Companies Try Out Selfies as Password Alternatives
Facial-recognition apps use smartphone snapshots to verify identity of customers, taxpayers
Selfies,
long derided as a symbol of narcissism and oversharing, have found a more
serious purpose.
Companies
and government agencies—ranging from the ride-hailing service Uber Technologies
Inc. and credit-card giant MasterCard Inc. to the Alabama Department of
Revenue—are asking people to snap self-portraits on their smartphones as proof
of identity.
As the
quality of smartphone cameras improves and facial-recognition software becomes
more affordable, the digital future might involve fewer convoluted passwords
and more selfies. But there’s a downside: some cybercrime experts worry that
people might be too quick to offer up their smiling faces, saying the
technology is rife with privacy
and security concerns.
“People see
this technology and presume that it is automatically safe, but in the end, it
all just comes down to math,” said Marc Goodman, a global security consultant
and author of the book “Future Crimes.” “There is nothing safer about [facial
recognition], except that it rules out the challenges of password management.”
Facial
recognition is part of the wider field of biometrics—the analysis of human
physical characteristics including fingerprints, eyes and voices, mostly for
security purposes. The technology is designed to help combat fraud and make it
easier to digitally verify someone’s identity.
The
authentication process typically starts with an app that asks users to snap a
photo of themselves every time they do something online like make a purchase or
file their taxes. Software uses the photo to make thousands of facial
measurements, such as the width of the nose or the curve of the jaw, and
converts them into a string of numbers to create a unique ID code. Then, it
compares the code to a reference photo that the person has left on file. A
highly probable match verifies the person’s identity.
The
technology’s accuracy is far from perfect. Shadows, low lighting or facial hair
can confuse the software. Underscoring the shortcomings of facial recognition, Alphabet Inc.’s
Google unit sparked an outcry last year after its Photos app
misidentified two black people as “gorillas.” Google apologized and said it was
tweaking its algorithms to fix the problem.
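The matching step and its sensitivity to photo quality, described in the two paragraphs above, can be sketched as follows. This is an added example, not code from any of the companies named in the article: the template length, the cosine-similarity score, the 0.8 threshold and the use of random noise to stand in for shadows or low lighting are all assumptions, and the templates are constructed data.

```python
import math
import random

DIM = 256          # assumed template length; real systems choose their own
THRESHOLD = 0.8    # assumed decision threshold on cosine similarity

def make_template(rng, dim=DIM):
    """Constructed stand-in for the 'string of numbers' derived from a face."""
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]

def recapture(template, rng, noise):
    """Simulate a new selfie of the same person; noise models capture quality."""
    return [x + rng.gauss(0.0, noise) for x in template]

def similarity(a, b):
    """Cosine similarity between two templates, in [-1, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def verify(reference, probe, threshold=THRESHOLD):
    """Accept only if the probe is a sufficiently probable match."""
    return similarity(reference, probe) >= threshold

def demo():
    rng = random.Random(2016)  # fixed seed so the constructed data is repeatable
    reference = make_template(rng)
    probes = {
        "same person, good photo": recapture(reference, rng, noise=0.1),
        "same person, poor photo": recapture(reference, rng, noise=2.0),
        "different person": make_template(rng),
    }
    return {name: (round(similarity(reference, p), 3), verify(reference, p))
            for name, p in probes.items()}

if __name__ == "__main__":
    for name, (score, accepted) in demo().items():
        print(f"{name:26s} score={score:+.3f} accepted={accepted}")
```

The decision is a score compared with a threshold, so a legitimate user with a poor capture can be rejected, and moving the threshold trades false rejections against false acceptances.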
Another
drawback: As hackers get more sophisticated, they might find biometric data
more valuable—and permanent—than passwords. A face or fingerprints, unlike a
password, can’t be easily altered.
In 2014 and
2015, hackers stole a total of 5.6 million fingerprints of current and former
federal employees from the U.S. Office of Personnel Management. An OPM
spokesman said at the time that “federal experts believe that, as of now, the
ability to misuse fingerprint data is limited,” but he added that “this
probability could change over time as technology evolves.”
Still, some
companies are forging ahead with identity verification programs based on
selfies.
Last month,
Uber said it would periodically ask its drivers to take their own photo before
accepting ride requests. The Uber app then runs the selfie through Microsoft Corp.’s
cloud-based Cognitive Services software tool, which uses an
algorithm to see if the photo matches one on file. Uber said that some
mismatches occurred in its tests over the past few months, mostly due to bad
photos used as reference shots. But it said it was able to verify the identity
of 99% of its drivers.
This month MasterCard launched an app called Identity Check
Mobile that encourages customers to authenticate themselves with selfies when
using their credit cards online. During a transaction, a customer receives a
text message that opens an app and asks the person to look into a digital frame
on their smartphone. The app requires the user to blink so no one can beat the
system by substituting a printed photo.
MasterCard,
which is starting the program in Europe, said 92% of the customers involved in
its pilot program want biometrics to replace passwords for their mobile-banking
logins.
Last month,
British bank HSBC Holdings PLC started a similar program
that allows customers to open an account using a selfie, which the bank
compares to a driver’s license or other photo ID uploaded by the customer.
Local
governments also are jumping on the bandwagon. Later this year, the tax
departments of Alabama and Georgia plan to use an app created by
identity-protection company MorphoTrust USA to authenticate tax returns filed
online. It will compare selfies of the filers against their photos in the
Department of Motor Vehicles database.
Behind the
scenes, companies that use facial-recognition software bear the burden of
keeping the data secure. Some companies, including MorphoTrust, keep an
individual’s biometric data on their app, rather than store it on a company
server.
Others, such as MasterCard, keep the initial photo of a face on their servers. A
MasterCard spokeswoman said the original image is deleted once it is turned
into numeric data and encrypted. By next year, the company aims to enable users
to store the data on their mobile devices.
Tom Grissen,
chief of biometrics company Daon, which is behind MasterCard’s Identity Check
Mobile authentication system, said it would be difficult for hackers to use
selfies to steal personal data because it isn’t currently possible to translate
a coded mathematical representation of a face into a raw image.
But Jennifer
Lynch, a senior attorney at the nonprofit digital-rights group Electronic
Frontier Foundation, warns that hackers have their eyes on biometric data, and
could find ways to make use of it. “Once it’s stolen, it’s a huge risk,” she
said.
Regards
Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co