Will Facial Recognition Bring the End of CAPTCHA?

Alana L. Domingo - April 26, 2018

By now, you’ve probably seen that viral image of a Chinese policewoman wearing a pair of high tech glasses. You know, this one:

Embed from Getty Images 

Police officers in Zhengzhou, the capital of Henan province, are testing out new smart glasses as a way to identify potential suspects. The glasses capture facial data which is sent to an internal criminal database for comparison. So far, over 30 people have been arrested due to positive matches, thanks to the smart glasses’ somewhat unnerving accuracy.

Related Post: How A.I. and Machine Learning Can Combat Fraud

In the not-too-distant past, this kind of tech was merely the stuff of science fiction. But facial recognition technology is gaining traction like never before, with advancements in A.I. and machine learning leading the charge. And now, some argue that facial recognition could replace something we all love to hate: CAPTCHA tests.

Built on Biometrics...

To see how facial recognition might take traditional CAPTCHA’s place, we first need to understand how the technology works.

Facial recognition stems from biometrics, a form of technology that helps identify people based on physical characteristics or behavior. Voice recognition, fingerprint matching, and iris scanning all fall under the biometrics umbrella.

Let’s pretend you’re trying to unlock your smartphone via facial authentication. To properly identify you, the facial recognition software needs to detect certain features on your face. The features, called nodal points, may include the distance between your eyes, your nose length, your cheekbone shape, and your jaw width.

Related Post: Are You Being Ghosted by a Bot?

Based on images captured by your smartphone’s camera, the software analyzes the distance between the nodal points and creates a map of your face. Known as a faceprint, the map looks like a complicated connect-the-dot puzzle. The software compares the faceprint with others already in its database, looking for a positive ID.  

In most cases, if the software finds a match, it’ll unlock your phone. If not, it might prompt you to do something else to prove you’re you, like entering a unique password or PIN number.

w_g_Science_face_recognition

Source: Live Mint

Lots of services have already replaced traditional CAPTCHA tests with facial authentication to prove that users are human, not bots. Several banks, including Chase and USAA, let users sign into their mobile accounts with a selfie. Apple Pay now supports facial authenticated payments for iPhone X owners.

...But Not Without Problems

At first glance, facial recognition authentication seems pretty foolproof. Smiling for a camera is a lot easier than typing in long passwords or trying to read blurry, warped text. And since (mostly) everyone has unique facial features, it seems the chances of someone, let alone a bot, hacking into accounts or making purchases are slim.

Unfortunately, that isn’t quite the case. Facial recognition services can be tricked using a number of unconventional but effective methods. For one, you can defeat the weakest facial authentication systems simply by holding up a victim’s photo to the camera.

You could also put on glasses and impersonate someone else. In 2016, a team at Carnegie Mellon found that facial recognition software “learns” by analyzing patterns of pixels based on data collected from faceprints. So, to trick the software, they printed different patterns on the glasses’ frames to make the software "see” specific people.

Related Post: They're Getting Smarter: A.I. Is Beating CAPTCHA Tests

If you’re feeling extra ambitious, you can even “steal” someone’s face completely. Researchers from Stanford, Max Planck, and Erlangen-Nuremberg created a system called Face2Face that manipulates existing video in real-time, letting users control the facial expressions of a person in the target video. See this in action in the clip below:

 

Source: YouTube

Finding Solutions

Even though people found methods to fake out facial authentication systems, others created ways to strengthen them. A Georgia Institute of Technology research team developed what they call rtCaptcha (Real Time CAPTCHA), a system that pairs facial recognition with encoded CAPTCHA puzzles.

Strong facial authentication tests ask users to blink or smile to prove they’re actually real (and not a photo, as mentioned above). But software like Face2Face can spoof the required physical actions, thwarting the authentication system.

rtCaptcha works to prevent that from happening. Instead of prompting users to blink, rtCaptcha presents a CAPTCHA puzzle for them to read out loud. So, now not only would attackers need to present a face, they’d also have to answer a question.

rtcaptcha

Source: rtCaptcha: A Real-Time CAPTCHA Based Liveness Detection System

In case that wasn’t enough, rtCaptcha adds another layer on top of that. Users only have a few seconds to answer. Hypothetically, the time is too short for A.I. and human attackers working through software to both analyze the CAPTCHA puzzle and generate the correct response.

Although rtCaptcha is in its early stages, it offers a valid solution for making existing facial authentication systems more secure.

Facing the Future

Despite its current limitations and security flaws, facial recognition looks poised to overshadow traditional CAPTCHA tests, especially as the Internet of Things and other devices adopt the technology. And until the technology can be completely secured, expect old school methods like CAPTCHA to stick around for a little while longer.

 

New Call-to-action

Alana L. Domingo

Alana Domingo is the Junior Content Writer for eZanga and its ad fraud management platform, Anura. Born in Philadelphia but raised in Delaware, she attended Temple University and earned a BA in Communication Studies, concentrating on contemporary media environments. When she's not working, you can usually find her playing The Sims, reading comic books, and taking care of her three pet frogs.