The use of face authentication for Aadhaar is unlikely to work in the way that Unique Identification Authority of India (UIDAI) has envisioned. This sentiment has been shared by noted experts in the domain, who believe that implementing face ID (as part of the two-factor authentication) has come ‘too little too late.’
While they accept that implementing the two-factor authentication (2FA) is the right move, they’re not sure how the UIDAI will be able to execute it across different parts of the country by 1 July, the day when the feature is supposed to come into the system.
But before we tell you what we think is going to happen, let’s take a look at what the official circular from UIDAI has to say about the matter and why this feature is being added.
Also Read: Chehra Hai Ya Aadhaar ID? UIDAI Rolls Out Face Authentication
While most of the residents are able to authenticate using fingerprint or iris authentications, some residents face difficulty in successfully using biometric authentication using either of them. Face authentication (FA) will come as an additional choice to create inclusive authentication for residents having difficulty with finger/iris IDs.UIDAI circular
And how is the UIDAI going to make this feature work? According to Ankush Johar of Infosec Ventures, an IT security company, UIDAIs face ID feature is basically going to see if the likeness of the original image is the same as the image that was taken while registering for the Aadhaar card.
Also Read: Aadhaar’s Dirty Secret Is Out, Anyone Can Be Added as a Data Admin
The matching of photo is not going to happen on the device, it will only capture. The photo will be sent to a central server, just like how it happens right now with Aadhaar numbers.
Let’s put its use-case into a real-life example now. A person heads to collect his monthly ration, where the vendor is likely to have an entry-level phone/tablet.
He will take a picture with that, which will check with the server where your original picture resides to see if there is a likeness of that image.
But that’s where the big concern lies.
To do the authentication you don’t need a high-end device, but the larger issue is the origin/source (required to verify), is compromised. The image stored in the database is not high-resolution which could result in failure to authenticate the personAnkush Johar, Director, Infosec Ventures
This situation is bound to arise, especially when UIDAI plans to use the single face photo which is already there in the database.
UIDAI’s Face ID Different From Apple’s Tech
Ever since the announcement was made, many people started co-relating the face authentication feature with Apple’s iPhone X. But sadly, Ankush is confident that UIDAI’s tech is nowhere close to how Apple’s face ID works.
In addition to that, he points out the big difference between UIDAI and Apple’s implementation of the feature.
Given that Apple invested a big sum to develop the infrared-based specialised hardware to capture a 3D image of a person’s face, it’s dicey how it would compare to the 3-5 MP cameras used at the time of enrolment.Ankush Johar, Director, Infosec Ventures
Every two to three years, our face changes. While Apple lets users update their face ID on the iPhone X, UIDAI will have a tough ask updating its photo database on a regular basis.Ankush Johar, Director, Infosec Ventures
Face ID for Aadhaar – Will it Work?
While Ankush is pleased that the 2FA has been finally put into place, but in hindsight they feel these measures are being taken without actually considering its viability, especially with respect to executing them.
By bringing FA in fusion, UIDAI is saying we’re not going to rely on this completely. Also, they should have brought this long back, not when 1.9 billion people have already enrolled for AadhaarAnkush Johar, Director, Infosec Ventures
India isn’t going to be the first country to implement face authentication, but using 2FA could reduce the instances of mass breaches, as accessing data of millions of users simultaneously becomes harder to execute.
With 2FA in place, UIDAI is likely reduce negate instances of mass data breaches in the coming future.
But their appreciation comes with a word of caution, and the recent security mishaps compel them into mentioning that.
The photo is essentially 2D in nature, captured in low-resolution. Anybody could use your picture and the likeness will be 100 percent.Source to The Quint
So, there is a high possibility that UIDAI might have to take the source picture of the people one more time, making it mandatory for those who aren’t able to use fingerprint or iris IDs right now.
All this has made them believe that bringing Face ID into the equation, is not going to make any qualitative difference and the number of people using it is likely to be miniscule.
(We Indians have much to talk about these days. But what would you tell India if you had the chance? Pick up the phone and write or record your Letter To India. Don’t be silent, tell her how you feel. Mail us your letter at lettertoindia@thequint.com. We’ll make sure India gets your message)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)