Researchers develop Captcha-based anti-spoofing technique to supplement biometric authentication methods
Cybersecurity researchers at the Georgia Institute of Technology have developed a “Real-Time Captcha” anti-spoofing technique for facial recognition authentication, ScienceDaily reports. Mobile device users authenticating with facial video or images are given the “challenge” of answering a simple but randomly selected question within a time frame too short for AI or machine learning programs to respond.
The technique is meant to supplement image- and audio-based biometric authentication methods. The research was supported by the Office of Naval Research (ONR) and the Defense Advanced Research Projects Agency (DARPA), and was described at the recent Network and Distributed Systems Security (NDSS) Symposium 2018 in San Diego, California.
“The attackers now know what to expect with authentication that asks them to smile or blink, so they can produce a blinking model or smiling face in real time relatively easily,” said Georgia Tech School of Computer Science graduate research assistant Erkam Uzun, the paper’s first author. “We are making the challenge harder by sending users unpredictable requests and limiting the response time to rule out machine interaction.”
The challenge question is embedded in a Captcha image. In testing with 30 subjects, humans were able to respond within one second, while the fastest machines tested took between six and ten seconds to respond.
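The server-side half of such a timed challenge can be sketched as follows. This is an added example, not the researchers' code: the challenge pool, the 2-second limit and all names are assumptions, the response is taken as already-transcribed text, and the face and voice matching that the technique supplements is left out.

```python
import hmac
import secrets
import time

# Assumption: constructed challenge pool. The described system renders the
# question inside a Captcha image, which is not reproduced here.
CHALLENGES = [("What is 3 + 4?", "7"), ("Type the word: river", "river"),
              ("What is 9 - 5?", "4"), ("Type the word: candle", "candle")]

# Assumption: a limit placed between the roughly one-second human response
# time and the six seconds of the fastest machine reported in the article.
RESPONSE_LIMIT_S = 2.0


class ChallengeVerifier:
    """Issues unpredictable challenges and enforces the response deadline."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the timing can be tested
        self._pending = {}       # nonce -> (expected answer, issue time)

    def issue(self):
        """Pick a random challenge and start the server-side timer."""
        question, answer = secrets.choice(CHALLENGES)
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (answer, self._clock())
        return nonce, question

    def verify(self, nonce, response):
        """Return 'ok' or the rejection reason. Each nonce is single-use."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return "unknown-or-replayed"
        answer, issued_at = entry
        # The deadline is measured on the server, so a client cannot
        # backdate its response to gain solving time.
        if self._clock() - issued_at > RESPONSE_LIMIT_S:
            return "too-slow"
        given = response.strip().lower().encode()
        if not hmac.compare_digest(given, answer.encode()):
            return "wrong-answer"
        return "ok"
```

Because the timer runs on the server, network latency counts against the user, so a deployed limit has to leave room for it.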
“Using face recognition alone for authentication is probably not strong enough,” said Wenke Lee, Georgia Tech School of Computer Science professor and co-director of the Georgia Tech Institute for Information Security and Privacy. “We want to combine that with Captcha, a proven technology. If you combine the two, that will make face recognition technology much stronger.”
The researchers identified the top challenges going forward as recognizing speech in noisy environments and securing the connection between the camera and server.
As recently reported, BioID has developed a new liveness detection feature that will detect photo, video, and avatar attacks for its biometrics-as-a-service solution.