Feb. 3, 2020
Facial authentication is a great way to protect virtual content. But like all security features, it too has some dangerous loopholes.
With enhanced camera features, 2D or 3D printers, or animation, it is very easy to create fake images that can pass for an actual face. These are what are known as presentation attacks. Preventing presentation attacks is where liveness detection comes in, and now it’s easier than ever to implement with the Facial Recognition API from Chooch.
While facial recognition is a good tool for authentication, liveness detection algorithms take care of its vulnerabilities and make sure that these biometric modalities are not compromised in any way.
Facial recognition, while a very useful biometric modality, is susceptible to attacks by fraudsters trying to defeat its security measures. These attacks are known as presentation attacks or “spoofs”. To get past the biometric security measures and protection systems in place, a fraudster presents a non-live image, such as a printed or digital photograph. Videos or masks are also used to impersonate a particular person and assume a fake identity.
Presentation attacks are usually of two types, depending on the result the fraudster wants to achieve.
In a one-to-one biometric comparison, a successful attack is a false match: the fraudster has avoided detection by providing a sample image of the targeted victim. Once this happens, the fraudster will be able to go through the victim’s account, with access to all the applications.
If the fraudster creates one account or multiple new accounts of the victim by using an image that will not work in a biometric watch list (especially if the facial features are somehow masked) or duplicate search, it is a false non-match. These false non-matches are very difficult to identify and track as there are too many such accounts.
To avoid these attacks, liveness detection is very important. In mobile onboarding, the risk of such attacks or attempts of fraudsters will remain, but this can be prevented if liveness detection algorithms are used.
These algorithms can easily pick out false, non-live images, even if they cannot be used in biometric watch list searches. Liveness detection algorithms can be easily combined with multimodal biometrics, for example, voice recognition, and this strengthens the security measures. If these precautions are not taken, then facial recognition will not be secure from spoofs or presentation attacks.
The primary job of liveness detection techniques is to provide the maximum security possible and to prevent fraudsters from taking advantage of the existing biometric modalities.
Liveness detection techniques are not meant to compromise the user’s experience of using an application in any way. The different techniques try to minimize interaction with the user so that there are no interruptions that can affect the usage of the application.
As the name suggests, active liveness detection requires the user to be active in some way. The user might need to wink, smile or shake his or her head. While this prompts a certain level of interaction, the advantage of active liveness detection is that the user will be completely aware during the process.
Passive liveness detection depends upon algorithms that can detect if any part of the image is false. These algorithms check for discrepancies in the image, for example, masks, any kind of distortion, or different textures. Passive liveness detection happens in the background, and as it is not even visible to the user, fraudsters find it difficult to get through.
A hybrid liveness detection technique, while not interacting with the user, is not exactly opaque. Therefore, it can still be detected by fraudsters and evaded.
To certify a liveness detection product, its ability to perform is tested. These tests usually involve the use of spoofs to try and get across the biometric security measures.
If the liveness detection product is successful in detecting these spoofs, and if its performance is according to international standards, then the product is certified. However, these tests might have different settings that might change after production, or the spoofed content used might not cover the range of attacks that the product may have to face.
There are also some tests that are not of much use in mobile onboarding and the performance of the product in such cases becomes rather irrelevant.
Now, if one tries hard enough, it is possible to overcome any security measures, even those of liveness detection. Therefore, before a liveness detection product is certified, it has to go through rigorous evaluation procedures. This will ensure that all possible vulnerabilities are covered.
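An added example (not Chooch's code or test procedure) of scoring a liveness test run: it computes the two error rates that ISO/IEC 30107-3 calls APCER (spoofs accepted as live, per attack type) and BPCER (live users rejected), and lists attack types the test set never covered. The sample results and the list of expected attack types are constructed for illustration.

```python
from collections import Counter

# Constructed sample results: (presentation type, liveness verdict).
# "bona_fide" is a live user; every other type is a spoof used in testing.
SAMPLE_RESULTS = (
    [("bona_fide", "live")] * 95 + [("bona_fide", "spoof")] * 5
    + [("printed_photo", "spoof")] * 50
    + [("screen_replay", "spoof")] * 46 + [("screen_replay", "live")] * 4
    + [("mask", "spoof")] * 18 + [("mask", "live")] * 2
)
# Hypothetical list of attack types expected after deployment (an assumption).
EXPECTED_ATTACKS = {"printed_photo", "screen_replay", "mask", "animation"}


def evaluate(results, expected_attacks):
    """Score a liveness test run and report attack types it never exercised."""
    totals, errors = Counter(), Counter()
    for kind, verdict in results:
        if verdict not in ("live", "spoof"):
            raise ValueError(f"unknown verdict: {verdict!r}")
        totals[kind] += 1
        rejected_live = kind == "bona_fide" and verdict == "spoof"
        accepted_spoof = kind != "bona_fide" and verdict == "live"
        errors[kind] += int(rejected_live or accepted_spoof)
    if totals["bona_fide"] == 0:
        raise ValueError("test set contains no bona fide presentations")
    attacks = sorted(k for k in totals if k != "bona_fide")
    if not attacks:
        raise ValueError("test set contains no attack presentations")
    # APCER is computed per attack type so a weak spot is not averaged away.
    apcer = {k: errors[k] / totals[k] for k in attacks}
    return {
        "bpcer": errors["bona_fide"] / totals["bona_fide"],
        "apcer_by_type": apcer,
        "apcer_worst": max(apcer.values()),
        "apcer_pooled": sum(errors[k] for k in attacks)
        / sum(totals[k] for k in attacks),
        "untested": sorted(set(expected_attacks) - set(attacks)),
    }


if __name__ == "__main__":
    for name, value in evaluate(SAMPLE_RESULTS, EXPECTED_ATTACKS).items():
        print(name, value)
```

On the sample data the pooled spoof acceptance rate is half the rate for masks alone, and animation appears in the untested list, which is the coverage gap a certificate by itself does not reveal.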
Facial Authentication from Chooch AI has been tested by partners and was found to be spoofproof with liveness detection. If you’d like to do your own testing, please create an account at Chooch and install our API. More about Liveness Detection for presentation attacks is in our API Documentation.