Most of us are familiar with the countless Hollywood blockbusters that depict people breaching security systems by presenting fake biometrics, such as artificial fingerprints, or by using the face of an unconscious or deceased person who holds the necessary clearance.
In modern terms, this is known as spoofing, and today we will explore the risks and importance of detecting liveness when using biometrics for authentication. This article will provide some background on the topic as well as the possibilities and regulatory measures put in place to prevent this from happening - along with the different types of spoofing attacks and methods of liveness detection.
In the past, authentication systems mainly depended on ‘secrecy’ for verification. This would typically mean passwords or answers to predetermined or undisclosed questions - but, as most of us have discovered, these can easily be lost, forgotten, or stolen. More recently, the use of biometrics has rapidly gained acceptance with consumers and businesses alike as an easy and secure method of identity verification. After all, simply scanning one’s fingerprint or presenting your face for a selfie is far less frustrating for users.
Additionally, recent advancements in technology such as artificial intelligence - along with the widespread availability of affordable, high-quality cameras and the considerable amount of public data for training biometric recognition algorithms - have eliminated any concern about its accuracy or performance.
This, however, means that biometric data becomes yet another piece of information that must be kept secret. The same technological advancements that improved biometric matching have unfortunately also increased the threat of fraud through spoofing attacks, because photos and other source material are freely available, with a negative impact on businesses, customers, and their money. Therefore, the industry has shifted its focus for the validation process to not only match the biometrics for authentication but also to check the liveness of the readings, thereby rendering our biometrics useless to imposters and eliminating the need for secrecy by focusing on uniqueness instead.
Liveness detection is the ability of a system to detect whether the biometrics it is presented with are real (from a live person present at the point of capture) or fake (from a spoof artifact). Biometric matching alone can accurately answer the question ‘Is this the right person?’, but it cannot answer the question ‘Is this a live person?’
For this reason, liveness detection has become essential for biometrics to gain mainstream adoption and be trusted when used as an authentication method. By incorporating a set of technical features such as AI algorithms that analyse data comprising imagery, sound, lighting, and movement at the point of capture, liveness checks can counter possible fake biometrics presented to a device or attempts made to bypass the authentication process.
Only then can the process continue and the biometrics be matched: the features of an existing user - such as the distance between their eyes or the length of the jawline - are mapped and measured and compared against a biometric template to verify their identity.
To better understand liveness testing, we need to decipher the jargon in this field and get familiar with some of the keywords and terminology. For example, when a potential fraudster - also known as an ‘actor’ - uses a representation of a person’s face and presents it as their own, this is known as using an ‘artifact’ or ‘instrument’ to deceive or ‘spoof’ the system. The artifact is ‘presented’ to the system to ‘test’ its ability, and is therefore referred to as a ‘presentation attack.’ The artifact itself is also known as a Presentation Attack Instrument (PAI).
Even though the concept was conceived a couple of decades ago, the existing technology is still in its infancy, and its standardisation, regulation, and certification do not even date back half a decade.
The current global standard in this field is ISO/IEC 30107-3, established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2017; it will soon be updated to the new ISO/IEC CD 30107-3 standard.
To conform with the ISO/IEC 30107-3 standard, Presentation Attack Detection (PAD) testing should preferably be performed by a third party recognised by the Fast IDentity Online (FIDO) Alliance. The FIDO Alliance is an open industry association whose mission is to develop and promote authentication standards. Its members include some of the biggest and most well-known companies worldwide, such as Alibaba, Amazon, American Express, Google, Intel, ING, Lenovo, MasterCard, Microsoft, PayPal, Samsung Electronics, and Visa, among others.
A sound liveness check system should be able to detect the following scenarios during PAD testing:
Photo or video attack
A fraudster gains access to a photo or video of an authorised user. Gaining access can be as easy as performing a simple Google search or visiting an individual’s social media account. The fraudster can then use the printed image to create a 2D mask.
Model or 3D mask
Fraudsters invest in three-dimensional masks or custom models that mimic an individual’s physical likeness in more detail to trick the system.
Fraudsters take a photo or video and, using animation software, edit it into a realistic version of the individual talking, nodding their head, and so on.
There are several methods of detecting liveness, but in general these can be classified as either an active or a passive approach.
Active liveness detection requires users to participate in the liveness check by responding to ‘challenges.’ Examples of this participation include nodding or turning one’s head from side to side, blinking, following a dot on a screen, smiling, speaking a series of words or numbers, leaning into the camera, or recording a short video.
Passive liveness detection requires no action by the user: the liveness check happens when the user takes a selfie. Various techniques are possible for passive liveness, ranging from analysing a single selfie image, to capturing a video, to projecting different lights on the subject.
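As an added illustration (not Sybrin’s SDK or code from this article) of why an active challenge defeats a replayed photo or video: the verifier below issues an unpredictable action sequence and accepts only a matching, timely, one-time response. The camera-side action recogniser and its (action, timestamp) event format are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example of an active liveness challenge-response check (not Sybrin's SDK).
# A camera-side action recogniser is assumed to exist and to emit (action, timestamp)
# events; the events used to exercise this code are constructed by hand.

ACTIONS = ("turn_left", "turn_right", "nod", "blink", "smile")

@dataclass
class ChallengeSession:
    actions: Tuple[str, ...]     # sequence the user must perform, in this order
    issued_at: float             # time the challenge was shown to the user
    step_timeout: float = 3.0    # seconds allowed for each action
    used: bool = False           # a session may be answered only once

def issue_challenge(n_steps: int = 3, now: Optional[float] = None) -> ChallengeSession:
    """Draw the action sequence from a CSPRNG so that a pre-recorded or edited
    video (the photo/video and animation attacks above) cannot anticipate it."""
    now = time.time() if now is None else now
    return ChallengeSession(tuple(secrets.choice(ACTIONS) for _ in range(n_steps)), now)

def verify_response(session: ChallengeSession,
                    events: List[Tuple[str, float]]) -> Tuple[bool, str]:
    """Accept only if the recogniser saw exactly the challenged actions, in order,
    each completed before its cumulative deadline, with timestamps that move
    forward. Any other pattern is treated as a presentation attack."""
    if session.used:
        return False, "challenge already consumed"
    session.used = True    # consume first so a captured reply cannot be replayed
    if len(events) != len(session.actions):
        return False, "unexpected number of actions"
    deadline, last_ts = session.issued_at, session.issued_at
    for expected, (observed, ts) in zip(session.actions, events):
        deadline += session.step_timeout
        if observed != expected:
            return False, f"expected {expected}, saw {observed}"
        if ts < last_ts:
            return False, "timestamps out of order"
        if ts > deadline:
            return False, f"{observed} completed too late"
        last_ts = ts
    return True, "ok"
```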
Which approach is best?
Lowering customer effort is a top priority for most businesses. Therefore, passive liveness detection is the preferable method. Active liveness solutions may cause unnecessary friction, and many ID&V operators see increasing abandonment rates, with some reporting as high as 50%, particularly in emerging markets.
The passive approach closes security gaps without adding friction back into the authentication process. It doesn’t require user education on the process, and it prevents a fraudster from gaining too much insight on how the system works and how to dupe it by knowing where the most resistance lies.
During the current pandemic, the first and foremost use case, as well as an added benefit for this solution, is to prevent physical in-person contact for establishing and verifying identities. Given that liveness detection goes hand-in-hand with biometric authentication, the use cases will be very similar. Some of these would typically include:
Sybrin’s Liveness Detection is available as an active, passive, or combined approach, depending on the use case or business requirements. It is offered as both a mobile and a web SDK and is built to conform to the ISO/IEC 30107-3 standard, having recently been successfully tested by a third party on level A and B attacks from 10 Presentation Attack Instruments (PAIs), including paper masks, reconstructed faces on busts, videos, live persons, and more.
Our combined use of image processing techniques and neural networks allows us to return a result in less than half a second using only a selfie, resulting in a frictionless user experience. To find out more about Sybrin’s Liveness Detection and how it can improve your authentication process, visit the product page, or contact us to see what other automated solutions Sybrin can offer your business.