UIDAI's Plan To Deploy Facial Recognition For Aadhaar Verification Is A Horrible Idea
18 January, 2018
The Unique Identification Authority of India (UIDAI) on Monday made a somewhat troubling announcement that it plans to soon roll out face identification as part of additional security for Aadhaar verification.
The feature is expected to drop sometime before July, supposedly to make it easier for people unable to authenticate via fingerprint or iris scan. So why is that a bad idea, you ask? Well, there are a few things to consider.
Firstly, it seems face recognition will only be used in “fusion mode”, meaning it’ll only be acceptable alongside one of the other existing authentication methods - fingerprint, iris scan, or OTP. “The UIDAI has decided to enable face authentication in fusion mode on registered devices by July 1, 2018 so that people facing difficulty in other biometric authentication (fingerprint and iris) could easily authenticate,” the Aadhaar authority said in a statement. “The face authentication feature will provide an additional option for all residents to have inclusive authentication. Besides, the feature will also be allowed on a need basis.”
That’s great, two-factor security is always better. The problem is that UIDAI has no intention of mapping people’s faces for this facial recognition tool. According to it, there’s no need to capture any additional reference data as users’ photos are already stored in its Central Identities Data Repository (CIDR). That’s a terrible idea.
Consider why facial recognition hadn’t become a major selling point in smartphones until perhaps the iPhone X. That’s because pre-existing facial recognition technology using regular cameras was rudimentary and easily beaten by holding up a photo to the camera. That goes doubly when the reference for the scan isn’t a 3D map of a person’s face, but instead a 2D photograph. How many of you really believe a camera would match you to the crappy, or old, photo on your Aadhaar card? The spirit of the new feature may be right, but the implementation plans are riddled with loopholes.
Of course, there are certain limitations to beating a system like this. Say someone tries to authenticate a transaction using your Aadhaar card details. If they're holding up a photo to the camera (instead of your actual face), a watching supervisor is going to catch them, realizing that they are trying to use an Aadhaar that doesn't belong to them. Unless, of course, they have an accomplice there, in which case they pay the accomplice a little something and can do whatever they like. We’ve seen that happen before.
Add to that the fact that it’s pretty easy to steal a person’s cell phone - likely the only one they’ll have on them, and probably the one with their registered Aadhaar phone number as well. Poof, they now have your OTP as well. Right now, having your smartphone and therefore your OTPs stolen is still a possibility, but you're likely going to use your fingerprint as biometric identification anyway. A thief can't steal that. But what about when the more convenient face identification is introduced, and you don't realise it doesn't have the security that should accompany it?
In short, all someone has to do is steal your smartphone. They now have photos from your album or social media account, access to the registered number for OTPs, and therefore your bank accounts. Unless you have a password on your device, of course. Ironic that a four-digit PIN may be more secure than your entire life stored in the country’s citizen database.