
Will Facial Recognition Bring the End of CAPTCHA?

By now, you’ve probably seen that viral image of a Chinese policewoman wearing a pair of high-tech glasses.

Police officers in Zhengzhou, the capital of Henan province, are testing out new smart glasses as a way to identify potential suspects. The glasses capture facial data which is sent to an internal criminal database for comparison. So far, over 30 people have been arrested due to positive matches, thanks to the smart glasses’ somewhat unnerving accuracy.

In the not-too-distant past, this kind of tech was merely the stuff of science fiction. But facial recognition technology is gaining traction like never before, with advancements in A.I. and machine learning leading the charge. And now, some argue that facial recognition could replace something we all love to hate: CAPTCHA tests.

Built on Biometrics...

To see how facial recognition might take traditional CAPTCHA’s place, we first need to understand how the technology works.

Facial recognition stems from biometrics, a form of technology that helps identify people based on physical characteristics or behavior. Voice recognition, fingerprint matching, and iris scanning all fall under the biometrics umbrella.

Let’s pretend you’re trying to unlock your smartphone via facial authentication. To properly identify you, the facial recognition software needs to detect certain features on your face. The features, called nodal points, may include the distance between your eyes, your nose length, your cheekbone shape, and your jaw width.

Based on images captured by your smartphone’s camera, the software analyzes the distance between the nodal points and creates a map of your face. Known as a faceprint, the map looks like a complicated connect-the-dot puzzle. The software compares the faceprint with others already in its database, looking for a positive ID.  

In most cases, if the software finds a match, it’ll unlock your phone. If not, it might prompt you to do something else to prove you’re you, like entering a unique password or PIN.
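The matching flow described above, as an added example (not code from any vendor or from the original post). It is a simplified geometric model: the landmark names, the sample coordinates, and the 0.05 threshold are constructed assumptions, and production systems use far richer features.

```python
import math
from itertools import combinations

def faceprint(landmarks):
    """Pairwise nodal-point distances, divided by eye distance for scale invariance."""
    eye_dist = math.dist(landmarks["left_eye"], landmarks["right_eye"])
    if eye_dist == 0:
        raise ValueError("degenerate landmarks: eyes coincide")
    names = sorted(landmarks)  # fixed order so two faceprints are comparable
    return [math.dist(landmarks[a], landmarks[b]) / eye_dist
            for a, b in combinations(names, 2)]

def identify(probe, enrolled, threshold=0.05):
    """Return the closest enrolled identity, or None (caller falls back to a PIN)."""
    fp = faceprint(probe)
    best_name, best_diff = None, float("inf")
    for name, stored in enrolled.items():
        diff = math.dist(fp, stored) / math.sqrt(len(fp))  # RMS difference
        if diff < best_diff:
            best_name, best_diff = name, diff
    return best_name if best_diff <= threshold else None

# Constructed sample landmarks (pixel coordinates), not real biometric data.
ALICE = {"left_eye": (100, 120), "right_eye": (160, 120), "nose_tip": (130, 160),
         "jaw_left": (90, 200), "jaw_right": (170, 200)}
BOB = {"left_eye": (100, 120), "right_eye": (170, 120), "nose_tip": (135, 175),
       "jaw_left": (85, 210), "jaw_right": (185, 210)}
ENROLLED = {"alice": faceprint(ALICE), "bob": faceprint(BOB)}

# Same face as ALICE, closer to the camera and off-centre (scaled and shifted).
ALICE_CLOSER = {k: (x * 1.5 + 20, y * 1.5 + 10) for k, (x, y) in ALICE.items()}
STRANGER = {"left_eye": (100, 120), "right_eye": (150, 120), "nose_tip": (125, 180),
            "jaw_left": (80, 220), "jaw_right": (170, 220)}

if __name__ == "__main__":
    print(identify(ALICE_CLOSER, ENROLLED))
    print(identify(STRANGER, ENROLLED))
```

Because the comparison uses only geometry, any image that reproduces the enrolled landmarks passes, so a match by itself says nothing about whether a live person is in front of the camera.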

Lots of services have already replaced traditional CAPTCHA tests with facial authentication to prove that users are human, not bots. Several banks, including Chase and USAA, let users sign into their mobile accounts with a selfie. Apple Pay now supports facial authenticated payments for iPhone X owners.

...But Not Without Problems

At first glance, facial recognition authentication seems pretty foolproof. Smiling for a camera is a lot easier than typing in long passwords or trying to read blurry, warped text. And since (mostly) everyone has unique facial features, it seems the chances of someone, let alone a bot, hacking into accounts or making purchases are slim.

Unfortunately, that isn’t quite the case. Facial recognition services can be tricked using a number of unconventional but effective methods. For one, you can defeat the weakest facial authentication systems simply by holding up a victim’s photo to the camera.

You could also put on glasses and impersonate someone else. In 2016, a team at Carnegie Mellon found that facial recognition software “learns” by analyzing patterns of pixels based on data collected from faceprints. So, to trick the software, they printed different patterns on the glasses’ frames to make the software “see” specific people.

If you’re feeling extra ambitious, you can even “steal” someone’s face completely. Researchers from Stanford, Max Planck, and Erlangen-Nuremberg created a system called Face2Face that manipulates existing video in real time, letting users control the facial expressions of a person in the target video.

Finding Solutions

Even though people found methods to fake out facial authentication systems, others created ways to strengthen them. A Georgia Institute of Technology research team developed what they call rtCaptcha (Real Time CAPTCHA), a system that pairs facial recognition with encoded CAPTCHA puzzles.

Strong facial authentication tests ask users to blink or smile to prove they’re actually real (and not a photo, as mentioned above). But software like Face2Face can spoof the required physical actions, thwarting the authentication system.

rtCaptcha works to prevent that from happening. Instead of prompting users to blink, rtCaptcha presents a CAPTCHA puzzle for them to read out loud. So, now not only would attackers need to present a face, they’d also have to answer a question.

In case that wasn’t enough, rtCaptcha adds another layer on top of that. Users only have a few seconds to answer. Hypothetically, the time is too short for A.I. and human attackers working through software to both analyze the CAPTCHA puzzle and generate the correct response.
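A server-side sketch of the time-bound challenge described above, as an added example (not the Georgia Tech team's code). The 5-second window, the 0.8 face-score threshold, and the `Verifier` class are assumptions; the spoken transcript and face score are assumed to come from upstream speech and face components.

```python
import hmac
import secrets
import time

RESPONSE_WINDOW_S = 5.0  # assumption: the page only says "a few seconds"
FACE_THRESHOLD = 0.8     # assumption: upstream face matcher returns a 0..1 score

def _normalize(text):
    """Case- and whitespace-insensitive form of a phrase, as bytes."""
    return " ".join(text.lower().split()).encode("utf-8")

class Verifier:
    def __init__(self, clock=time.monotonic):
        self._clock = clock   # server-side clock; client timestamps are never trusted
        self._pending = {}    # challenge id -> (expected phrase, issue time)

    def issue(self, phrase):
        """Register a challenge phrase and return its unguessable id."""
        cid = secrets.token_hex(16)
        self._pending[cid] = (phrase, self._clock())
        return cid

    def verify(self, cid, spoken_transcript, face_score):
        """Check one response; every challenge id is usable exactly once."""
        entry = self._pending.pop(cid, None)  # pop first so a replay always fails
        if entry is None:
            return "unknown-or-replayed"
        phrase, issued_at = entry
        if self._clock() - issued_at > RESPONSE_WINDOW_S:
            return "too-slow"
        if not hmac.compare_digest(_normalize(spoken_transcript), _normalize(phrase)):
            return "wrong-answer"
        if face_score < FACE_THRESHOLD:
            return "face-mismatch"
        return "ok"

if __name__ == "__main__":
    v = Verifier()
    cid = v.issue("seven blue kites")            # constructed challenge phrase
    print(v.verify(cid, "Seven blue kites", 0.93))
    print(v.verify(cid, "Seven blue kites", 0.93))  # same id again: rejected
```

The deadline is measured from the server's own issue time and the challenge is consumed on first use, so a late or repeated answer is rejected even if the phrase and face are both correct.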

Although rtCaptcha is in its early stages, it offers a valid solution for making existing facial authentication systems more secure.

Facing the Future

Despite its current limitations and security flaws, facial recognition looks poised to overshadow traditional CAPTCHA tests, especially as the Internet of Things and other devices adopt the technology. But until the technology can be completely secured, expect old-school methods like CAPTCHA to stick around for a little while longer.

This post originally appeared on Anura.
