Microsoft has added facial matching to its Enter Service ID Verified, which allows organizations to create and issue verifiable credentials to validate claims such as employment, education, certifications, and residency. The new Face Check feature is available as a free public preview version, with an as-yet-unpriced commercial version expected later this year.
Face Check uses Microsoft’s Azure AI Face API to match a user’s real-time selfie, confirmed as authentic via “liveness detection”, captured by the Microsoft Authenticator app with an existing trusted identity document such as an ID , a driving license or a passport. Microsoft Authenticator’s Verified ID feature generates a trust score and sends only that to the party who requested a Face Check.
Preview customers use Face Check with ID Verified to reduce the risks of account takeover and identity theft for employees, vendors and business guests. Help desk and cybersecurity operations provider BEMO, an early tester of Face Check, uses the feature to verify the identity of an employee who issues a request, according to Microsoft.
“Face Check using Entra Verified ID is a new verification feature that can be used to verify that the person performing the authentication is indeed the rightful owner of the authentication credentials, such as passkey or FIDO2, MFA or even username and password “, says Ankur Patel, Microsoft Product Manager for Entra Verified ID. The company claims Face Check is more reliable than self-certification for accessing sensitive data or authentication to create new accounts.
Azure AD extension with ID verified
The verified ID was created with a standards-based interoperability profile in partnership with IBM, Workday, Ping and Mattr “so anyone can create compatible digital wallets,” Patel notes. Originally described by Patel as a standards-based decentralized identity (DID) systemVerified ID is intended to address limitations of Azure AD services by allowing the use of credentials external to your organization.
Gartner predicts that integration with identity verification (IDV) and access management platforms will become a standard by 2027 for onboarding, credentialing and recovery. Additionally, according to Gartner, IDV could reduce account takeover attacks by 75%.
“All access management (AM) vendors, including Microsoft and its direct competitors, offer support for integration with third-party IDV tools,” says Henrique Teixeira, senior research director at Gartner. “However, only a minority offer their own IDV solution and even fewer combine it with an off-the-shelf biometric authentication solution.”
Facial recognition raises privacy concerns
While Microsoft promises a more user-friendly and secure approach to digital identity verification with Face Check and Verified ID, critics of facial recognition have long decried the potential misuse of the technology. Microsoft’s Patel described Face Check as “a privacy-preserving face matching feature for high-security verification” and said privacy concerns were taken into account.
First, the company emphasized that neither Microsoft Authenticator, Verified ID, nor Azure AI services store or retain any data or images.
When you use Face Check, “There’s a 91% chance it’s me and not someone else. So even if you could take my phone, you couldn’t use it,” Patel says. He adds that, statistically, there was a one in a billion chance that a match could be an identity theft attack in a 5-minute time frame.
Will 91% be trustworthy enough to satisfy the concerns of companies providing access to sensitive data? According to Patel, organizations can decide whether risk is appropriate for specific types of business decisions and configure the acceptance score accordingly.
Gartner’s Teixeira predicts that preventing attack risks overshadows privacy concerns. “I believe the additional benefits of such solutions in reducing the likelihood of a breach will outweigh the privacy concerns associated with the technology,” she says.
The addition of Face Check to Verified ID aims to increase trust in the credentials presented by users. Patel says Microsoft will soon reveal plans to extend its Face API model to verify a broader range of identity attributes, such as verified employment history and legal entity verification, through partnerships with Dun & Bradstreet (DNB) and LexisNexis.
Great interest in facial recognition
Despite calls for regulation, facial recognition is one of the most popular forms of authentication. When the Biometrics Institute asked what form of biometrics organizations were likely to implement, its Industry Survey 2023 found that 45% of respondents plan to increase the use of facial recognition. In second place is multimodal biometrics at 16%, followed by voice at 9%, iris at 7% and behavior at 6%.
“Microsoft’s approach is extremely useful for broader adoption of verified identities and is expected to benefit the entire industry,” says Martin Kuppinger, founder and principal analyst at KuppingerCole Analysts. “This will help reach critical mass.”
However, Kuppinger says mass adoption won’t happen in the short term. “Challenges regarding regulatory requirements may arise for certain scenarios, but fundamentally the approach helps strengthen the cybersecurity posture and privacy concerns are addressed in a well-thought-out manner, avoiding centralized sharing or storage of biometric information,” he says she.
Cost will also be a factor. “Organizations will certainly be interested in understanding the yet-to-be-announced licensing model before making strategic decisions,” adds Kuppinger.