Even as the Unique Identification Authority of India (UIDAI) proposes to introduce Virtual ID and face recognition as extra layers of security in Aadhaar cards, along with biometric detail including finger-printing and iris identification, questions have been raised about the efficacy of these fresh moves in protecting the privacy of the individual from unscrupulous elements.
The Supreme Court is currently hearing the issue of the citizen’s liberty being allegedly threatened by the linking of Aadhaar numbers to the individual’s various documents. According to Ankush Johar, Director of Infosec Ventures, which provides infrastructure security solutions to the government and commercial clients, the recent measure taken by the UIDAI to provide facial recognition via images captured from an old 3 to 5 megapixel (MP) camera in most cases may be “too little, too late.” The face recognition mechanism is expected to act as another layer of verification as a “fusion” alongside fingerprint, IRIS and OTP authentication.
Terming the UIDAI’s latest move as a “PR gimmick” to save its own skin in the wake of possible data-leaks, Johar said the face-recognition measure would provide “zero” extra security due to poor resolution cameras used in making Aadhaar cards for 1.2 billion people.
He said although adding an extra later of security is a good initiative for card holders, face recognition is a “bad factor” for authentication. “It might not do much good as not only is it not too difficult to replicate as compared to other biometrics, but also because the major problem lies in the source of the poor images used as the authentication mechanism.”
To make things convenient, UIDAI had commented that it will be using the photo of the card holder captured at the time of Aadhaar enrolment. Facial recognition will give an additional choice for people having trouble with their fingerprints and iris authentication, which is supposed to go live by July this year. This is expected to provide relief to older people whose fingerprints and iris go blurred and unclear due to ageing and diseases.
How secure would facial recognition be as an extra authentication?
In November 2017, a group of cyber security researchers were able to crack iPhone’s facial recognition technology by using a $150 mask. The cyber security firm posted a video on their official blog which showed that they had found a way to hack Face ID by using a composite mask of 3-D printed plastic, silicone make-up, and simple paper cutouts, which in combination tricked an iPhone X into unlocking, he told BusinessLine .
While Apple had developed the infrared-based specialised hardware to capture a 3-D image of a person’s face, it is dicey how it would compare to the 3-5 MP cameras used at the time of enrolment for Aadhaar in India. In other words, facial recognition in Aadhaar cards would be a questionable security measure as an individual’s face, like other body parts, usually undergoes changes, and it can also be manipulated as in the iPhone case.
The photographs captured years ago with an extremely low resolution camera stands little chance given that hackers were able to bypass even the 3-D face model recognition developed by one of the biggest tech pioneers, he argued.
While welcoming the UIDAI move on face recognition, he cautioned that it might have succeeded had the card holders’ images been captured with at least a high-definition camera if not an infrared based 3-D facial recognition system. Such images would have made the Aadhaar card security easier and reliable.
He said the UIDAI can still remedy the situation by “deep diving into the whole issue” and reaching out to the 1.2 billion card holders for updating with latest technologies. Unless it is done, “horrible things” may happen with people’s data.
Similarly, a Virtual ID may not be too much of help as the card holder’s number in many a case had already gone out to those who could misuse it.