As a follow up to my post about the importance of the Knowledge Factor and the story on how “Cops can legally force you to unlock your phone with your face” this article from the SMH highlights how we all need to understand the difference between identification and authentication:
Facial biometrics are, without doubt, essential for identifying bad actors. They provide great protection to critical services and the community as a whole.
But what about the individual being identified? What happens when something goes wrong and a person is incorrectly identified as a bad actor? Or what if that person is correctly identified (neither as a good or bad actor) but then there's a claim that person did something they really didn't do.
How could you prove you didn’t do it!?
The whole point of the “Cops can legally force you to unlock your phone with your face” story is that facial biometrics can be used to passively authenticate you (aka identification), rather than you choosing to actively authenticate yourself.
This is another reason why the Knowledge Factor (something you know) is so important because intent, or expression of will, is required (even under duress which can then be claimed) to confirm approval for any given action.