Your Face Just Became a Password You Can Never Change

Picture this: you open a government app to check your driver's record or pay a bill, and it tells you to look into the camera before it lets you in. Not because you forgot your password. Because the system has decided your face needs to be checked again — regularly, on an ongoing schedule — just to confirm you're still you.

That's not science fiction. That's what's happening right now in Malaysia, where a digital ID system called MyDigital ID just announced it will require periodic facial re-verification for all its users. And if you think this is someone else's problem, you haven't been paying attention to how fast these systems spread.

From Optional to Mandatory — That's the Real Story Here

Here's what makes this announcement different from every other "we added face unlock!" news story you've scrolled past.

Most apps ask for your face once. You set it up, it saves it, you move on. What Human Resources Online is reporting — and what ID Tech Wire confirmed — is that MyDigital ID is making re-verification a recurring obligation. Not a one-and-done. A permanent condition of access.

The system already has 2.8 million registered users. It's woven into government platforms including the MyJPJ app, which Malaysians use for transport and vehicle services. So when the National Security Council (Malaysia's central authority on this) says existing users will be required to re-verify their faces periodically, that's not a suggestion. It's a requirement baked into the infrastructure people depend on for real-life tasks. This article is part of a series — start with Why Fake Faces Look More Real Than Genuine Photos.

"For existing users, they will be informed of the requirement to undergo periodic facial biometric re-verification as part of ongoing efforts to ensure the integrity and security of their digital identities are continuously safeguarded." — Malaysia National Security Council, via The Star (Malaysia)

Read that again slowly. Continuously safeguarded. That's the language of a system that isn't going to ask your permission after the first time. It's going to keep asking. And the more you comply — which, honestly, you'll have to if you want access — the more your face becomes part of an ongoing identity database, not just a one-time photo on file.

Why Your Face Is Not Like Your Password

There's something most people don't know — and something the "tap here to verify" prompt will never tell you.

If someone steals your password, you change it. If someone steals your credit card number, you get a new one. But your face? Your fingerprint? There's no reset button for those. The Office of the Victorian Information Commissioner put it plainly: biometric characteristics — meaning the physical things that are uniquely you, like your face, fingerprints, or iris pattern — "cannot be reissued or cancelled." If that data is ever exposed in a breach, you cannot get a new face. You are permanently affected.

That's not a hypothetical. Data breaches happen constantly. Government systems get hacked. Databases get sold. And when what's in that database is a detailed map of your face — not your password, not a PIN, but your actual physical identity — the stakes are permanently higher than any other kind of account compromise.

This is why Malaysia's move isn't just a technology story. It's a question about consent. You might agree to scan your face once, under certain conditions, for a specific purpose. But agreeing to recurring re-verification, tied to ongoing government access, is a fundamentally different deal. Most people won't read the fine print. Most people will just tap through.

The Deepfake Problem Is Why They're Doing This — And Also Why It's Complicated

To be fair to the systems pushing this: they're not wrong that facial verification is stronger than a lot of alternatives. The reason governments are upgrading to face-based checks right now is that deepfakes — AI-generated fake videos and images that look completely real — are getting frighteningly good. Fraudsters are using them to impersonate real people during identity checks. The systems fighting back need something harder to fake than a selfie or a scanned document. Previously in this series: Your Face Is Just 128 Numbers And A Seal Just Proved It.

According to Biometric Update, the facial recognition market itself is fragmenting in 2026, with different countries building their own identity architecture — meaning we're heading toward a world where multiple regional systems all demand your face, under different rules, with different levels of protection.

Modern face verification systems use something called liveness detection — essentially, the system checks that you're a real, living person in the room right now, not just a photo or a video being held up to the camera. That's genuinely useful. That does catch fraud that older systems miss. But here's the catch: even liveness detection isn't perfect against sophisticated deepfake attacks, and the race between the fraud tools and the detection tools is ongoing. When governments mandate face re-verification as a security measure, they're essentially betting their entire identity infrastructure on staying one step ahead of deepfake technology. That's a high-stakes bet that regular users never agreed to be part of.

The deeper issue isn't whether face scanning works. It's that when re-verification becomes a routine habit — something you just do every few months to keep your account working — people stop thinking of it as a serious identity decision. It becomes like clicking "agree" on a terms-of-service update. Automatic. Unexamined. And that's exactly the moment when your guard is down.

This Is Coming Closer Than You Think

Malaysia isn't an outlier. Malaysia is a preview. The same pressure — deepfake fraud getting worse, password-based systems proving inadequate, governments wanting stronger identity verification — exists everywhere. The Malaysia National Security Council's announcement is just the most concrete, consumer-facing example of a shift that's happening across digital ID systems globally right now.

Think about how many apps already have a "verify your identity" step. Your bank. Your healthcare portal. Your government tax or benefits login. The travel apps. Each of those is one policy decision away from adding a periodic facial re-verification requirement. And once they do, opting out won't be realistic — because opting out means losing access to things you actually need. Up next: The Most Real Face Youll See Today Was Never Born.

Here's the thing — if you've ever looked at a profile photo and wondered whether the person is really who they claim to be, that's the exact question these face-verification systems exist to answer. The technology itself, when done right and with proper safeguards, does solve a real problem. The risk isn't the face scan. The risk is doing it without knowing the terms. Knowing what questions to ask — who stores it, how long, and whether you can delete it — is genuinely useful before you tap through. That three-question check takes about 30 seconds and it's the difference between informed consent and just going along with it because the screen told you to.

Malaysia's legislation is already going further. The Dewan Rakyat — Malaysia's parliament — passed an amendment to the National Registration Act that would require biometric data collection for all national ID holders: ten fingerprints, iris scans, and facial images. This isn't a pilot program. This is a country redesigning its entire identity architecture around biometrics as the default, not the exception.

And the question nobody's asking loudly enough yet: once periodic re-verification is normal, once your face is part of an ongoing relationship with a government identity system rather than a one-time enrollment — what happens when that database is breached? What does "your identity was compromised" even mean when the thing that was compromised is your actual face?

You can get a new password in 90 seconds. You've had the same face your entire life. Treat accordingly.