Source: Tero Vesalainen via Alamy Stock Photo
Microsoft has added facial matching to its Entra Verified ID service, which lets organizations create and issue verifiable credentials to validate claims such as employment, education, certifications, and residence. The new Face Check feature is available as a free public preview release, with a yet-unpriced commercial release slated for later this year.
Face Check uses Microsoft's Azure AI Face API to match a user's real-time selfie — confirmed to be authentic via "liveness detection" — captured by the Microsoft Authenticator app with an existing trusted identity document like an employment ID, driver's license, or passport. Microsoft Authenticator's Verified ID feature generates a confidence score and sends only that to the party who requested a Face Check.
Early preview customers are using Face Check with Verified ID to reduce the risks of account takeover and impersonation for employees, vendors, and business guests. Help desk and cybersecurity operations provider BEMO, an early Face Check tester, uses the feature to verify the identity of an employee issuing a request, according to Microsoft.
"Face Check using Entra Verified ID is a new verification capability that can be used to verify the person authenticating is indeed the rightful owner of authentication credentials, such as passkeys, or FIDO2, MFA, or even username and password," says Ankur Patel, Microsoft's head of product for Entra Verified ID. The company claims Face Check is more reliable than self-attestation for accessing sensitive data or authentication to create new accounts.
Extending Azure AD with Verified ID
Verified ID was built with a standards-based interop profile in partnership with IBM, Workday, Ping, and Mattr "so anyone can build compatible digital wallets," Patel notes. Originally described by Patel as a standards-based decentralized identity (DID) system, Verified ID is intended to address the limitations of Azure AD services by enabling the use of credentials beyond the organization.
Gartner forecasts that integration with identity verification (IDV) and access management platforms will become standard by 2027 for onboarding, credentialing, and recovery. Further, IDV could reduce account takeover attacks by 75%, according to Gartner.
"All access management (AM) vendors, including Microsoft and its direct competitors, offer the support to integrate with third-party IDV tools," says Gartner senior research director Henrique Teixeira. "However, only a minority offer their own IDV solution, and even fewer are combining it with a biometric authentication solution out-of-the box."
Facial Recognition Raises Privacy Concerns
While Microsoft promises a more user-friendly and secure approach to digital identity verification with Face Check and Verified ID, critics of facial recognition have long decried the potential for misusing the technology. Microsoft's Patel described Face Check as "a privacy-respecting facial matching feature for high-assurance verifications" and averred that privacy concerns were taken into account.
For one, the company emphasized that neither Microsoft Authenticator, Verified ID, nor the Azure AI services store or retain any of the data or images.
When using Face Check, "There's a 91% chance that it's me and not somebody else. So even if you got ahold of my phone, you couldn't use it," Patel says. He adds that statistically, there was a one in a billion chance that a match could be an impersonation attack within a 5-minute time window.
Will 91% be reliable enough to satisfy concerns by enterprises providing access to sensitive data? Organizations can decide if the risk is appropriate for specific types of business decisions and configure the acceptance score accordingly, according to Patel.
Gartner's Teixeira predicts that preventing risks of attacks overshadows privacy issues. "I believe that the additional benefits of such solutions in reducing the probability of a breach will outweigh the privacy concerns associated with the technology," he says.
The addition of Face Check to Verified ID aims to boost confidence in the credentials users present. Patel says that Microsoft will soon reveal plans to extend its Face API pattern to verify a broader array of identity attributes, such as verified work history and legal entity verification, through partnerships with Dun & Bradstreet (DNB) and LexisNexis.
Lots of Interest in Facial Recognition
Despite calls for regulation, facial recognition is one of the more popular forms of authentication. When the Biometrics Institute asked which form of biometrics organizations are likely to implement, its 2023 Industry Survey found that 45% of those surveyed plan to increase their use of facial recognition. Coming in second was multimodal biometrics at 16%, followed by voice at 9%, iris at 7%, and behavioral at 6%.
"The Microsoft approach is highly valuable for a broader scale of adoption of verified identities and is expected to benefit the entire industry," KuppingerCole Analysts founder and principal analyst Martin Kuppinger says. "This will help in achieving critical mass."
Nevertheless, Kuppinger says mass adoption won't happen in the short term. "Challenges may arise regarding regulatory requirements for certain scenarios, but basically, the approach helps in strengthening the cybersecurity posture and privacy issues are addressed in a well-thought-out manner, avoiding sharing or centrally storing biometric information," he says.
Cost will also be a factor. "Organizations surely will be keen understanding the yet-to-be-announced licensing model before making strategic decisions," Kuppinger adds.