BANDAR SUNWAY – When Apple FaceID first came out, videos and memes flooded the internet, showing ways to bypass the facial authentication system. Some came up with creative methods, such as unlocking the phone using the owner’s face while he/she is asleep or showing a photo of the owner to the camera.
These circumvention methods are called spoofing. While spoofing your partner’s phone is great for laughs and giggles, the same cannot be said for bank accounts and high-risk transactions, which increasingly rely on e-KYC for verification.
In 2019, Tencent’s Security Xuanwu Lab took spoofing to a new level. They came up with a way to directly inject visual and audio information into the phone, bypassing many anti-spoofing techniques reliant on the phone’s camera.
This is where liveness detection comes into play. Liveness detection is the process of verifying if the biometric captured is an actual measurement made by the authorised live person. Simply put, it seeks to answer, “are you who you say you are?”
For the past few decades, innovators have developed reliable ways to collect biometric data and pre-process the information. More recently, the technological bottleneck was to find reliable ways to match user identity based on facial features by using artificial intelligence.
According to Yu Chen from Tencent’s Security Xuanwu Lab, however, relatively little academic research has been done on liveness detection, despite the crucial part it plays in the biometric authentication process.
Here are the few existing methodologies for liveness detection:
1. Imitative medium recognition: This method searches for ways in which the biometric data received may have been doctored. The processes may include analysing the user’s skin textures, detecting motion blur on videos, or comparing reverbs within the audio.
2. Interactive action check: This method relies on the user performing specific and unique instructions during the e-KYC process, such as nodding and shaking their heads, opening their mouths, blinking, or saying particular phrases.
3. Hardware solutions: Rather than using software solutions, some devices rely on hardware for liveness detection. Examples include Apple Face ID’s dot projection system or time-of-flight (ToF) camera sensors deployed in several high-end smartphones.
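One way a server could issue and check the instructions for an interactive action check, as an added example that is not code from WISE AI or Tencent. The action names, the 30-second window and the assumption that a separate vision model reports which actions it saw are illustrative choices, not details from the article.

```python
import hashlib
import hmac
import secrets
import time

# Assumed action vocabulary, based on the actions the article lists.
ACTIONS = ("nod", "shake_head", "open_mouth", "blink")
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
TTL_SECONDS = 30                       # assumed validity window
_used_nonces = set()                   # in production: a shared store with expiry


def issue_challenge(length=3, now=None):
    """Return a random, signed, time-stamped action sequence for one session."""
    now = int(time.time() if now is None else now)
    rng = secrets.SystemRandom()
    steps = [rng.choice(ACTIONS)]
    while len(steps) < length:
        nxt = rng.choice(ACTIONS)
        if nxt != steps[-1]:            # avoid identical consecutive steps
            steps.append(nxt)
    nonce = secrets.token_hex(16)
    payload = f"{nonce}|{now}|{','.join(steps)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_response(challenge, observed_actions, now=None):
    """Check the signed challenge and the actions a vision model reported seeing."""
    now = int(time.time() if now is None else now)
    payload, tag = challenge["payload"], challenge["tag"]
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "rejected: challenge tampered"
    nonce, issued, steps = payload.split("|")
    if now - int(issued) > TTL_SECONDS:
        return "rejected: challenge expired"
    if nonce in _used_nonces:
        return "rejected: challenge already used"
    _used_nonces.add(nonce)             # single use, even when the attempt fails
    if list(observed_actions) != steps.split(","):
        return "rejected: actions do not match"
    return "accepted"
```

Because the sequence is random, signed, short-lived and single-use, the client cannot choose, edit or reuse the instructions it is asked to perform.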
While companies may be tempted to implement all or a combination of the methods above, they need to be aware of the tradeoffs being made for greater security. For example, not all users own iPhones or high-end phones with ToF cameras. Interactive action checks rely on users following on-screen instructions and also hinder user convenience and experience.
Hence, imitative medium recognition would be the default option for most companies. Thankfully, there are many differences between real and fake biometric inputs that this method exploits.
For facial recognition, there are many visual tell-tale signs of spoofing attempts. Examples include distorted skin textures, camera focus blur and distance, HSL colour loss and screen frame rates. Escalated further, these methods may also reference the audio input, such as the surrounding background noise and reverb, to verify the authenticity of the biometric information.
As our readers can tell, imitative recognition methods rely heavily on device camera inputs to work. That is why Tencent’s security exploit of directly injecting visual and audio information into the device is both groundbreaking and terrifying at the same time. Fortunately, Tencent’s method requires specialised hardware and access to the user’s phone, both of which are difficult to secure under real-world conditions.
Here at WISE AI, we have strong internal research teams that are actively working to resolve the issues mentioned. With regard to Deep Learning, research and experiments are constantly being conducted in this domain. We always keep up to date with the latest technological innovations and news to develop reliable and secure solutions for our clients.