The big picture: Selfies are increasingly taking on a surprising new role: verifying your identity online. Some banks and even governments have started mandating live selfie captures during video calls to prove who you are before accessing services. However, giving tech companies your selfie is far from a smart cybersecurity move, as a new report has highlighted.
Multiple security experts and market analysts who spoke to The Register discussed this practice, highlighting just how unsafe it is and advising on ways it can be improved.
The selfie authentication trend has been brewing for years, says Akif Khan, a VP analyst at Gartner who advises organizations on implementing the technology. He told the publication that interest in selfie ID verification has been very high and steadily growing, with an "uptick" recently as the pandemic drove more services online.
Concerns came to a head last week when Vietnam made face scans in phone banking apps compulsory for any digital transaction over $400. Vietnamese media voiced skepticism that selfies would improve security, and within days some apps were reported to accept a simple still photo in place of the live selfie video they were supposed to require.
The rise of selfie ID aligns with anti-money laundering (AML) and know-your-customer (KYC) regulations that require identity checks, though the specifics vary by jurisdiction and change frequently. Those requirements also have to be balanced against each region's data privacy rules, which can pull in the opposite direction.
How companies handle selfie data is a problem too, according to Kevin Reed, CISO at Acronis. He told the publication that businesses frequently fail to manage and dispose of verification images properly after use, leaving a trove of face images exposed to theft should criminals decide it is worth taking.
A Resecurity report previously highlighted a Singapore payment provider that had users submit a photo of themselves holding their ID next to a handwritten sign, presumably to prove liveness. Reed dismissed this technique as only "slightly better" than a plain selfie, since such an image is still easy to edit. Khan wasn't confident about it either, calling it a "stopgap" measure while a proper solution is developed.
A better solution is "liveness" detection technology from third-party vendors integrated into apps and websites.
Liveness check vendors deploy a range of techniques to validate that users are physically present. These include prompting the user to perform movements during the selfie capture, such as turning the head or changing expression. Khan noted that these checks are aided by machine learning and can also detect injection attacks, in which a deepfake video is fed to the app in place of the live camera feed. They analyze depth, edges, light reflection, and even signs of blood flow during verification.
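The gesture-based ("active") checks described above, and the still-photo failure reported from Vietnam, both come down to one verifier-side rule: the subject must perform a sequence of gestures chosen at random after the session starts, in order and within a time window. The following is an added example, not code from any vendor or from The Register's article, showing that challenge-response logic in isolation. It assumes a client-side face-tracking model that emits (gesture, timestamp) events; that model, the deepfake detection, and the depth, reflection and blood-flow analysis mentioned above are out of scope here, and the gesture names, field names and timing thresholds are illustrative choices.

```python
"""Challenge-response liveness verification (added example, not a vendor's code).

The verifier issues a random gesture sequence bound to a one-time nonce and a
session. A still photo produces no gesture events, and a pre-recorded or
deepfake clip prepared before the session cannot know which sequence will be
asked for. Gesture detection itself is assumed to be done by a face-tracking
model on the client and is represented only by the events it would emit.
"""

import secrets
import time

# Illustrative gesture vocabulary; a real product defines its own.
GESTURES = ("turn_left", "turn_right", "smile", "blink", "nod")


class LivenessVerifier:
    def __init__(self, ttl_s=30.0, n_gestures=3, min_gap_s=0.3):
        self.ttl = ttl_s              # challenge validity window
        self.n = n_gestures           # gestures per challenge
        self.min_gap = min_gap_s      # a live subject cannot switch gestures instantly
        self.pending = {}             # nonce -> (session_id, gestures, issued_at)
        self.used = set()             # burned nonces, to refuse replays

    def issue_challenge(self, session_id, now=None):
        """Create a fresh random challenge bound to this session."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        gestures = []
        while len(gestures) < self.n:
            g = secrets.choice(GESTURES)
            # No immediate repeats: a single frozen frame must not satisfy two steps.
            if not gestures or g != gestures[-1]:
                gestures.append(g)
        self.pending[nonce] = (session_id, list(gestures), now)
        return {"session_id": session_id, "nonce": nonce,
                "gestures": gestures, "issued_at": now}

    def verify(self, session_id, nonce, events, now=None):
        """events: list of (gesture, timestamp) from the client detector, in order seen.

        Returns (accepted, reason). The nonce is burned on every attempt, so a
        failed or replayed response cannot be retried under the same challenge.
        """
        now = time.time() if now is None else now
        if nonce in self.used:
            return False, "replayed nonce"
        self.used.add(nonce)
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False, "unknown nonce"
        sid, expected, issued_at = entry
        if sid != session_id:
            return False, "nonce bound to a different session"
        if now - issued_at > self.ttl:
            return False, "challenge expired"
        if not events:
            # A static image never yields a gesture event.
            return False, "no gestures observed (still image?)"
        observed = [g for g, _ in events]
        if observed != expected:
            return False, f"gesture sequence mismatch: expected {expected}, got {observed}"
        stamps = [t for _, t in events]
        if stamps[0] < issued_at or stamps[-1] > now:
            return False, "gesture timestamps outside the challenge window"
        if any(b - a < self.min_gap for a, b in zip(stamps, stamps[1:])):
            return False, "gestures too close together for a live subject"
        return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: one honest response, then a replay of it.
    v = LivenessVerifier()
    ch = v.issue_challenge("sess-demo", now=1000.0)
    honest = [(g, 1001.0 + i) for i, g in enumerate(ch["gestures"])]
    print(ch["gestures"], v.verify("sess-demo", ch["nonce"], honest, now=1005.0))
    print("replay:", v.verify("sess-demo", ch["nonce"], honest, now=1006.0))
```

Two design points matter more than the gesture list itself. The sequence must be drawn after the session opens, otherwise an attacker can pre-record the right clip, and the nonce must be single-use and session-bound, otherwise a captured honest response can be replayed into a second session. Timing bounds close the remaining gap between "the right gestures appeared" and "a person performed them now".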