Show HN: Face IO – Facial Authentication for the Web

  • Sigh. How many times does it have to be stated: facial recognition is not authoritative! Using facial recognition for authentication is flat out wrong; a face image is too game-able, and to make it strong enough not to be spoof-able the in-system expected users will be rejected when they undergo ordinary human facial variation.

    I was principal engineer of a leading enterprise FR system through 3 generations of the product, and I have global patents in the technology. This application of FR is flat out wrong and probably illegally fraudulent, because these people must know this technology cannot do what they claim!

  • Noooo thanks. The day I will happily give away biometric data online has not arrived.

    Just let me send you a public key instead.

  • Hi. Congratulations on the launch.

    I'm sorry in advance, this is going to be incredibly negative. I'll sum it up to this: WTF?

    What's the motivation to build and launch this? Simplify authentication (it won't)? Make it more secure (it won't)? Make it cheaper (it won't)?

    Your terms (https://pixlab.io/terms) are ridiculous. You might be the first SaaS I see that has both a "business-critical" tier and a "no warranty" clause in their terms.

    Your "GDPR compliant" terms are out of whack, actually, too. Has a lawyer reviewed this? It's written for end users with no mention of customers or data processing agreements. You don't even have a DPO.

    I'm doubly shocked because this looks like a lot of work and care has been put into this; what you built is a prototype at best, yet you're basically screaming that this is an enterprise-ready product you're fully launching.

  • With Apple and Google supporting FIDO passkeys very soon (https://9to5mac.com/2022/06/07/passkeys-passwordless-sign-in... and https://developers.google.com/identity/fido), why would anybody want to use anything else?

  • Why should we trust you with face data?

  • I don’t see any mentions of what you define as “spoof-proof.” Are you performing a liveness check [0]? E.g., can I hold a picture up of someone else’s face, or commandeer the camera feed to play a video of my choosing?

    [0] https://www.liveness.com/

  • Credential stuffing attacks are old news. Face stuffing attacks are the new hotness.

  • No independent pen test, no independent security audit or certification, no security standards certification. No thanks.

  • So I just need a username and a photo of my victim for authentication?

  • More and more people are getting vigilant in handling and securing their data; this is a rather convenient method, but what makes this challenging is the fact that it can be a delicious target for cyber attackers, and if the company suffers a data breach, malicious actors can get a hold of everyone's identity. They can use it to steal their financial credentials and collect information about the user. Although passwordless authentication would be an excellent way to lessen the effects of cyberattacks, people would be skeptical about how this would turn out.