Face authentication

About face authentication

Our face authentication feature is an authentication method that uses server-side biometrics.

Server-side biometrics are authentication methods that are independent of the device. This means that they can offer cross-device compatibility and centralised management.

The face authentication method performs a two-second facial scan with 3D Liveness Check and 3D Face Matching on each authentication. This is done within a mobile app and verified on the server, preventing unauthorised access to an account.

What is a 3D Liveness Check?

A Liveness Check (also referred to as liveness detection) means that we verify that a physical human is in front of the device, and not a photo, deepfake video, or similar spoofing tool.

You can read more about biometric liveness detection on the liveness.com web page.

What is 3D Face Matching?

3D Face Matching means that we verify that the human performing the authentication is the same person who activated face authentication initially. To do this:

  1. At the time of authentication, a 3D FaceMap is collected together with the liveness data.
  2. We match this 3D FaceMap to the 3D FaceMap that we collected during the activation of this authentication method.

Example use cases

  • You want to implement additional fraud prevention for high-risk transactions, by verifying that the end-user performing the transaction is a real person and the same person who activated face authentication.
  • You want your end-users to be able to recover with biometric authentication on a new device.
  • You want your end-users to be able to reset their authentication credentials.
  • You want to have multiple end-users performing biometric authentications on the same device.

What is the difference between Face ID and face authentication?

Face ID is a type of native biometrics, whereas face authentication is a type of server-side biometrics. You can read about what these mean in the sections below:

Native biometrics

Native biometrics are authentication methods provided by the device's operating system, executed and validated directly on the device for quick and secure authentication using the device's hardware and software.

Some examples of native biometrics are Apple Face ID, Apple Touch ID and Android BiometricPrompt.

Our recommendation

Native biometrics are fast, secure, and offer a great user experience. We recommend using native biometrics whenever possible.

Server-side biometrics

Server-side biometrics are authentication methods that are independent of the device.

These methods offer cross-device compatibility and centralised management, which means that they can be leveraged in some use cases where native biometrics will not work.

An example of server-side biometrics is our face authentication feature.

When are server-side biometrics a good option?

There are some use cases where native biometrics will not work, or where server-side biometrics can provide a better option. For example:

  • When your end-users have invalidated their native biometrics.
  • When your end-users want to securely reset their authentication credentials.
  • When you want to recover your end-user's account, if:
    • Their device has been lost, broken or stolen.
    • They have deleted your application.
  • When multiple end-users want to use biometrics on the same device.
  • When the end-user wants to use another device.
  • When you want to prevent phishing attacks while your end-users onboard.
  • When you want to provide additional fraud prevention for high-risk transactions, such as verifying that the activated end-user is present at the time of the transaction.

How does face authentication work?

As with all other authentication methods, face authentication needs to be activated before end-users can start using it.

Once you have activated face authentication for your end-users, you can use it to:

Basic flow for a face authentication

  1. A FaceMap is captured on the end-user's device.
  2. The captured FaceMap is securely transmitted to our server.
  3. The server processes and validates the FaceMap, performing the necessary authentication checks.

How to activate face authentication

To activate face authentication, you first need to register a device for your end-user. Once the user has an active device, you can then add face authentication using our addOrUpdate method in the SDK.

You can learn how to do this in the Add or update sections of our SDK documentation:

What does an activation look like?

The following diagram illustrates what it could look like to activate face authentication with MobileID, from the perspective of your end-users.

Diagram showing end-user flow for activating face authentication

Diagram for activation

The following sequence diagram illustrates an activation of face authentication.

Sequence diagram showing activation of face authentication

How to authenticate with face authentication

You can initiate a face authentication by setting FaceAuthentication as the authMethod when you start the authentication operation.

See the Start authentication endpoint in the MobileID API reference documentation for details.

What does an authentication look like?

The following diagram illustrates what it could look like to authenticate with face authentication in MobileID, from the perspective of your end-users.

Diagram showing end-user flow for authentication with face authentication

Diagram for authentication

The following sequence diagram illustrates an authentication with face authentication.

Sequence diagram showing authentication with face authentication

How to recover with face authentication

Our account recovery feature supports server-side face authentication as an authentication method. We recommend this for recovery, as:

  • It is more user-friendly, with no recovery code to remember.
  • It enhances security by not having a recovery code which could be shared.

To learn about this feature and how to implement it, see our Account recovery feature documentation.

How to configure face authentication

To use our face authentication feature, you need to:

Configure the mobile SDK

Learn how to configure the mobile SDK for face authentication using the SDK guides below:

Configure the application configuration

You do not need to make any changes to the application configuration to use our face authentication feature, as by default:

  • Our face authentication feature is enabled for use by the server.
  • Server-side face is enabled as an allowed authentication method.

Enable/disable as an allowed authentication method

You can determine whether or not the server-side face authentication method is allowed for use in operations. To do this:

  1. Log in to the Signicat Dashboard.
  2. Go to Products > MobileID > Application behaviour, then select the Authentication tab.
  3. Use the check boxes to enable or disable server-side face as an authentication method.
    Tip

    To disable server-side face in the Allowed authentication methods section, you must first disable it in the Allowed authentication methods when activating new method or changing PIN section.

Try it out

To test our face authentication feature on a mobile device, you need to add the SDK to your app.

To get access to the SDK, you can contact us by creating a support ticket in the Signicat Dashboard.