Aware white paper examines the state of biometric liveness
The importance of liveness detection in mobile onboarding and a range of other use cases is clearly seen in the demand for effective liveness in the market, as customers attempt to stay ahead of increasingly sophisticated fraud attempts. Liveness also ensures the integrity of other biometric onboarding functions, such as driver’s license checks and biometric watch list checks.
A new white paper from Aware titled “Liveness detection in biometrics is essential for mobile authentication and onboarding” argues that there are important factors in liveness detection that need to be kept in mind when considering how well the technology really works.
Aware Vice President of Marketing and Product David Benini suggests that liveness algorithm testing, and therefore evaluation, is as challenging as biometric matching, or more so, and is still not well understood by customers and many within the industry.
“It’s an interesting topic because liveness technology is at a point where there’s still a lot that’s not understood about it, in a way that’s reminiscent of when biometrics first began to be used for mass-market applications,” Benini told Biometric Update in an email interview.
Some challenges to liveness implementations remain, and Benini warns that a lot of traditional liveness techniques are not sufficiently opaque, and may ultimately compromise on user experience while undermining their own security.
“There are liveness techniques that require some interaction with the user, such as a challenge and response, like a blink or head movement. But these tend to not only add friction to the user experience but also potentially instruct a fraudster on how he might try to defeat the mechanism,” he argues. “For example, a technique relying on blink detection might advise a fraudster to try to simulate a blink or use a video of their victim that includes a blink.”
The standard for presentation attack detection (PAD) is set by ISO/IEC 30107-3:2017, which stipulates a standard review lifecycle of five years, and sets out the “principles and methods for performance assessment.”
Independent third-party testing to the ISO/IEC 30107 PAD standard is performed only by iBeta and the UK’s National Physical Laboratory (NPL). Few other laboratories, including the Swiss Center for Biometrics and the Idiap Research Institute, provide biometrics testing, and NIST and the FBI provide certification for certain standards, but not liveness testing according to the ISO/IEC standard.
“While ISO 30107 provides a process for testing liveness performance, it leaves it to the market to set performance thresholds for a given application, and this is what the FIDO Alliance has done in their biometric performance certification spec,” Benini explains. “But labs are also providing different testing services and reports that ‘certify’ that the test was performed in a 30107-compliant manner, regardless of the performance outcome.”
Further, identity concealment attempts are the primary PAD concern for onboarding applications, rather than impersonation attempts. Because the former does not necessarily involve what is called in the white paper a “genuine biometric reference sample,” the range of potential spoofs which must be detected is much broader, according to Aware.
Testing results, particularly when presented in brief, do not necessarily capture such nuance, Benini argues.
Testing and certification
IAPMR (Impostor Attack Presentation Match Rate) measures the ability to detect presentation attacks on an existing biometric image. This statistic, therefore, is “not relevant” to onboarding, according to the white paper.
APCER (attack presentation classification error rate) and BPCER (bona fide presentation classification error rate) are more analogous to FMR and FNMR in biometric matching, the white paper says, and therefore important to a full understanding of how effectively a liveness technology has performed. Because they measure false positive and negative error rates in classifying spoofs, APCER and BPCER are particularly important for onboarding applications where authentication is not performed.
“As I mention in the paper, I think that 30107, FIDO, and the labs are all contributing greatly to helping make sense of this technology. But the certifications really need to be considered as just one factor in a product assessment,” Benini contends.
“For example, as we’ve seen with some results reporting, an APCER can be reported as perfect, with no spoofs missed. But if this result is achieved by artificially setting thresholds to do so, the BPCER might be quite high. A BPCER of 30 percent, as we have seen reported, means that genuine users will experience false positives 30 percent of the time. Those settings are not feasible for a real deployment, and so the APCER result isn’t terribly meaningful in this case.”
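The threshold trade-off described above, worked through as an added example (not code from the white paper, Aware, or any test lab): it computes APCER and BPCER at several decision thresholds and shows a threshold that yields a zero APCER alongside a 30 percent BPCER. The score scale, the "higher means live" convention, the attack type names and every sample score are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (liveness_score, label). Higher score = more live.
# Label is "bona_fide" or a hypothetical attack instrument type.
SAMPLES = (
    [(s, "bona_fide") for s in
     (0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.72, 0.65, 0.58)]
    + [(s, "print") for s in (0.10, 0.22, 0.35, 0.30)]
    + [(s, "replay") for s in (0.40, 0.55, 0.62, 0.75)]
    + [(s, "mask") for s in (0.20, 0.45, 0.50, 0.70)]
)
THRESHOLDS = (0.5, 0.6, 0.7, 0.8)


def error_rates(samples, threshold):
    """Return (apcer, bpcer); a presentation is accepted if score >= threshold.

    APCER: share of attacks accepted as live, taken as the worst case
    across attack types so one weak spot is not averaged away.
    BPCER: share of genuine presentations rejected as attacks.
    """
    attacks = defaultdict(lambda: [0, 0])  # type -> [accepted, total]
    bf_rejected = bf_total = 0
    for score, label in samples:
        accepted = score >= threshold
        if label == "bona_fide":
            bf_total += 1
            bf_rejected += not accepted
        else:
            attacks[label][0] += accepted
            attacks[label][1] += 1
    apcer = max(acc / total for acc, total in attacks.values())
    return apcer, bf_rejected / bf_total


def operating_point(samples, thresholds, max_bpcer):
    """Lowest-APCER threshold whose BPCER stays within a usability budget."""
    rows = [(t, *error_rates(samples, t)) for t in thresholds]
    feasible = [r for r in rows if r[2] <= max_bpcer]
    return min(feasible, key=lambda r: r[1]) if feasible else None


if __name__ == "__main__":
    for t in THRESHOLDS:
        apcer, bpcer = error_rates(SAMPLES, t)
        print(f"threshold={t:.1f}  APCER={apcer:.0%}  BPCER={bpcer:.0%}")
    print("within 10% BPCER budget:", operating_point(SAMPLES, THRESHOLDS, 0.10))
```

On this constructed data the "perfect" APCER only appears at the threshold that rejects three in ten genuine users; once BPCER is capped at 10 percent, the best achievable APCER is 50 percent, which is why the two figures need to be read together at the same threshold.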
Benini also points out that, like biometric matching, liveness needs to work in a variety of light conditions, and with a variety of different faces, for real-world applications. These variations should ideally be, but are not necessarily always, accounted for in the testing process.
Browser-based liveness detection is increasingly in demand, according to the white paper, to increase the convenience of the technology by removing the need to install an additional mobile app during the onboarding process.
Ultimately, Benini suggests that rather than outsource the entire process, banks can do their own research to try to proactively identify potential weak spots, as they may do with any other security check. They should also consider the use case carefully, and determine whether they need to train or configure the algorithm to optimize it for defense against a certain kind of attack, he advises.
Aware is planning to talk more about how its customers are using Knomi for authentication and onboarding, and how liveness detection comes into play in different scenarios, according to Benini. The rest of the industry, and companies in many verticals relying on secure online identity, will also be discussing biometric liveness, as the technology increases in prominence and importance.