Detecting face biometric liveness misconceptions
Liveness detection is advancing rapidly in effectiveness, and in business awareness and adoption as a way to bring security to biometric identity verification. The technology remains relatively poorly understood, however, both in terms of how it works and in terms of what works well and what kinds of spoofs remain difficult to spot.
Deepfakes are an attention-grabbing threat, all the more so because they are a more easily understood technology. They are only one in a wide range of presentation attack threats to biometric systems, however, all of which can be addressed if the right technology is applied in the right way.
The field is relatively new; leading liveness detection developer BioID has the longest experience in the market, having received a patent in 2004. Today liveness detection is increasing in importance as biometrics are adopted for ever-more services. Face biometrics captured as selfies taken on mobile phones may soon be the standard way for people all over the world to open a bank account, and many other applications are not far behind.
The field of liveness detection is maturing, in terms of technology, research, and the marketplace, as appreciation increases for its importance to biometric security, but misconceptions remain common.
From a brief review of the kind of presentation attacks attempted on face biometric identity verification systems, and the standards for technologies to detect them, businesses can get a clear idea of what they need to look for when selecting a liveness detection partner.
The attack ecosystem
Businesses experience many different categories of attacks, and each category breaks down into different types and versions.
Common presentation attacks actually reported in the field include images printed out or displayed on a screen, either as a still image or video, and masks, ranging from relatively simple two-dimensional cutouts to sophisticated 3D models.
Injection attacks, in which the camera is bypassed and the image is presented to the application by a virtual camera driver, are a challenging type of attack related to liveness detection, because the injected image will likely be interpreted as live, but they can be prevented. Applications should consider blacklisting virtual cameras, implementing challenge-response mechanisms, randomizing image capture settings, and using native mobile apps rather than web applications.
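A server-side sketch of how those measures can fit together, as an added example that is not BioID's code or part of the original article: the server issues a signed, short-lived challenge with randomized capture settings, then rejects replays, virtual-camera labels and captures that do not match what was requested. The field names, the `observed` metadata and the blocklist entries are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)                  # assumed per-deployment secret
VIRTUAL_CAMERA_HINTS = ("obs", "virtual", "manycam")  # illustrative blocklist entries
_used_nonces = set()                                  # in-memory store, for the example only

def _tag(payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(now=None, ttl=30):
    """Pick unpredictable capture settings and sign them so the client cannot alter them."""
    now = time.time() if now is None else now
    payload = {
        "nonce": secrets.token_hex(16),
        "expires": now + ttl,
        "resolution": secrets.choice(["640x480", "1280x720", "1920x1080"]),
        "action": secrets.choice(["turn_left", "turn_right", "look_up"]),
    }
    return {"payload": payload, "tag": _tag(payload)}

def verify_submission(challenge, observed, now=None):
    """Return (accepted, reason). `observed` holds what the server saw in the capture."""
    now = time.time() if now is None else now
    payload = challenge["payload"]
    if not hmac.compare_digest(_tag(payload), challenge["tag"]):
        return False, "bad_tag"
    if now > payload["expires"]:
        return False, "expired"
    if payload["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(payload["nonce"])  # one attempt per challenge, pass or fail
    # The device label is client-supplied, so the blocklist is only a weak signal.
    label = observed.get("camera_label", "").lower()
    if any(hint in label for hint in VIRTUAL_CAMERA_HINTS):
        return False, "virtual_camera"
    wanted = (payload["resolution"], payload["action"])
    if (observed.get("resolution"), observed.get("action")) != wanted:
        return False, "settings_mismatch"
    return True, "ok"
```

A pre-recorded or injected stream cannot know the resolution and action in advance, and burning the nonce on first use stops an attacker from retrying the same challenge until a guess succeeds.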
Photo (or print) and video replay attacks are said by researchers to be the most common attacks found in the wild, due to the availability of source material.
More resource-intensive techniques like deepfakes do not offer the scale and cost-efficiency to be widely deployed in biometric presentation attacks.
BioID’s liveness detection system catches deepfake presentation attacks, and the company has been selected for participation in the German government-funded FAKE-ID project working specifically on deepfake detection algorithms.
From a fraud perspective, deepfakes remain more useful in domains other than presentation attacks, like social media trickery or spear-phishing. Effective liveness detection systems can spot the differences that give deepfakes away, even when they are invisible or barely discernible to the human eye. Accordingly, BioID research indicates that blinking detection, occlusion detection and image forensics can identify deepfakes, even among images or videos that appear highly convincing to human examiners.
The International Standards Organization and International Electrotechnical Commission (ISO/IEC) standard for presentation attack detection is 30107. Part 1 provides the framework, Part 2 covers data formats, and Part 3 sets out the standard for testing and reporting biometric PAD systems.
ISO/IEC 30107-3 sets a standard for testing full biometric systems, so PAD tests are typically conducted on an iOS or Android device, or both. The standard requires that the accuracy of the PAD subsystem be measured as attack presentation classification error rate (APCER) and bona fide presentation classification error rate (BPCER). It does not, however, specify accuracy thresholds for compliance.
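How the two rates are computed from PAD decisions, as an added example that is not from the article or from any test lab: APCER is calculated separately for each presentation attack instrument (PAI) species, and the example also reports the highest per-species value, because pooling all attacks can hide one weak spot. The species names and the sample results are constructed for illustration.

```python
from collections import defaultdict

def pad_error_rates(presentations):
    """Compute per-species APCER, worst-case APCER and BPCER.

    presentations: iterable of (kind, pai_species, decision), where kind and
    decision are "attack" or "bona_fide" and pai_species is None for bona fide.
    """
    attacks = defaultdict(lambda: [0, 0])   # species -> [accepted_as_bona_fide, total]
    bf_rejected = bf_total = 0
    for kind, species, decision in presentations:
        if kind == "attack":
            attacks[species][1] += 1
            attacks[species][0] += decision == "bona_fide"   # attack that got through
        else:
            bf_total += 1
            bf_rejected += decision == "attack"              # genuine user turned away
    apcer = {s: missed / total for s, (missed, total) in attacks.items()}
    return {
        "apcer_by_species": apcer,
        "apcer_max": max(apcer.values()) if apcer else None,
        "bpcer": bf_rejected / bf_total if bf_total else None,
    }

def build_sample():
    """Constructed test results: 120 attack and 100 bona fide presentations."""
    return (
        [("attack", "print", "attack")] * 48
        + [("attack", "print", "bona_fide")] * 2
        + [("attack", "screen_replay", "attack")] * 45
        + [("attack", "screen_replay", "bona_fide")] * 5
        + [("attack", "3d_mask", "attack")] * 20
        + [("bona_fide", None, "bona_fide")] * 97
        + [("bona_fide", None, "attack")] * 3
    )

if __name__ == "__main__":
    for name, value in pad_error_rates(build_sample()).items():
        print(name, value)
```

In this sample the pooled attack error would be 7 of 120, while the screen replay species alone is at 5 of 50, which is why the per-species breakdown is the figure to ask a vendor or lab for.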
The U.S. National Institute of Standards and Technology (NIST) evaluates laboratories for their capability to perform tests to ISO/IEC 30107-3, but is not the only organization that does so. Accredited biometrics testing laboratories also include the Idiap Research Institute in Switzerland, TÜViT (TÜV Informationstechnik GmbH) in Germany and French labs Fime, Elitt and Leti.
There also continues to be confusion in the market about what these labs confer. Passing a test to the ISO presentation attack detection standard results in “confirmation of compliance,” rather than “certification.” It also does not include deepfakes. The standard ensures that any system that has been confirmed for compliance by any of the accredited laboratories follows the ISO/IEC standard, and meets its threshold for presentation attack detection accuracy.
This means, for instance, that BioID’s ISO/IEC 30107-3 compliance confirmation for Level 1 and Level 2 from TÜViT is equal to any other qualified independent lab’s attestation of compliance to the international standard.
There are also other standards, such as those from the FIDO Alliance, but they are also aligned with the ISO standard.
The confusion around presentation attacks and PAD technologies is understandable, given the relative newness of the technology, and the continued success of fraud attempts against digital services. The leading biometric PAD systems on the market, properly implemented, are highly effective at defeating spoof attacks.
As in other areas of biometrics, transparency is crucial to understanding, not just among the general public, but also customers. Robust liveness detection algorithms can now detect presentation attacks at near-perfect rates, and independent testing provides a starting point for customers to find the PAD solution that will work for them.
Though the ISO standard does not specify accuracy requirements, testing labs and vendors publish this information, which customers can inquire about for further guidance.
BioID works directly with both banks and identity onboarding and authentication providers worldwide to help them secure identity verification processes from fraud with robust liveness detection technology.
As both PAD technology and the market mature, it is incumbent on technology providers to communicate transparently with the wider community about both the threats to biometric systems and liveness detection advances, in the interest of reducing fraud.