A man has the picture of his face taken by an officer at Pos Indonesia in Lebak, Banten, as part of an authentication process for his social benefit disbursement, on Feb 18, 2022. (Antara Photo/Muhammad Bagus Khoirunas)

Recognizing the Differences: Facial Authentication vs. Facial Recognition


JUNE 03, 2021

Amid increasing concerns around privacy, security, and human rights, some of the biggest technology companies have taken a stand against allowing law enforcement to use their facial recognition technology. Amazon, IBM, and Microsoft made the move as concerns surrounding the ethical use and security of facial recognition technology increasingly surfaced.

However, here in Asia, governments are fast embracing facial recognition technology for identity verification purposes. The pandemic has also served to accelerate digitalization efforts and the need to reduce surface contact.

The Indonesian Government, for example, is trialing a facial recognition verification system that makes it easier for residents to claim social assistance. Singapore plans to roll out such technology at major events as the economy reopens to reduce unnecessary interactions between participants.

Despite its convenience, the technology has also been met with equal doses of controversy and skepticism since its inception.

One notable case is Clearview AI, an American company that scraped billions of photos from social media without the public’s knowledge, building a near-universal facial recognition application and inciting cries of infringement on constitutional freedoms. The prevalence of facial recognition in China and its ties to China’s social credit system have also raised privacy concerns.

While the social aspects of unchecked facial recognition are concerning, the security mechanisms (or lack thereof) that keep hackers out of the servers housing the databases, and the growing number of inaccurate matches (disproportionately impacting minority populations), are just as troubling.

These are genuine issues that merit debate in industry, government, and community settings so we can figure out ways to use this type of technology without violating human rights. But the proverbial baby that should not get thrown out with the bathwater is a related but fundamentally different technology: facial authentication.

Before we go deeper, it is important to note that there are two fundamental approaches to facial — or any biometric — authentication: “match on server” and “match on the device.” The former approach shares some of the risky aspects of facial recognition technology because it stores the details of one’s most personal features — your face or your fingerprint — on a server, which is inherently insecure.

There are some well-publicized examples of biometric databases being hacked, which is why so many companies are committing to do only on-device biometrics.

Using “match on device” authentication, the facial scan compares the current face with the one already stored on the device; it never searches the cloud for a match, and the scan never leaves the device at all. The scan simply confirms that the person requesting access to, say, a laptop, a smartphone, or a particular website is who they claim to be. This approach uses a one-to-one comparison and specifically allows a user access to a machine, a website, or an application instead of taking on the risk and challenge of using a password.

Apple’s FaceID, which is arguably the most well-known of facial authentication applications, encrypts the data on a chip on the user’s device — as do Google Android biometrics and Windows 10 PCs that leverage cameras (or fingerprint scanners) for Windows Hello. This means that even if these devices are stolen or lost, the biometric scan remains secure from bad actors.

A common thread across these devices is that they all support industry-backed FIDO standards, which leading service providers have developed in collaboration with leading technology vendors and will be leveraging to provide simpler and safer login experiences that do not depend on passwords susceptible to theft or hacking.

Opting for more robust authentication is even more crucial in the Asia-Pacific region, a hotbed for cyberattacks where threats are 1.6 times higher than the global average. Reliable technology, such as facial authentication built upon secure biometric authentication mechanisms, must be considered to provide a safer yet undisrupted experience for the user.

Facial authentication is not only different from facial recognition; it is also the easiest and most secure method to log in to your device, and soon to log in to websites as well.

Andrew Shikiar is the executive director of FIDO Alliance, a multinational, open industry association focused on authentication standards.