Microsoft Adds Face Check to Entra Verified ID

Microsoft has added facial matching to its Entra Verified ID service, which lets organizations create and issue verifiable credentials to validate claims, such as employment, education, certifications, and residence. The new Face Check feature is available as a free public preview release, with a yet-unpriced commercial release slated for later this year.

Face Check uses Microsoft's Azure AI Face API to match a person's real-time selfie — confirmed to be authentic via "liveness detection" — captured by the Microsoft Authenticator app with an existing trusted identity document, such as an employment ID, driver's license, or passport. Microsoft Authenticator's Verified ID feature generates a confidence score and sends it to the party who requested a Face Check.

Early preview customers are using Face Check with Verified ID to reduce the risks of account takeover and impersonation for employees, vendors, and business guests. Help-desk and cybersecurity operations provider BEMO, an early Face Check tester, used the feature to verify the identity of an employee issuing a request, according to Microsoft.

"Face Check using Entra Verified ID is a new verification capability that can be used to verify the person authenticating is indeed the rightful owner of authentication credentials, such as passkeys, or FIDO2, MFA, or even username and password," says Ankur Patel, Microsoft's head of product for Entra Verified ID. The company says Face Check is more reliable than self-attestation for accessing sensitive data or authentication to create new accounts.

Extending Microsoft Entra ID with Verified ID

Verified ID was built with a standards-based interop profile in partnership with IBM, Workday, Ping, and Mattr "so anyone can build compatible digital wallets," Patel notes. Originally described by Patel as a standards-based decentralized identity (DID) system, Verified ID is intended to address the limitations of Microsoft Entra ID services (formerly Azure AD) by enabling the use of credentials beyond the organization.

Gartner forecasts that integration with identity verification (IDV) and access management platforms will become standard by 2027 for onboarding, credentialing, and recovery. Further, IDV could reduce account takeover attacks by 75%, according to Gartner.

"All access management [AM] vendors, including Microsoft and its direct competitors, offer the support to integrate with third-party IDV tools," says Gartner senior research director Henrique Teixeira. "However, only a minority offer their own IDV solution and even fewer are combining it with a biometric authentication solution out of the box."

Facial Recognition Raises Privacy Concerns

While Microsoft promises a more user-friendly and secure approach to digital IDV with Face Check and Verified ID, critics of facial recognition have long decried the potential for misusing the technology. Microsoft's Patel describes Face Check as "a privacy-respecting facial-matching feature for high-assurance verifications," noting that privacy concerns were taken into account.

For one, the company emphasized that neither Microsoft Authenticator, Verified ID, nor the Azure AI services store or retain any of the data or images.

"[When using Face Check], there's a 91% chance that it's me and not somebody else. So even if you got ahold of my phone, you couldn't use it," Patel says. Statistically, he adds, there is a one in a billion chance that a match could be an impersonation attack within a five-minute time window.

Will 91% be reliable enough to satisfy concerns by enterprises providing access to sensitive data? Organizations can decide whether the risk is appropriate for specific types of business decisions and configure the acceptance score accordingly, according to Patel.

Gartner's Teixeira predicts that preventing risks of attacks overshadows privacy issues.

"I believe that the additional benefits of such solutions in reducing the probability of a breach will outweigh the privacy concerns associated with the technology," he says.

The addition of Face Check to Verified ID aims to boost confidence in the credentials that users present. Patel says that Microsoft will soon reveal plans to extend its Face API pattern to verify a broader array of identity attributes, such as verified work history and legal entity verification, through partnerships with Dun & Bradstreet (DNB) and LexisNexis.

Lots of Interest in Facial Recognition

Despite calls for regulation, facial recognition is one of the more popular forms of authentication. When the Biometrics Institute asked which form of biometrics organizations are likely to implement for its 2023 Industry Survey, 45% of respondents said they planned to increase their use of facial recognition. Coming in second was multimodal biometrics at 16%, followed by voice at 9%, iris at 7%, and behavioral at 6%.

"The Microsoft approach is highly valuable for a broader scale of adoption of verified identities and is expected to benefit the entire industry," says KuppingerCole Analysts founder and principal analyst Martin Kuppinger. "This will help in achieving critical mass."

Nevertheless, mass adoption won't happen in the short term, Kuppinger adds.

"Challenges may arise regarding regulatory requirements for certain scenarios, but, basically, the approach helps in strengthening the cybersecurity posture and [ensures] privacy issues are addressed in a well-thought-out manner, avoiding sharing or centrally storing biometric information," he says.

Cost will also be a factor.

"Organizations surely will be keen to understanding the yet-to-be-announced licensing model before making strategic decisions," Kuppinger says.