Alibaba unveils 'smile-to-pay' tech

This is part of the drive towards passwordless experience where Alipababa is one of an illustrious line up of FIDO members engaged in launching new forms of strong authentication. Read more about UAF and U2F protocols that support this at The Passwordless Experience is set to transform the way we pay.

It is very impressive to see new way of authentications coming to surface as the technology advances. Biometric or in a broader perspective "something you are" is very cool way of authenticating someone but at the same time compare to other authentication methods: if some reason or some way you loose it (or lets say if it is stolen) - there is no way to reproduce or recreate or change (your face, fingerprint, voice, iris etc). I am not against biometrics, actually support it and believe it would be the future of authentication. However it is wise to careful and wait till the way this technology getting more mature - before distributing your physical elements every where. As there is no return once it is stolen...

Hmmmm anyone sees how this could go horribly wrong ? Can app really make difference between a real face and a poster size picture...

Any solution using biometric data like fingerprints, facial expressions, iris scanning etc faces the risk of data theft. To mitigate this risk the vendors design solutions where biometric data is stored locally on the phone, in a secure co-processor. To authenticate the user, the mobile app asks the phone's operating system: "Please authenticate the user" and gets a ok/not ok response back. So far, all well. The biometric data is protected and will never leave the secure co-processor.

As far as I know facial reckognition is not a standard phone feature so in this case the Alibaba app would need to protect biometric data both at rest and when the app is using it.. and that's not easy. Also note that nothing restricts the app from sending the data to a central server with all the security and privacy implications that follows.