Active and passive liveness detection for biometric face authentication explored in ID R&D whitepaper
As biometric liveness detection technology advances, companies are struggling to keep up with developments sufficiently to understand the relative advantages and disadvantages of different offerings, such as active and passive liveness checks, according to a new whitepaper from ID R&D.
“The Important Role of Liveness Detection in Face Biometric Authentication and How to Choose the Right One for Your Use Case” details the background of increasing facial recognition use in identity verification for a range of applications, including logical access, financial transactions and onboarding, and the need for liveness detection to secure them against fraud attempts.
ID R&D Senior Vice President John Amein told Biometric Update in an email interview that “the majority of the companies we talk to are aware of liveness because it is essential in the onboarding process, required both by regulation and bank security.”
They might adopt and continue using active liveness technologies, if not for high customer abandonment rates and the vulnerability that comes with making the mechanism obvious to potential fraudsters, he says.
The whitepaper explains that liveness detection is a process of detecting presentation attacks like photo or video spoofing, deepfakes, models or 3D masks, rather than a matching process. Active and passive approaches are defined and compared.
ID R&D notes abandonment rates for active liveness detection of up to 50 percent have been reported, defeating the purpose of a system meant to enable easy remote onboarding, but the alternative is not yet widely known.
“At this point most companies are not aware that a truly passive solution is now possible,” Amein states.
ID R&D launched its passive liveness detection technology last August.
Pros and cons for different use cases
The whitepaper notes different active liveness detection mechanisms based on user responses to a challenge, such as moving a certain way, following an object on the screen, or moving the camera.
Passive approaches include shining varying lights at the user, capturing short videos, examining a selfie, and hardware-assisted approaches like depth-sensing.
The potential drawback of using a single selfie image for passive liveness detection is that it requires a server-side component to perform the analysis. This does not present a problem for many use cases, including digital onboarding for banks, which Amein says stands out as the hot segment among a number of verticals.
Convincing customers that it provides a high level of security may be more of a hurdle to overcome for some businesses.
“There’s huge skepticism that a single selfie can work!” Amein admits. “We laugh about this with people when we do demonstrations because they have a hard time believing it. Then we show them. Then they try for themselves using software we provide so they can test on their own databases of images. So far, the feedback we get is, ‘Your technology is amazing!’”
Onboarding new customers and accounts, securing digital customers, payment security and cardless access use cases are considered, and five key considerations for organizations evaluating liveness technologies are described in the whitepaper. Simplicity, environmental factors, cross-channel compatibility, and ease of integration and deployment are identified as things to think about when choosing which specific type of liveness detection technology to implement.
ISO liveness standard challenging
The final consideration set out by ID R&D is third-party testing, to the ISO presentation attack detection (PAD) standard. The company notes that iBeta Quality Assurance, which performed ID R&D’s Level 1 PAD testing, is the only biometric testing lab accredited for NIST’s National Voluntary Laboratory Accreditation Program (NVLAP). The company says it also plans to soon undergo Level 2 testing.
The whitepaper states that, among those known to be certified or compliant so far, only two companies have passed ISO/IEC 30107-3:2017 testing with active detection technologies, and two with passive detection technologies.
“ISO 30107-3 compliance is a tough standard whether active or passive. Many companies have failed to pass because for Level 1, there is zero margin for error. Not even one spoof attempt is allowed through,” explains Amein.
“What’s also important to recognize is that passing ISO 30107-3 describes how strong the system is from a security point of view, but it says nothing about the user experience. There are systems that have passed, but they also cause customer abandonment because they can be difficult for the user to follow instructions and execute properly. This is why we see more companies choosing to partner with technology providers like ID R&D to bring a compliant solution to market that also delivers a great user experience.”
All face biometric solutions are vulnerable to sophisticated presentation attacks, the whitepaper concludes. Detecting these attacks without introducing too much friction into the process is the challenge for businesses implementing liveness technology, according to ID R&D. With an understanding of the options and how they apply to the business's use case, fraud rates can be lowered without causing customer abandonment of digital processes.