Facial Authentication: Wicket’s privacy-first approach to biometrics

By Tamara Camacho, Wicket

Facial biometrics are at the forefront of many conversations regarding the ethical use of the technology and associated personal data, and its implications for end users. Limited to niches such as law enforcement and travel for years, the global pandemic saw the accelerated adoption of Facial Recognition (FR) and other touchless solutions to minimize unnecessary contact and allow industries to operate safely. Today, FR is being used for myriad purposes by governments and private businesses as organizations and consumers grow to appreciate the technology’s speed, efficiency, and utility.

As with many other groundbreaking technologies, legitimate ethical concerns arise surrounding the use of FR, such as how facial images are captured, stored, and used. The majority of FR systems are sensitively implemented; however, some violate social expectations (and sometimes even legalities) around personal privacy, with the worst abuses appearing in the headlines.

That said, the term “Facial Recognition” doesn’t effectively describe the scope of Wicket’s solutions, nor their applications. Rather, FR encompasses the broadest possible descriptor of the biometric technologies that identify individuals using their faces. Compounding the confusion, “Facial Recognition” is often used as shorthand for surveillance implementations that use photos of “persons of interest” to track them and potentially deny them access to secure facilities and other restricted areas.

Facial biometrics are commonly used in one of two ways. The first is the surveillance implementation outlined above; the second is one that many of us use daily: face verification to identify individual users for personal authentication. Wicket implements facial technologies in yet a third way, maximizing value and minimizing user concerns. In the second part of this article, we will explain these three operational methods and their similarities and differences.

‘Recognition’ vs. ‘verification,’ an important distinction

Simply speaking, these words describe how the basic biometric technology is used at a process level.

Facial Recognition often refers to the process of taking one human face (whether the source is a live video feed, recorded footage, or a single photo) and matching it against a set of faces that are pre-registered within a database.

Typically, an FR implementation uses a camera to capture footage of individual faces. Once captured, the system extracts face images from the footage and runs those face images against an extensive database of faces—often referred to as a “watchlist.” The use cases for this are predictable from the description alone: surveillance and security, finding individuals in a crowd, whether for security reasons (such as to protect an establishment or individual) or for management reasons (to ensure a particular guest receives five-star treatment). This technology also has a place in supporting investigatory work.

On the other hand, Facial Verification is used to validate the identity of an individual trying to access a service such as a bank account or to obtain access to a digital space such as their phone.

Facial Verification requires an original template of the person (typically, a selfie) as a baseline with which to compare when that person wants access. For example, if you decide to set up your face to access your phone, you can enroll a template of your face, which your phone can later use to determine whether any person trying to access your phone is ‘you’ or ‘not you.’

In short, Facial Verification does not look through an extensive database of images—it checks against a single image (or, at most, a few of them), and anything that doesn’t match is rejected. This has incredible value for security applications, and the use cases are endless: fraud prevention, know your customer (KYC), and identity protection, among others. However, by its nature, Facial Verification is a poor choice for cases where hundreds or thousands of people need to be recognized quickly—for example, to quickly gain access to an area such as a stadium or conference.

While surveillance-style facial recognition and self-service facial verification are the two most common uses of the technology, the difference is stark, especially where user privacy is concerned.

Facial Authentication: The best of both worlds

Wicket’s application of facial biometric technology, which we term “Facial Authentication” (FA), allows for a happy midpoint that enables the desired functionalities while maintaining the highest standards of user privacy protection.

At Wicket, our facial biometrics technology matches individuals presenting at one of our edge sensors against a limited set of user-provided template images. Mathematical representations of the user-provided images (the “templates”) live in a limited database containing only the minimum number of templates required for the use case. Examples would be ‘people expected in the office’ or ‘people who have tickets to the game on the 23rd of the month.’ Anyone who isn’t on that list cannot gain access because their face templates are simply not present to be matched against.

This is somewhat similar to traditional FR—people’s faces are scanned and potentially matched to individuals on a list. However, in a surveillance model, the list is often extensive and built without the users’ consent, with pictures gathered from online resources, taken by security cameras, or candid snapshots. This lower image quality can impact the ability of a biometric system to match people to photos correctly. Of more significant concern, individuals often have no way of identifying if their photos are in a given database, let alone removing themselves (or even requesting removal) from these lists.

Like facial verification, Wicket’s operating processes require users to submit their own photos. We call this an opt-in-only model, meaning that people can only use our technology if they choose to, freely giving their consent. Furthermore, this consent can be retracted at any time at the individual user’s request, at which point the user’s template and images will be removed from the system, ensuring appropriate privacy protection.

The opt-in-only model also has functional benefits: it reduces the risk of false positives and false negatives. The user is vested in the system’s performance, so when they submit their selfie, the reference image tends to be of higher quality.

Additionally, to ensure that Wicket’s systems are only used by consenting users, the sensors are purposefully designed with a restricted capture zone. This ensures that users must deliberately present themselves to a sensor in order to be identified—increasing data privacy and, again, improving system performance.

Wicket’s Facial Authentication has a variety of high-value use cases: any friction point that requires additional confirmation—tearing tickets, processing payments, expediting orders, streamlining access control, and more—can benefit.

Furthermore, these benefits can apply cross-industry. For example, FA can improve the guest experience at live events, simplify transaction processing at retail locations, streamline guest management in a residential building or employee access management in a commercial building, secure a sensitive area using two-factor authentication, or ensure VIPs (who have opted in!) receive the best, most attentive service.

Ultimately, calling all facial biometric technologies by the same name is an easy route, as the differences are subtle and nuanced. However, using more conscientious terminology allows for clearer communication with end users, giving technology vendors a better grasp on how to serve them best.

This distinction is also crucial for Wicket. It not only underpins our privacy-first model but also tells our customers and those who trust us with their sensitive information: We see you, we hear your concerns, and we’ve addressed them through our system design and implementation. Something as simple as using accurate, thoughtful terminology may seem relatively minor—but it can make a major difference.

The content in this post was provided by the sponsor, and did not involve any reporting or writing from Stadium Tech Report editorial staff. For more information on our sponsor post program, please see our explanatory column.