CSLATEST

facial authentication
FACE OFF!
WHEN IT COMES TO DEVICE-BASED AND SERVER-BASED FACIAL
AUTHENTICATION, WHICH, IF EITHER, IS THE MORE SECURE?
Device-based facial authentication
and server-based facial authentication
are two methods that are
commonly used for authenticating users
on mobile devices. While both methods
serve the same purpose of verifying
a user's identity, they differ in their
approach and functionality.
"Device-based facial authentication is a
method that relies on the device's builtin
hardware and software to capture
and analyse the user's facial features,"
says Majid Munir, senior cybersecurity
consultant of Celestix Networks, the
digital identity and secure access
company. "When a user sets up facial
authentication on their device, the
device creates a unique facial template
of the user, which is stored locally on
the device. This template is then used
for subsequent authentication attempts.
With device-based facial authentication,
the entire authentication process takes
place on the device itself, without
needing external servers or networks."
One of the main advantages of devicebased
facial authentication is its exclusivity
to the device, he adds. "Since the
facial template is stored locally on the
device, external parties cannot access
or tamper with it. This enhances the
security of the authentication process,
as there is no reliance on external
servers or networks that may be
vulnerable to cyberattacks."
However, device-based facial authentication
also has its limitations. "First,
since the authentication process is
exclusive to the device, users may face
difficulties, if they need to authenticate
using a different device. For example,
if a user loses their device or upgrades
to a new one, they will need to go
through the registration process again
to set up facial authentication on the
new device. This can be inconvenient
and time-consuming for users.
"Another limitation of device-based
facial authentication is that servers
would not know the user's true identity.
Since the authentication process occurs
solely on the device, the server does not
receive any information about the user's
facial features or identity. This can pose
challenges in scenarios where serverside
authentication is required, such
as accessing certain online services or
platforms."
On the other hand, adds Munir, serverbased
facial authentication addresses
these limitations by relying on external
servers to store and process facial
data. With this method, the facial data
captured by the device is transformed
into a Private Key, encrypted and
securely stored on the server-side.
The server then uses this Private Key
to authenticate the user in subsequent
authentication attempts.
"One of the standout features of
server-based facial authentication, such
as the V-Key Smart authenticator, is its
enhanced security and user experience.
With V-Key facial authentication, the
facial data is securely encrypted and
stored in the V-Key cloud. This ensures
the user's facial biometric information is
protected from unauthorised access or
tampering. Furthermore, users do not
need to go through the registration
Majid Munir, Celestix Networks: both
device-based and server-based facial
authentication have pros and cons.
process again, if they change their
devices or lose their device. The
encrypted facial data is already stored
in the V-Key cloud, allowing users to
authenticate with their face again to
regain access simply."
Ultimately, both device-based and
server-based facial authentication have
pros and cons. "Device-based facial
authentication provides a secure and
exclusive authentication process, while
server-based facial authentication offers
enhanced security and a seamless user
experience. The choice between the
two methods finally depends on the
specific needs and requirements of
the users, and the applications they
are accessing."
www.computingsecurity.co.uk @CSMagAndAwards May/June 2024 computing security
21