Aware white paper examines the state of biometric liveness
The importance of liveness detection in mobile onboarding and a range of other use cases is clearly seen in the demand for effective liveness in the market, as customers attempt to stay ahead of increasingly sophisticated fraud attempts. Liveness also ensures the integrity of other biometric onboarding functions, such as driver’s license checks and biometric watch list checks.
A new white paper from Aware titled “Liveness detection in biometrics is essential for mobile authentication and onboarding” argues that there are important factors in liveness detection that need to be kept in mind when considering how well the technology really works.
Aware Vice President of Marketing and Product David Benini suggests that liveness algorithm testing, and therefore evaluation, is as challenging or more so than biometric matching, and is still not understood well by customers and many within the industry.
“It’s an interesting topic because liveness technology is at a point where there’s still a lot that’s not understood about it, in a way that’s reminiscent of when biometrics first began to be used for mass-market applications,” Benini told Biometric Update in an email interview.
Some challenges to liveness implementations remain, and Benini warns that many traditional liveness techniques are not sufficiently opaque to attackers, and may ultimately compromise the user experience while undermining their own security.
“There are liveness techniques that require some interaction with the user, such as a challenge and response, like a blink or head movement. But these tend to not only add friction to the user experience but also potentially instruct a fraudster on how he might try to defeat the mechanism,” he argues. “For example, a technique relying on blink detection might advise a fraudster to try to simulate a blink or use a video of their victim that includes a blink.”
Standards
The standard for presentation attack detection (PAD) is set by ISO/IEC 30107-3:2017, which stipulates a standard review lifecycle of every five years, and sets out the “principles and methods for performance assessment.”
Independent third-party testing to the ISO/IEC 30107 PAD standard is performed only by iBeta and the UK’s National Physical Laboratory (NPL). A few other laboratories, including the Swiss Center for Biometrics and the Idiap Research Institute, provide biometrics testing, and NIST and the FBI provide certification for certain standards, but not liveness testing according to the ISO/IEC standard.
The FIDO Alliance also provides PAD test procedures, with iBeta the first lab certified to perform it.
“While ISO 30107 provides a process for testing liveness performance, it leaves it to the market to set performance thresholds for a given application, and this is what the FIDO Alliance has done in their biometric performance certification spec,” Benini explains. “But labs are also providing different testing services and reports that ‘certify’ that the test was performed in a 30107-compliant manner, regardless of the performance outcome.”
Further, identity concealment attempts are the primary PAD concern for onboarding applications, rather than impersonation attempts. Because the former does not necessarily involve what is called in the white paper a “genuine biometric reference sample,” the range of potential spoofs which must be detected is much broader, according to Aware.
Testing results, particularly presented in brief, do not necessarily capture such nuance, Benini argues.
Testing and certification
IAPMR (Impostor Attack Presentation Match Rate) measures the ability to detect presentation attacks on an existing biometric image. This statistic, therefore, is “not relevant” to onboarding, according to the white paper.
APCER (attack presentation classification error rate) and BPCER (bona fide presentation classification error rate) are more analogous to FMR and FNMR in biometric matching, the white paper says, and therefore important to a full understanding of how effectively a liveness technology has performed. Because they measure false positive and negative error rates in classifying spoofs, APCER and BPCER are particularly important for onboarding applications where authentication is not performed.
“As I mention in the paper, I think that 30107, FIDO, and the labs are all contributing greatly to helping make sense of this technology. But the certifications really need to be considered as just one factor in a product assessment,” Benini contends.
“For example, as we’ve seen with some results reporting, an APCER can be reported as perfect, with no spoofs missed. But if this result is achieved by artificially setting thresholds to do so, the BPCER might be quite high. A BPCER of 30 percent, as we have seen reported, means that genuine users will experience false positives 30 percent of the time. Those settings are not feasible for a real deployment, and so the APCER result isn’t terribly meaningful in this case.”
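As an added worked example (not from Aware’s white paper, its Knomi product, or any lab report), the following Python computes the three metrics discussed above, APCER, BPCER and IAPMR, from constructed liveness and matcher scores, and sweeps the liveness threshold to show the effect Benini describes: the least strict threshold that rejects every spoof (a “perfect” APCER) rejects a sizeable share of genuine users. Every score, threshold and the 100-step grid are made-up assumptions chosen to make the arithmetic visible, not measurements of any product.

```python
"""Added example (not Aware's code): ISO/IEC 30107-3 style PAD error rates.

All scores below are constructed for illustration. Liveness scores are in
[0, 1], higher meaning "more likely a live, bona fide presentation".
"""
from typing import Iterable, List, Optional, Tuple

# Constructed liveness scores for ten genuine presentations and ten attacks
# (e.g. printed photos, screen replays). Not measurements of any product.
BONA_FIDE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60]
ATTACK_SCORES = [0.72, 0.55, 0.40, 0.35, 0.30, 0.25, 0.20, 0.15, 0.10, 0.05]

# Constructed matcher scores of the same ten attacks against the victim's
# enrolled reference. Only meaningful when such a reference exists
# (authentication), which is why the paper calls IAPMR irrelevant to onboarding.
ATTACK_MATCH_SCORES = [0.91, 0.87, 0.76, 0.64, 0.40, 0.35, 0.22, 0.18, 0.12, 0.05]


def apcer(attack_scores: Iterable[float], threshold: float) -> float:
    """Attack Presentation Classification Error Rate: share of attack
    presentations wrongly classified as bona fide (score >= threshold)."""
    scores = list(attack_scores)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def bpcer(bona_fide_scores: Iterable[float], threshold: float) -> float:
    """Bona fide Presentation Classification Error Rate: share of genuine
    presentations wrongly rejected as attacks (score < threshold)."""
    scores = list(bona_fide_scores)
    return sum(1 for s in scores if s < threshold) / len(scores)


def iapmr(match_scores: Iterable[float], match_threshold: float) -> float:
    """Impostor Attack Presentation Match Rate: share of attack presentations
    the matcher accepts as the enrolled identity (score >= match_threshold)."""
    scores = list(match_scores)
    return sum(1 for s in scores if s >= match_threshold) / len(scores)


def sweep(bona_fide_scores: List[float], attack_scores: List[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """Evaluate (threshold, APCER, BPCER) on an evenly spaced threshold grid."""
    return [(i / steps,
             apcer(attack_scores, i / steps),
             bpcer(bona_fide_scores, i / steps))
            for i in range(steps + 1)]


def lowest_threshold_with_zero_apcer(bona_fide_scores: List[float],
                                     attack_scores: List[float],
                                     steps: int = 100) -> Optional[Tuple[float, float]]:
    """The least strict grid threshold that still rejects every attack, paired
    with the BPCER it costs. This is the 'perfect APCER' operating point that a
    headline result can hide; None if no grid threshold rejects every attack."""
    for threshold, a, b in sweep(bona_fide_scores, attack_scores, steps):
        if a == 0.0:
            return threshold, b
    return None


if __name__ == "__main__":
    # A moderate threshold lets two of ten spoofs through but rejects no one.
    for t in (0.50, 0.73):
        print(f"threshold {t:.2f}: APCER={apcer(ATTACK_SCORES, t):.2f} "
              f"BPCER={bpcer(BONA_FIDE_SCORES, t):.2f}")
    # Forcing APCER to zero on this data costs a 30 percent BPCER.
    print("zero-APCER operating point (threshold, BPCER):",
          lowest_threshold_with_zero_apcer(BONA_FIDE_SCORES, ATTACK_SCORES))
    print(f"IAPMR at match threshold 0.60: {iapmr(ATTACK_MATCH_SCORES, 0.60):.2f}")
```

When reading a lab report, the useful check is the pair (APCER, BPCER) at the operating point actually proposed for deployment, not either number alone; `sweep` makes the whole trade-off curve visible so a zero APCER bought with an unusable BPCER stands out.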
Additional considerations
Benini also points out that, like biometric matching, liveness needs to work in a variety of lighting conditions and with a variety of different faces for real-world applications. These variations should ideally be accounted for in the testing process, but they are not always.
Browser-based liveness detection is increasingly in demand, according to the white paper, to increase the convenience of the technology by removing the need to install an additional mobile app during the onboarding process.
Ultimately, Benini suggests that rather than outsource the entire process, banks can do their own research to try to proactively identify potential weak spots, as they may do with any other security check. They should also consider the use case carefully, and determine whether they need to train or configure the algorithm to optimize it for defense against a certain kind of attack, he advises.
Aware is planning to talk more about how its customers are using Knomi for authentication and onboarding, and how liveness detection comes into play in different scenarios, according to Benini. The rest of the industry, and companies in many verticals relying on secure online identity will also be discussing biometric liveness, as the technology increases in prominence and importance.
Biometrics testing is, indeed, a challenge. However, much has been learned over the past year-plus that is exceptionally valuable, and that can be used to make a much more objective assessment of a vendor’s performance claims. Although a start, the FIDO “certifications” are, so far, not advancing the state of confidence for the market. When the “passing” metric is to allow one in five spoofs to get through, a false sense of security is created, and with the next inevitable breach confidence in biometrics is dashed.
While nothing is perfect, and the hacking landscape continues to evolve, with rigorous yes/no testing parameters either a biometric works or it doesn’t. In any lab-oriented test, there are always compromises, but those sanctioned labs are the very best bets to make an assessment, if for no other reason than they are far more aware and prepared than any other organization to take on and make a public judgement on a biometric’s effectiveness. I, personally, wouldn’t try to recreate a UL test for my wall socket…
To say that it’s recommended an organization rely on their own internal testing – particularly after saying how challenging it is – doesn’t quite sit right. What they *can* do is supplement the sanctioned testing in environments that are outside of what a lab can provide. This is a usability issue, not a security issue. After determining a product performs as advertised, it should only then kick off a small POC that puts the solution into the wild to see just how it works in various lighting and environmental circumstances.
To suggest an entity like a bank – which is *not* in the security business – make adjustments to a biometric is puzzling at best. Unless that organization has a full staff dedicated to biometric security *development*, it’s like asking the owner of a Tesla to dive into their batteries to see if they can eke out a few more miles. This is not a DIY industry.
Regarding impostor attacks, of course that is not *directly* related to liveness detection. However, attempting to create fake accounts using non-human objects is a well-known approach. For example, one can – today – use a Styrofoam bust to enroll in Windows Hello that will then allow all subsequent logins with that artifact. Beyond identifying a live/non-live entity, the solution must *also* have exceptional image matching capabilities to ensure that the user is both alive and correct when requesting access. If the process detects a non-human artifact, the process should stop. If there is no match, the process should provide only 2-3 more attempts.
This industry appears to be going through another infancy stage with a bevy of young, progressive companies taking different approaches to long-standing problems. Let’s hope this pressure from within and from the marketplace clamoring for better solutions makes an impact on performance, vendor responsibility and transparency.