Can pictures break Zengo’s biometrics security?

Zengo relies on face biometrics as one of the methods to securely restore your account. Can anyone with access to a picture of your face break into your Zengo account?

The debate got heated last week as the CEO of a competing wallet decided to go to Twitter to prove that this is possible (and failed). We will go through the details of how our system works in this post and even invite you to a challenge.

TL;DR: Let’s first end the suspense and answer the question above. No, it does not work. The answer is in the images and video below. Now you can relax and read quietly for the rest of the post.

Let’s start with a little bit of drama. Your faces are scanned all the time. Everywhere, deep fakes are going to ruin our lives and there is nothing we can do about it. Spooky.

Biometrics in the era of face recognition and deep fakes

These new facts raise legitimate concerns about how securely such services use biometrics. And because we also rely on biometrics, it’s a constant area of research and interest for us. Facts matter.

Reminder: How Zengo keyless backup works

Zengo is a keyless crypto wallet that relies on multiple factors to authenticate the owner of an account. Unlike traditional wallets, Zengo doesn’t generate a private key that can be spent, but distributes the security between the owner’s device and Zengo servers, even at the time of signing.

To authenticate the owner, three factors are required: email verification, the user’s cloud access, and live face authentication (provided by FaceTec). Without all three factors, an attacker will not be able to access your funds. 

The security model of Zengo is explained in detail here and how biometrics security works here. We also invite you to learn more about liveness.

The truth and the tests

Let’s get to it. How does Zengo behave when you present high-quality pictures? We test our systems all the time, but here is a recent sample of our own experiments.

Although our partner FaceTec has already run countless tests, we went further and tested high-quality 3D masks.

Even a high-quality 3D mask couldn’t break in. High-quality 3D masks, used by some for criminal impersonation, are built from hundreds of high-quality pictures of your face. Even that was not enough!

How a 3D mask is made – 200 cameras for 1 mask
3D mask in preparation

Results of the tests? #Fail

The Challenge

You don’t need to believe us. Create an account on Zengo today and see for yourself. 

  1. Enroll your real face in Zengo
  2. Use the “Test My Face Map” feature from the Keyless Backup screen on the Account tab. 
  3. Use any picture or a high-resolution video of yourself. 

Voila! The picture will not match your real face map. It will fail. 

We run continuous security audits and internal and external challenges to stress-test and improve our own systems, and we engage with security researchers. We build security systems that rely on multiple factors that users control, which we believe provides a new, convenient and safe trade-off compared with typical password-only systems.

Breaking into our face authentication alone with pictures is more than challenging, and the technology is continuously improving. Finally, FaceTec has a $600,000 USD challenge for you.

You can now return safely to your Zengo account.