Winks, Blinks, Smiles And Poses: Which Is Better At Anti-Spoofing?
A wave of consumers and enterprises are turning to bio metric authentication to improve the outmoded login process that relies on vulnerable username/password protection. Early enterprise adopters include financial institutions, forecasted to spend over $5 billion on bio metric authentication by 2020. And with the rise of IoT, already estimated at 6.4 billion devices, new keyboard less, compute form factors are coming to market, many requiring some form of bio metric authentication, another major factor in the rapid growth for face authentication.
As face recognition authentication becomes mainstream, we can expect increased efforts to breach this next level of security. Cyber criminals and hackers are busy looking for ways to ‘spoof’ face recognition to gain access to data locked in devices and apps.
Spoofing is tricking the face authentication hardware and software to think that the real user is logging in when actually it’s someone else holding a phone with a picture of the real user, or a video. This type of attack can include the complicity of the real user, or it can be carried out without their knowledge perhaps using personal photos and videos that are widely available online.
Fortunately, a number of companies, including Applied Recognition are innovating, integrating and evolving new anti-spoofing features within our products to increase security and stay a step ahead of hackers.
There are a number of ways to protect against a spoof attack, some more effective than others. The current approach is referred to as Liveness Detection, essentially creating a way to prove to the authentication system that the user accessing the app or device is physically present, and not a photo or video. How do you prove someone is actually on the other of the system? Ask them to do something and then see if they do it, what’s called a Challenge Response. The hardware sensors or software programs are looking for motion over the face. If they cannot detect the movement access is denied. This is referred to as a dynamic approach, since it’s tracking the trajectory of the face as it goes through a number of motions.
Dynamic motions for liveness detection
1. Wink – The system asks the user to wink or blink, tracking the eye motion.
2. Smile – The user is asked to smile, the system then tracks the change in position of different plotted points on the face.
3. Poses – Using the pose method requires the user to pose for a picture in a number of different positions. The system takes measurements of the various face points in the poses, creating a 3D model of the face. The geometry of a live face changes in these poses in a way that 2D photo cannot. This has proven to be the most effective anti-spoofing method defeating a still photo or a video of the user, with an error rate of just .3% in tests performed over the last few years.
Security Versus Ease of Use
Of course there are trade-offs with anti-spoofing. Just as remembering a strong password is harder than remembering a weak one, asking the user to go through 4-5 poses greatly increases security but makes the login process that much longer. Consumers with personal devices and apps will likely decide they have enough protection with a single, straight-on look into the camera that takes milliseconds to unlock. Enterprises that face a larger threat of data breaches will likely go with stronger anti-spoofing steps. And financial institutions who need to meet more stringent requirements for processing new accounts and transactions will go even further combining face authentication and photo ID matching to add a new layer of security.
Face recognition solutions need to enable more granular control to provide for effective ratios between security and convenience to users of the system.
Taking the Offensive Against Hacking
We’re continuing to work on new ways to detect the difference between a person and a spoof, and getting into a position where we’re not just defending against hackers and cybercriminals, we’re actually getting proactive about defeating them from future attacks. to take it one step further. If our authentication program, Ver-ID™ Authentication, suspects a spoofing attempt, we can easily capture photos of the person making the attempt and alert the user, the systems administrator, or both, with the photo evidence of the attempt. This in itself is a significant preventative measure that will discourage such attackers. It is like having a video surveillance camera protecting your device. Privacy is still ensured since the photo is only captured during a spoofing attempt.
This is just one example of how the combined efforts of leaders in the biometric industry are leading to improvements in methods and results, paving the way for adoption of this new technology, and making the digital world a safer, more secure place.
For more information on face recognition find us at www.appliedrec.com