Cover Story: Normalising facial recognition technology

This article first appeared in The Edge Malaysia Weekly, on November 16, 2020 - November 22, 2020.
-A +A

“How do you know you’re really talking to me right now, Vanessa?”

Andrew Bud, founder and CEO of iProov Ltd, an online biometric authentication company, put forward this question in the middle of our virtual conversation. He has a valid point, especially since we live in the era of deepfakes that show former US president Barack Obama spouting fake news, and Facebook CEO Mark Zuckerberg “admitting” to data breaches and countless porn videos, ostensibly starring famous female celebrities, on social media.

With technological advancements evolving at a rapid speed, hackers have also become more sophisticated in their methods of targeting and misleading victims online.

It is no wonder a large number of people are still not comfortable with facial recognition technology, although it can speed up transactions and make them more convenient. In fact, this technology is even more secure than knowledge and device-based digital security measures, which are the default security solutions at the moment.

Bud explains that, with the basic principle of multi-factor authentication, one should have at least two out of three factors that typically consist of knowledge-based authentication (something you know, such as your mother’s maiden name), device-based authentication (something you own, such as your phone) and biometric authentication.

The first two factors have drawbacks, he adds, as they can be hacked or transferred. “Knowledge-based is the weakest. The information is not hard to find. If you are a malicious site and you ask me to put it in as a security factor, you will learn it,” he explains.

Device-based authentication is much stronger, but will be an issue if the device is compromised. “What happens when you drop it down the toilet or, more importantly, if it gets stolen or lost? At that point, you cannot use your device to authenticate yourself because a possession is only useful to you as long as it’s in your possession.”

David Lim, CEO and co-founder of Wise AI Sdn Bhd, tells Digital Edge that facial recognition technology strengthens security because it requires a higher level of authentication to access a person’s account compared with existing methods.

“With facial recognition, you’re using what you have. For example, now we use an email and password to log into our bank accounts; but what if those details are exposed, which happens a lot already? With biometric authentication using facial recognition, it’ll be difficult for people to hack accounts,” he explains.

“It boils down to consent. For example, when you go to the bank and you give your thumbprint, you have already consented to give your thumbprint. So, in the future, when using facial recognition on your phone, you’re giving consent as well.”

Jim Huang, founder and CEO of Parcel Santa, a Singaporean parcel delivery solution that uses facial recognition technology, concurs. He points out that if surveillance is the concern, it has all been thrown out the window since Covid-19 hit, as people are now required to jot down their personal details when entering public premises.

“There are areas of our lives that will remain private. But let’s not kid ourselves and believe that we’re in a pod, separated from society.”

"We have noticed that strong security is taken more seriously in Southeast Asia than in countries in some other regions." - Bud

Strengthening digital trust

A strong usable digital identity is fundamental to a digital economy. iProov’s Bud says if a country has a strong, usable and inclusive digital identity document (ID) infrastructure, it can transform its digital economy because it creates trust, which is a crucial requirement for the online ecosystem.

“The creation of that trust is quite a difficult and complicated business, and GovTech (Government Technology Agency of Singapore) has done that with its digital ID platform. The key is that it wanted a method to strongly authenticate a person through their digital ID,” he says.

Recently, the Singapore government, under GovTech, extended its national digital identity programme with face verification solutions from iProov and Toppan Ecquaria. GovTech is the government agency driving Singapore’s digital government transformation and Smart Nation initiative.

Since 2018, the Malaysian government has been looking to implement a national digital ID programme under the Malaysian Communications and Multimedia Commission (MCMC) but has yet to roll it out. Wise AI’s Lim says infrastructure is not the issue, but how to get people to register their faces for facial verification.

“There will be issues with the process but, in my opinion, it has to be done. My guess is that it will take 10 years to do it here.

“eKYC (electronic know-your-customer) will be the trend for the next five years and digital ID in the next 10 years, led by the financial services players such as digital banks and internet companies.”

iProov was selected, following an open international tender. The company’s biometric authentication technology will be used for its Genuine Presence Assurance, which will enable four million SingPass users to authenticate themselves and prove that they are genuinely present when accessing online government services on computers or at kiosks. Activities such as completing a tax return can now be done with a simple facial biometric scan, replacing the need for passwords.

“There are areas of our lives that will remain private. But let’s not kid ourselves and believe that we’re in a pod, separated from society.” - Huang

iProov’s technology is simple. When a person needs to verify himself, its cloud server generates a cryptographic code that is sent to the person’s device. That code tells the device to flash a sequence of colours on the screen in quick succession and, while that is happening and the person’s face is being illuminated by the screen, a video of his face is sent back to iProov’s servers.

In the three-second video, the light reflections on the person’s face are analysed. If it reflects off the face correctly, it knows that it is a skin-covered 3D human face and not a photo. If the sequence of colours is correct, it knows the person is in front of the screen; but if the colours do not change or it is in the wrong sequence, then it knows that what was sent back is a recording.

“Nobody can predict what that sequence of colours that’s going to illuminate your face might be until it happens. The great thing is, you don’t have to do anything. You just have to look at your screen. It’s easy and intuitive,” says Bud.

“A digital ID is a set of data about someone, but it needs to be bound to someone to make sure it’s the right person, and they want a strong, robust and inclusive universal way of doing it.”

“With biometric authentication using facial recognition, it’ll be difficult for people to hack accounts.” - Lim

As iProov is based in Europe, it is subject to the General Data Protection Regulation (GDPR), which states that the company has to make very clear what it is going to use the data for and it is prohibited from using the data for anything else. Bud adds that the company has also put up a privacy firewall.

“This makes sure that no information about the identity of the user or their attributes is passed to us. So, when the Singapore government or any other customer refers to a user when communicating with us, they use a completely anonymous pseudonym made up of a meaningless string of numbers,” he explains.

“iProov never knows the user’s name, address, social security number, telephone number or anything else. All we’re doing is comparing anonymous biometric data and we don’t pass any biometric information back to the Singapore government.

“We see the user’s biometrics and know nothing about the user, and the Singapore government knows about the user but doesn’t see the biometrics, and between them is a privacy firewall. So, user privacy is very strongly protected.”

The concept is similar to that of Parcel Santa, which partners with courier companies to authenticate delivery personnel who deposit items at residential lockers. Huang shares that the technology used at its parcel lockers only encrypts a person’s facial biometrics into a code, which becomes that person’s identity. It is the code that gets recorded, not the picture.

The company started using facial recognition technology at its lockers in 2018 as a method to verify and authenticate couriers that deliver parcels to the lockers. Huang shares that security was a big concern prior to that because, out of convenience, delivery personnel shared their user ID and passwords to access the lockers. This opened up a lot of room for illegal activities to happen.

“We don’t want our lockers to be misappropriated for criminal activity such as transporting stolen goods. So, this was put in to ensure that whoever visits the lockers are who they say they are and have the authorisation to use the lockers,” he says.

“We implemented it in the majority of our lockers across the network and it has helped increase efficiency as well because, now, instead of keying in a user ID and password, it’s a two-second scan of the face and couriers can deposit the parcel immediately.”

Parcel Santa is Singapore’s only private local operator providing parcel lockers exclusively for residential communities. Huang says, typically, a courier can deliver 70 to 80 parcels a day manually but, with the smart lockers in place, they can deliver up to 320 parcels a day.

The Singapore government also recognised the time and cost savings this solution allows on top of being a contactless delivery option in the era of Covid-19. It plans to roll out these lockers in public residential areas, and Huang says Parcel Santa will work with the government in areas that it has not covered, which are essentially the private residences.

Booming Southeast Asian landscape

Southeast Asia is one of the more exciting markets for international companies specialising in facial recognition technology. iProov’s Bud says this is because consumers adopt technology enthusiastically and are more aware of privacy concerns and, thus, less fearful about it.

“People here understand the range of cyber threats that can be posed. We have noticed that strong security is taken more seriously in Southeast Asia than in countries in some other regions,” he explains.

“This combination of having an accepting and dynamic population that demands convenience but also understands security makes this region a very exciting market for us. There is a lot of evolution going on in the region. In Malaysia, for example, there have been changes with eKYC, something in which other parts of the world — including certain European countries — are a long way behind.

“We are putting a lot of effort there now. It’s a mobile first market, which means convenience is very important.”

The challenge now is to explain to people how this technology is safe to use. Bud says: “It’s a legitimate question, and people need to learn the difference between facial recognition and facial verification, as the latter requires consent. All we need to do is keep explaining.”

Meanwhile, Wise AI’s Lim shares that the rapid digitalisation seen in the country because of Covid-19 made education efforts easier. The company did not need to put in much work to educate people about the importance of facial recognition technology and Internet of Things (IoT).

However, there is room for improvement on the uses of this technology. According to an SME Corp survey done in 2018, 35% of companies use tech such as IoT, mainly for security and surveillance as well as fleet management. Meanwhile, about 45% of companies use cloud services, driven by online storage demand such as Dropbox and Google Drive.

“In terms of facial recognition technology, the most common application will be attendance. We still have some room for improvement on this front,” he says.

“If we really drill down into why this is happening and why we are always seeing facial recognition used for attendance, the root problem is the business model. If all the application and IT companies were to integrate facial recognition into their products, the first thing they would need to figure out is how to charge customers.

“Facial recognition is just a tool to obtain results through analytics and not the result itself. So, people might be hesitant with that as well.”