Recognition vs. Authentication
This Reg response to this "research" is correct. 2D facial recognition - which is the basis on which this was done - is not very sophisticated, and should NOT be used for ANY high-risk security scenario. Not only was this DB set woefully inadequate, there is no possible way to gather enough 2D signal (face data) to consistently verify who an individual is in large datasets. Generally, with today's level of facial recognition performance, anything over 100,000 will generate mistakes. Face recognition should ONLY be used for convenience purposes, like opening a phone or buying coffee. Period.
What is required for user AUTHENTICATION is 3D data acquisition and robust liveness detection (Check out liveness.com). 3D signal can generate up to 100 times more data (depending on the method), allowing, clearly, for much more certainty. But the first hurdle a user MUST pass is the liveness test. The system needs to determine if what the sensor sees is actually alive, and not some non-human artifact, like a mask, 3D head, photo, or video (including deepfakes). Once given a thumbs-up, matching what that sensor (camera) sees with what it acquired during onboarding needs to be very accurate. 3D-to-3D matching should be more than 1-in-10M to be feasible in large DB populations.
This research attempt was amateurish at best, and socially regressive at worst, especially at a time when we're all spending much more time accessing valuable digital assets daily. There are systems in place TODAY that are far beyond the capabilities of what and how this group tested, and are consistently securing hundreds of millions of digital accounts already.