounding mobile-based biometrics in general, including faces, fingerprints, irises, voice, gait, ear, whatever.
For this discussion I need to explain a couple of simple things about how biometrics work. Contrary to what you see in movies and on TV, computers don't use images for matching. They convert the image into a mathematical representation of it called a template. For example, in this image, the red is a representation of a fingerprint template:
The red points are the key points of interest in the fingerprint - the points at which the ridge lines end or split. Most fingerprint matchers add in a little more information than just these points, but the bulk of the image data is discarded because it isn't needed for matching. You can't take a template and generate an image of the fingerprint it came from. That will be important in a second.
When you want to match a biometric on a mobile device, as MasterCard or Apple do, you have a few choices:
1) All on device
This is how the iPhone fingerprint matcher or Android face matchers work. Nothing ever leaves the device - the collection of the enrollment biometric is done on the device and the matching is done on the device. This has the maximum privacy, but it is subject to manipulation on the device itself. It is the most complex to deploy because complex extraction and matching software must be deployed and tested on each device. However, a wily hacker can manipulate the software to accept the wrong image. This isn't a concern for the way iPhone/Android use biometrics to unlock a device - if you have enough access to it to hack the software, you don't need to unlock it. But it could have issues with presenting a successful biometric to a third party, as part of a payment process for example.
2) Templates on device, matching in cloud
To get around this problem, companies like MasterCard do the matching in the cloud. They extract the enrollment template from the good source image on the device and store that template safely in the cloud. This allows them to keep the matching process safe from hackers (well, most hackers, anyway). You can't fool the system by injecting the wrong template because it won't match the good record stored in the cloud. This does require the installation of complex extraction software on the device, but not matching software. This solution is efficient in terms of bandwidth because templates are much smaller than images. This solution appears to help with privacy because images are not sent to the cloud, only templates. And you can't go from a template back to an image. I think this is misguided, but I will get to that.
3) Images on device, templates and matching in cloud
The third alternative is to simply send images to the cloud and do the template extraction and matching there. The advantage of this approach is that the complex software is in the cloud where it can be easily updated and improved. Since the data needed is simply an image, any device that can capture an image can be used.
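To make the template and architecture discussion above concrete, here is an added toy example (mine, not code from the article, MasterCard or Apple). A template is a list of minutiae (ridge endings and bifurcations with position and direction); the matcher aligns a probe to the enrolled template by translation and counts minutiae that agree in position, angle and type. The coordinate range, tolerances, 4-byte packing and sample minutiae are all constructed assumptions, and `cloud_verify` models option 2: the server re-runs the match against its own stored enrollment rather than trusting any yes/no verdict a device might send.

```python
"""Toy minutiae template and matcher (added example, not the article's code)."""
from dataclasses import dataclass
import random
import struct


@dataclass(frozen=True)
class Minutia:
    x: int        # column in the (discarded) source image, 0..255 (assumed)
    y: int        # row in the source image, 0..255 (assumed)
    angle: int    # ridge direction in degrees, 0..359
    ending: bool  # True = ridge ending, False = bifurcation


def serialize(template):
    """Pack each minutia into 4 bytes (x, y, angle/2, kind). A 20-minutia
    template is 80 bytes; a 500x500 8-bit image would be 250,000 bytes.
    The ridge image cannot be rebuilt from these points."""
    return b"".join(struct.pack("BBBB", m.x, m.y, m.angle // 2, int(m.ending))
                    for m in template)


def deserialize(blob):
    # angle was halved to fit a byte, so it comes back rounded to even degrees
    return [Minutia(x, y, a * 2, bool(k)) for x, y, a, k in struct.iter_unpack("BBBB", blob)]


def angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def _count_matches(probe, gallery, dx, dy, dist_tol, angle_tol):
    """Greedy one-to-one pairing after shifting the probe by (dx, dy)."""
    used, n = set(), 0
    for p in probe:
        for i, g in enumerate(gallery):
            if i in used:
                continue
            if (abs(p.x + dx - g.x) <= dist_tol and abs(p.y + dy - g.y) <= dist_tol
                    and angle_diff(p.angle, g.angle) <= angle_tol and p.ending == g.ending):
                used.add(i)
                n += 1
                break
    return n


def match_score(probe, gallery, dist_tol=6, angle_tol=15):
    """Fraction of minutiae paired under the best translation between the two templates."""
    if not probe or not gallery:
        return 0.0
    best = 0
    for p in probe:                     # try every probe/gallery pairing as an alignment hint
        for g in gallery:
            best = max(best, _count_matches(probe, gallery, g.x - p.x, g.y - p.y,
                                            dist_tol, angle_tol))
    return best / max(len(probe), len(gallery))


def verify(probe, enrolled, threshold=0.6):
    return match_score(probe, enrolled) >= threshold


def cloud_verify(stored_blob, submitted_blob):
    """Option 2: server matches the submitted template against its stored enrollment."""
    return verify(deserialize(submitted_blob), deserialize(stored_blob))


def random_template(rng, n=20):
    """Constructed sample: random minutiae in a 210x210 region."""
    return [Minutia(rng.randrange(20, 230), rng.randrange(20, 230),
                    rng.randrange(0, 360), rng.random() < 0.6) for _ in range(n)]


def noisy_copy(template, rng, shift=(11, -7), jitter=2, drop=3):
    """Simulate a second capture of the same finger: shifted, jittered, some minutiae missed."""
    return [Minutia(m.x + shift[0] + rng.randint(-jitter, jitter),
                    m.y + shift[1] + rng.randint(-jitter, jitter),
                    (m.angle + rng.randint(-5, 5)) % 360, m.ending)
            for m in template[drop:]]


def demo(seed=1234):
    rng = random.Random(seed)
    enrolled = random_template(rng)
    genuine = noisy_copy(enrolled, rng)
    impostor = random_template(rng)
    return {
        "template_bytes": len(serialize(enrolled)),
        "genuine": cloud_verify(serialize(enrolled), serialize(genuine)),
        "impostor": cloud_verify(serialize(enrolled), serialize(impostor)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server recomputes the score from the stored template, a client that merely claims "matched" gains nothing, which is the property option 2 buys over option 1; the same `cloud_verify` logic would sit behind option 3, with extraction moved server-side as well.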
The third option might appear to have less privacy than the second solution, but that doesn't really make sense. You wouldn't be sending templates to a company that you didn't already have a relationship with, so why would you be concerned about sending them a picture? The connection itself is encrypted, so someone can't intercept the communication. And most people have their image available online somewhere anyway, so why would they be concerned about a company having it in order to validate them?
From one of the interviews on the MasterCard product:
"Those ones and zeros have got to be protected," cyber security analyst Theresa Payton told TODAY. "That is information that, candidly, belongs to me. That's now out of my control and could potentially be used by a hacker."
I'm a huge privacy advocate, but I have never understood why people think an image of their face is somehow something that needs to be protected. I can understand not wanting to have your picture taken without your knowledge, but your face is something you are broadcasting all the time anyway. There is only so much you can do to truly protect it aside from living your life in a cave.