Microsoft Entra Verified ID Face Check – A New Facial Verification System Powered By Azure AI

Facial verification is used across most modern devices, such as phones with the face lock feature, and Windows computers with facial recognition as part of Windows Hello. These biometric verification abilities were once considered the most secure verification technologies – but not anymore.

With generative AI taking over everything these days, deepfakes are becoming more and more common. Even when you see someone in an online conference call, it is difficult to verify that they are who they seem. Artificial intelligence is making facial recognition less reliable, and biometric verification mechanisms need to keep up with these threats.

This is the reason Microsoft has recently released the preview of Face Check, which is a part of Microsoft Entra Verified ID. Face Check is a facial verification technology that uses Microsoft Azure’s AI tools to authenticate that the person is actually who they seem to be, in real time. It uses a selfie to verify the facial features of the user and matches it against another verified ID, such as an identification card or a driver’s license.

Under the hood, Face Check relies on a more involved mechanism, which is discussed in this post.

What is Microsoft Face Check

Face Check is a feature of Microsoft Entra Verified ID, an Azure feature based on open standards that automates the verification of identity credentials and enables privacy-protected interactions between organizations and users.

Face Check builds on top of this technology and provides privacy-protected digital identity verification by comparing the real-time photo (selfie) with a verified ID. Using the Azure AI Vision Face API, Face Check provides accurate match detection, recognition, and essential checks, so that only authorized users gain access.

Note that Microsoft clearly differentiates between “facial verification” and “facial recognition” in their documentation. Here is what they have to say:

Facial verification is a consent-based process for proving a person is who they claim to be. Facial recognition tools are controversial and are used for surveillance and investigation without a person’s knowledge by government agencies.

Face Check is normally used where high-assurance access is required, such as high-value business processes or access to sensitive company information.

How Microsoft Face Check works

Face Check verifies the identity of a person by comparing their real-time selfie photo with their Verified ID, which is already incorporated into their Entra IDs. These verified IDs are usually passports, government documents, or driver’s license photos.

To ensure that no one can substitute a static, two-dimensional image of a person during the verification process, the real-time selfie is subjected to a “liveness” check. The liveness check is capable of identifying a wide variety of spoofing techniques.

Instead of using the entire face for verification, Face Check examines only certain facial features, including the locations of the eyes and nose, to determine a “confidence score” indicating how similar the two images are. The same logic also applies to the Windows Hello feature on Windows devices. The confidence score is expressed as a percentage, and the default “match” score is 70 percent.

If the confidence score reaches 70 percent, Face Check indicates that the selfie photo and the verified ID are a match. However, the verification threshold can be lowered to as low as 50 percent, if needed.

When the passing threshold is met, Face Check reports to the verification authority whether the verification succeeded or not; no other personal data, such as the verified ID, is shared with the verification authority. Hence, Face Check is deemed a “privacy-respecting” tool. Once verified, the user can access whatever the organization permits.

How Microsoft Face Check can be used

One thing is for certain: Face Check is meant for organizations, not for individuals authenticating themselves on their home PCs.

Face Check can be used to streamline the process of onboarding employees remotely. Rather than waiting for individual documents and verifying them, organizations can verify employees remotely and grant them access. The onboarding process is thus expedited and streamlined by Face Check’s quick online identity verification.

When it comes to preventing unauthorized claims during password resets and passkey activations, Face Check is an extremely effective defense. It strengthens authentication procedures and reinforces security measures by incorporating facial verification technology.

Moreover, Face Check can be used for verification processes where privacy is of utmost importance. Rather than sharing the user details and personal identification information, Face Check shares only the result of the verification with the organization, and not the verified ID document or its details.

How to use Microsoft Face Check

The Face Check technology is still in its preview state. However, if you are a part of an organization that uses Microsoft Entra, you can test out Face Check.

To do that, you must have the Microsoft Authenticator app installed on your phone and signed in using your Entra ID. Moreover, your system administrators must also set up a Microsoft Entra Verified ID.

If these prerequisites are met, then you can follow these steps to check and use Microsoft Entra Verified ID Face Check:

  1. Once the Verified ID service has been configured, you must then create a VerifiedEmployee credential.

    As the cornerstone, this credential permits instantaneous photo comparisons with the Verified ID associated with the user’s profile picture.

  2. Now sign into the Microsoft Entra admin center.

  3. Go to the “Verified ID” section and click Credentials.

  4. Click “Issuing credentials”.

  5. Now select one of the following options:

    • Allow all users
    • Allow users from selected groups
    • Allow all users except for selected groups

  6. Now, create a test user account in Microsoft 365 and make sure that a profile picture is uploaded.

    The profile picture will be used as a verified ID.

  7. Now log into MyAccount and select “Get my verified ID”.

    This will retrieve the Verified ID credential for the user.

  8. Now proceed to Microsoft’s public test app designed for Face Check testing.

  9. Click “I already have my card” and proceed to the next step.

  10. Now scan the QR code with your phone and enter your Entra ID credentials.

  11. When the Authenticator App launches, take a selfie with it.

    The app will cross-verify the image with the verified ID.

After you perform the steps above, the matching confidence score is displayed in the Authenticator app, and the user needs to share the presented credential and score with the test app.

To learn more about how to use the Face Check feature, refer to this Microsoft guide post.

Using the Face Check API

Using an application registered in Azure Active Directory, you can use the following API to implement Face Check:

Presentation Request with Face Check

This API can be used for the following purposes:

  • Generate a Verified ID credential associated with a user’s photo.
  • Issue a Verified ID credential that includes Face Check verification.
  • Receive notifications for successful and failed Face Check events.
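
The sketch below is an added example, not code from the original article or from Microsoft. It builds a presentation request that asks for Face Check with the threshold bounds described earlier (default 70, minimum 50), then evaluates the callback on the relying party's side, re-checking the score instead of trusting the status alone. The field names (faceCheck, sourcePhotoClaimName, matchConfidenceThreshold, matchConfidenceScore, requestStatus) are taken from Microsoft's Verified ID Request Service API and should be checked against the current reference; the DID, callback URL, API key, client name and the lower-cased header dictionary are assumptions.

```python
import hmac
import uuid

DEFAULT_THRESHOLD = 70   # default match score stated in the article
MIN_THRESHOLD = 50       # lowest threshold the article says is allowed


def build_presentation_request(authority_did, callback_url, api_key,
                               threshold=DEFAULT_THRESHOLD):
    """Build a presentation request body that asks for Face Check."""
    if not MIN_THRESHOLD <= threshold <= 100:
        raise ValueError("threshold must be between 50 and 100")
    state = str(uuid.uuid4())  # ties the later callback to this request
    body = {
        "authority": authority_did,                       # assumed DID
        "registration": {"clientName": "Example relying party"},
        "callback": {"url": callback_url, "state": state,
                     "headers": {"api-key": api_key}},
        "requestedCredentials": [{
            "type": "VerifiedEmployee",
            "configuration": {"validation": {"faceCheck": {
                "sourcePhotoClaimName": "photo",
                "matchConfidenceThreshold": threshold,
            }}},
        }],
    }
    return state, body


def evaluate_callback(headers, payload, expected_state, api_key,
                      threshold=DEFAULT_THRESHOLD):
    """Return (accepted, reason) for a callback posted to the relying party.

    `headers` is assumed to be a dict with lower-cased header names.
    """
    sent_key = headers.get("api-key", "").encode()
    if not hmac.compare_digest(sent_key, api_key.encode()):
        return False, "bad api-key"
    if payload.get("state") != expected_state:
        return False, "unknown state"
    if payload.get("requestStatus") != "presentation_verified":
        return False, "not verified: " + str(payload.get("requestStatus"))
    for cred in payload.get("verifiedCredentialsData", []):
        score = cred.get("faceCheck", {}).get("matchConfidenceScore")
        if "VerifiedEmployee" in cred.get("type", []) and score is not None:
            # Enforce the relying party's own policy on the reported score.
            if score >= threshold:
                return True, "match %.1f" % score
            return False, "score %.1f below %d" % (score, threshold)
    return False, "no faceCheck result"
```

A callback that lacks a faceCheck result is rejected, so a presentation of the credential without the selfie comparison cannot pass as a Face Check success.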

Conclusion

At the moment, since Face Check is in preview, it is free to use. However, once a stable release becomes available, Microsoft will charge $0.25 per transaction.

That said, I believe that Face Check is worth its money as it saves manual verification time, and is even more secure than conventional verification methods.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
