9.11 Facial Recognition

Advanced Authentication provides advanced biometric authentication with the Facial Recognition method. This method allows users to get automatically authenticated by presenting their face. The image of the face is captured by an integrated or external camera and recorded by the Microsoft API server, when the user enrolls the method. When the user tries to authenticate on an application, the recorded image is compared with the actual image. If the images match, the user is authenticated.

IMPORTANT:It is recommended to configure the blink detection or combine the Facial recognition method with another method in a chain to enhance security.

You can configure the following settings for the Facial recognition method:

WARNING:You must have the Advanced Authentication Device Service installed to use the Facial recognition method for logging in to the following:

  • Operating System: Windows, Linux, and Mac workstations.

  • Integration: OAuth 2.0 and SAML 2.0.

9.11.1 Generating Access Key and Endpoint URL

Before you configure the Facial Recognition method, you must generate the Access Key and Endpoint URL from the Microsoft Cognitive Services.

To generate the Access Key and Endpoint URL, perform the following steps:

  1. Click Get API against Face API.

  2. Agree to the license agreement.

  3. Login with the preferred credentials.

  4. Capture the Access Key and Endpoint URL for the Face API.

    While generating the access key for the Face API, two keys are displayed. You can use anyone of the two keys.

9.11.2 Configuring Facial Recognition Method

To configure the Facial Recognition method, perform the following steps:

  1. Click Methods > Facial Recognition.

  2. Specify the Access Key that you have generated in the Microsoft Cognitive Services. This key is used while authenticating the user.

    For information about how to generate the Access Key in the Microsoft Cognitive Services, see Generating Access Key and Endpoint URL.

  3. Specify the Endpoint URL. This URL is location based.

    NOTE:The Endpoint URL must contain face/v1.0 at the end.

    For example: https://westcentralus.api.cognitive.microsoft.com/face/v1.0.


  • For a better quality of recognition, you must use cameras with a high definition of 720p and above.

  • During enrollment, the captured images are placed on Microsoft servers and Microsoft Cognitive Services returns only the Face ID to Advanced Authentication. The Advanced Authentication stores this Face ID as enrolled authenticator. Therefore, when you change to another Access Key, the related enrollments are lost.

  • This method is not supported for cache of Windows Client, Mac OS X Client, and Linux PAM Client.