Explainer: Biometric presentation attack detection and liveness checks
Biometrics as an authentication method have rapidly caught on not just for their accessibility, ease of use and contactless operation, but for the precision of the security they offer. Biometrics are, with some notable exceptions, unique, and although false matches can occur in any probabilistic system operating at scale, a malicious actor presenting their own biometrics is highly unlikely to be granted access to another person’s services, accounts and sensitive data. But as with any security measure, biometric systems can be hacked.
A ‘presentation attack’ is a fraud attempt in which a bad actor acquires the biometric data of an individual and uses it to gain access to a service they are not authorized to use, manipulates data to do so, or uses a synthetic identity to spoof the system. Victims’ biometrics can be obtained by hacking a database and copying biometric data such as voice files or fingerprint templates, or by purchasing stolen data on the dark web. The copied data can then be used to access accounts and pass through security measures unopposed. A bad actor could steal fingerprint data, replicate it as a fake fingerprint and pass fingerprint scans at a secured building, for example.
The need to protect against presentation attacks led to ‘presentation attack detection’ (PAD). A biometrics sensor can be built to automatically detect when a presentation attack is occurring and take appropriate defensive actions against it. PAD also extends to cases where people deliberately distort their biometrics to prevent an accurate record from being taken, such as damaging their fingerprints so a police fingerprint database will not have a proper record of them.
A subset of PAD is the concept of ‘liveness,’ which determines whether the presentation being checked comes from a living being rather than a spoof such as a printed image, a recorded video or a silicone fingerprint. Liveness detection analyzes signals such as anatomical details and reactions, for example eye movements during a face scan, to determine whether the input comes from a living subject.
PAD and liveness detection systems are either ‘active,’ meaning they challenge the user to perform an action such as moving their head or the camera, or ‘passive,’ meaning they require no action from the user.
An international standard for PAD is provided in the form of ISO/IEC 30107. Part 1 sets out a framework for biometric presentation attack detection, part 2 covers data formats, and part 3 covers testing and reporting. Part 4 extends the testing profile to mobile devices.
National science authorities, including but not limited to the National Institute of Standards and Technology (NIST) in the United States, can accredit laboratories to test the performance of vendor solutions against the ISO 30107 standard.
To provide a fair and unbiased analysis of the efficacy of PAD, independent testing labs are accredited to assess how well a particular biometric system detects presentation attacks. Accredited labs are contracted by biometric algorithm providers to provide proof of the effectiveness of their algorithms, gain public awareness and market their products. The results of the testing are sometimes publicly released, but not always.
Attacks are classified according to their sophistication and divided into levels. PAD systems must evolve over time to defend against new attack techniques.
Any PAD system must also walk a fine line between being secure and not being overly sensitive, which would inconvenience the vast majority of legitimate users.
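The trade-off described above is what ISO/IEC 30107-3 testing quantifies: APCER (the share of attack presentations wrongly accepted as bona fide, reported per attack type) against BPCER (the share of genuine presentations wrongly rejected). The following is an added example, not code from the original explainer or from any vendor or lab; the PAD scores, attack type names and threshold sweep are constructed to illustrate how tightening the threshold lowers APCER while raising BPCER.

```python
# Constructed PAD scores: higher means the detector believes the presentation is
# bona fide (live). Values are illustrative, not measurements from any product.
BONA_FIDE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.62, 0.97, 0.90, 0.73, 0.86]

# Constructed attack presentations, grouped by presentation attack instrument
# (PAI) species as ISO/IEC 30107-3 requires APCER to be reported per species.
ATTACKS = {
    "printed_photo":  [0.12, 0.20, 0.08, 0.31, 0.15],
    "replayed_video": [0.45, 0.52, 0.38, 0.61, 0.49],
    "silicone_mask":  [0.66, 0.71, 0.58, 0.74, 0.69],
}

def apcer(scores, threshold):
    """APCER for one PAI species: fraction of attack presentations that score at
    or above the acceptance threshold and are therefore wrongly classified as
    bona fide."""
    return sum(s >= threshold for s in scores) / len(scores)

def bpcer(scores, threshold):
    """BPCER: fraction of bona fide presentations that fall below the threshold
    and are wrongly rejected as attacks (the 'inconvenience' side of the line)."""
    return sum(s < threshold for s in scores) / len(scores)

def evaluate(threshold, bona_fide=BONA_FIDE, attacks=ATTACKS):
    """Figures for one operating point: APCER per species, the worst-case APCER
    (the headline figure is the maximum over species), and BPCER."""
    per_species = {name: apcer(s, threshold) for name, s in attacks.items()}
    return {
        "threshold": threshold,
        "apcer_by_species": per_species,
        "apcer_max": max(per_species.values()),
        "bpcer": bpcer(bona_fide, threshold),
    }

def pick_threshold(max_apcer, bona_fide=BONA_FIDE, attacks=ATTACKS):
    """Sweep thresholds in steps of 0.01 and return the lowest one whose
    worst-species APCER meets the security target: the most user-friendly
    operating point (lowest BPCER) that still satisfies the required APCER."""
    for i in range(0, 101):
        result = evaluate(i / 100, bona_fide, attacks)
        if result["apcer_max"] <= max_apcer:
            return result
    return None  # no threshold in [0, 1] meets the target on this data

if __name__ == "__main__":
    for target in (0.2, 0.0):
        r = pick_threshold(target)
        print(f"APCER target {target}: threshold {r['threshold']}, "
              f"worst APCER {r['apcer_max']}, BPCER {r['bpcer']}")
```

On this constructed data, demanding zero accepted attacks pushes the threshold up until one in five genuine users is rejected, which is exactly the sensitivity cost the paragraph above warns about.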