Our previous article discussed the importance of detecting liveness when using biometrics for onboarding and authentication, the different methods to approach this, and what liveness detection in general involves. This article will take a closer look at the processes and standards when testing a solution against spoof attacks.
In recent years, we’ve witnessed growing interest in using biometric data for authentication, which has led to an increase in the availability of suitable devices such as webcams, smartphones, tablets, and other gadgets with the relevant technology and sensors to capture the data.
With these rapid innovations in biometric capturing and identity verification, and the constant improvement in data quality, standardisation bodies have identified the need to provide a proper framework. Consequently, the ISO/IEC 30107-1 standard was published around half a decade ago. However, it wasn’t until almost two years later that the standard for testing these solutions against spoof attacks was published: ISO/IEC 30107-3. The timing could not have been any better, with the circumstances of the current pandemic having created a greater urgency for remote onboarding and authentication solutions. The ISO/IEC 30107-3 standard establishes the principles and methods for PAD testing.
Presentation Attack Detection (PAD) testing is the assessment of the capabilities of a biometric liveness detection system to detect active spoof attempts under controlled and varied conditions to conform to the ISO/IEC 30107-3 standards. This should ideally be performed by a third-party testing laboratory that is accredited by the Fast IDentity Online (FIDO) Alliance, the EU’s Biometrics Evaluation Testing (BEAT) project, the US’s National Institute of Standards and Technology (NIST), or any other relevant institution.
With the advent of Covid, branch visits have practically become obsolete, and many people now prefer to transact remotely instead. Without a physical face-to-face interaction, it becomes more difficult to verify the identity of a person, increasing the risk of fraud. Therefore, the ability of a system to detect whether a person is real and physically present when performing tasks like authorising transactions or opening accounts becomes crucial, and this can only be achieved by a system that has been put through its paces.
A common misconception is that an accredited institution can certify a vendor’s solution after it passes the testing. Yet, despite the current ISO standard, there is no testing protocol in place, and consequently, there is no certification for PAD testing and liveness detection available on the market.
The tests are performed solely according to the ISO/IEC 30107-3 standards: testers try to fool, or spoof, a system by presenting various artifacts that falsely represent existing biometric data, covering a wide variety of ethnicities and age groups in the process. These attack examples are known as Presentation Attack Instruments (PAIs) and fall within two test levels under the current ISO requirements:
Level A: Paper printout of a face image or a mobile device displaying a face photo.
Level B: Paper masks or a video display of a face with movement and blinking.
It was crucial to Sybrin that we accommodate the diversity prevalent in our markets. Our testing criteria were selected to defend against the most extensive attack diversity on the market.
Our solution was successfully tested by the FIDO-accredited biometric laboratory, Fime, on level A and B attacks from numerous PAIs, including paper masks, reconstructed faces on busts, videos, live persons, and more. Our SDK passed rigorous assessments against criteria based on FIDO Biometric Certification Requirements v1.1 (FIDO1.1) and in accordance with ISO/IEC 30107-1 and ISO/IEC 30107-3:2017 and has been declared to conform to this standard.
Sybrin’s Liveness Detection is available as active, passive, or a combined approach, depending on the use case or business requirements. It is offered as both a mobile and web SDK and is built to conform to the ISO/IEC 30107-3 standards.
Our combined use of image processing techniques and neural networks allows us to return a result in less than half a second using only a selfie, resulting in a frictionless user experience. To find out more about Sybrin’s Liveness Detection and how it can improve your authentication process, visit the product page, or contact us to see what other automated solutions Sybrin can offer your business.