You might find "facecerts" interesting. http://www.computer.org/proceedings/dcc/1896/18960435.pdf This is more for face-to-face checking, however. For your remote scenario some sort of one-way hash to verify the image might be intersting. It would have to allow for fuzzy matching after hashing (for obvious reasons). I think this just raises the bar a tiny bit though, as an attacker could stalk their victim before stealing their card to get an idea about what appearance to forge. (or capture webcam traffic before lifting the card / identity info) Cheers, Adam Lydick On Tue, 2003-07-08 at 12:16, Major Variola (ret) wrote:
Authentication is "Something you have / know / are."
A simple plastic credit card + PIN provides the first two, including a photo provides the third "something you are". A face is more often checked than the readily forgable signature, in live authentication.
But as cameras become ubiquitous (e.g., in cell phones) some extra security could be obtained for *remote* authentication by sending a trusted photo of the account holder plus a live picture of the card user.
A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably.
The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud.
Thoughts?