Considerations for Security by Design

Application security isn’t a feature or a benefit – it is a bare necessity. By making your FACEIO application more secure, you help preserve user trust. It is important that you are familiar with the FACEIO security best practices in this document. Following these practices as general integration habits reduces the likelihood of inadvertently introducing security issues that adversely affect your users.

The Application Manager on the FACEIO Console provides an implementation of the security best practices related to securing your applications. This guide shows how to work with the recommended security configurations for your application. If you have any questions about the security practices or settings, please visit the discussion forum or open a new support ticket via the console.

Security Settings

The following core security features help you build secure FACEIO applications. Please review each of them carefully. You can enable or disable each security setting from the Application Manager.

Reject Weak PIN Codes During Enrollment
  • Enabled by Default: No

  • Description: During enrollment, each user is invited to choose a PIN code that must be at least 4 digits long (and no more than 16 digits long). On future authentication, this user is then required to confirm his PIN code whenever one of the following events occurs first:

    • A collision is triggered, where two extremely similar faces are reported. This might happen on very large indexes, or when the same user has enrolled twice.
    • A face match is completed with a confidence score slightly lower than the 99% threshold.
    • Or when your application always enforces PIN code confirmation. This feature is enabled by default for maximum security, and can be turned off via the setting below.
    Once the user being authenticated confirms his PIN code, the authentication process completes successfully and access is granted. If this option is enabled, weak PIN codes such as 0000, 1234 and similar patterns are rejected during enrollment and must be replaced by a more robust one.
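The weak-PIN rule above, sketched as an added example (not FACEIO's own code). The page does not define "similar patterns"; the three pattern classes below and the function name pinIssue are assumptions made for this illustration.

```javascript
// Added illustration, not FACEIO code. Assumed reading of "similar patterns":
// one repeated digit, a run of consecutive digits (up or down, wrapping
// between 9 and 0), or a short block repeated to fill the whole PIN.
function pinIssue(pin) {
  // Length rule from the page: at least 4 and no more than 16 digits.
  if (typeof pin !== "string" || !/^[0-9]{4,16}$/.test(pin)) return "format";
  const d = [...pin].map(Number);

  // 0000, 777777
  if (d.every((x) => x === d[0])) return "repeated-digit";

  // True when every digit differs from the previous one by k (mod 10).
  const step = (k) => d.every((x, i) => i === 0 || (x - d[i - 1] + 10) % 10 === k);
  if (step(1)) return "ascending-run"; // 1234, 7890
  if (step(9)) return "descending-run"; // 4321, 2109

  // 1212, 123123: the PIN is one block of n digits repeated.
  for (let n = 2; n <= pin.length / 2; n++) {
    if (pin.length % n === 0 && pin.slice(0, n).repeat(pin.length / n) === pin) {
      return "repeated-block";
    }
  }
  return null; // none of the assumed weak patterns matched
}
```
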

Always Ask for PIN Code During Authentication
  • Enabled by Default: Yes

  • Description: During authentication, when this option is turned off and the resulting facial recognition process clearly reports a single face match with a near-perfect, high confidence score (usually higher than the 99% threshold), FACEIO shall not ask for the target user’s PIN code and access is granted. If, on the other hand, this option is enabled (default case), the user being authenticated is required to confirm his PIN code for access to be granted. If an invalid PIN code is supplied (after three trials), the authentication process is aborted and control is transferred to the host application (i.e. your webapp) with the appropriate error code. Highly sensitive applications such as banking apps are required to turn on this option.

Enforce PIN Code Uniqueness Among Users
  • Enabled by Default: No

  • Description: During enrollment, each user is invited to choose a PIN code that must be at least 4 digits long (and no more than 16 digits long). If this option is enabled, the system ensures that the chosen PIN code is unique among the other users' PINs on this application.

Ignore Obscured and Partially Masked Faces
  • Enabled by Default: Yes

  • Description: By default, obscured (under poor lighting conditions) and partially masked faces (e.g. hat and sunglasses combination, medical mask, etc.) are automatically discarded from the recognition process, and another frame is requested by the system until a clearly visible face is detected. When this option is turned on, obscured or partially masked faces are included in the facial recognition process.

Reject Missing or Empty Origin/Referer HTTP Request Headers
  • Enabled by Default: Yes

  • Description: When enabled, this option shall reject fio.js instantiation when the Origin (or Referer) HTTP request header is missing from the request sent by the browser. This is a minimal security feature against forged requests. You can further restrict fio.js instantiation with your application Public ID to specific domain names you define.

Restrict Widget Instantiation to Authorized Domain Names Only
  • Enabled by Default: No

  • Description: When enabled, this option shall restrict fio.js instantiation to specific domain names you define. That is, no domain names other than the whitelisted ones will be able to instantiate fio.js with your application Public ID and perform facial Authentication & Enrollment. You can configure the list of allowed domain names via the Application Manager.
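How the two header-based settings above combine, as an added example (not FACEIO's implementation). The option names rejectMissingOrigin and restrictDomains, the function names, and the allowlist entries are hypothetical; the point is that the hostname is parsed out and compared exactly, never matched as a substring.

```javascript
// Added illustration, not FACEIO code. Constructed allowlist of exact hostnames.
const ALLOWED_HOSTS = new Set(["app.example.com", "www.example.com"]);

// Return the lowercase hostname of an Origin or Referer value, or null when
// the header is absent, empty, the literal "null", or not an http(s) URL.
function hostFromHeader(value) {
  if (typeof value !== "string" || value.trim() === "" || value === "null") return null;
  try {
    const url = new URL(value);
    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
    return url.hostname.toLowerCase();
  } catch {
    return null; // malformed header value
  }
}

// Decide whether a widget instantiation request may proceed.
function checkInstantiation(headers, opts) {
  // Prefer Origin; fall back to Referer as the setting's name suggests.
  const host = hostFromHeader(headers.origin) ?? hostFromHeader(headers.referer);
  if (host === null) {
    // Assumption of this example: with domain restriction on, a request that
    // names no origin cannot be matched against the list, so it is refused.
    const deny = opts.rejectMissingOrigin || opts.restrictDomains;
    return { allowed: !deny, reason: deny ? "missing-origin" : "no-origin-accepted" };
  }
  if (opts.restrictDomains && !ALLOWED_HOSTS.has(host)) {
    return { allowed: false, reason: "domain-not-allowed" };
  }
  return { allowed: true, reason: "ok" };
}
```

Both headers are set by the browser, so a non-browser client can send any value it likes; the check filters requests coming from other sites' pages and does not authenticate the caller.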

Restrict Widget Instantiation to Authorized Countries Only
  • Enabled by Default: No

  • Description: When enabled, this option shall restrict fio.js instantiation to specific countries you define. That is, no IP addresses other than those belonging to the authorized countries will be able to instantiate fio.js with your application Public ID and perform facial Authentication & Enrollment. You can configure the list of allowed countries (ISO-3166-1 Code) via the Application Manager.

Enable Webhooks
  • Enabled by Default: No

  • Description: Webhooks allow you to receive data and get notified in real time about the ongoing events during the interaction of the FACEIO Widget with your users, in order to keep your application backend up-to-date & synchronized. FACEIO uses Webhooks to let your system know when such events happen. Events include new user enrollment, facial authentication success, facial ID deletion and many other events.
    When an event occurs, FACEIO makes an HTTP POST request to the URL you configured for the Webhook. FACEIO’s request will include details of the ongoing event such as the Unique Facial ID of the user in question, their gender and age in case of new enrollment, timestamps, event type, IP information and many other details. You can find out more information about webhooks here, and configure your endpoint URL via the Application Manager.