Facial recognition is here to stay for mobile authentication. It’s fast, easy, and familiar to anyone who has taken a selfie. And thanks to the universal appeal of the selfie, just about all mobile handsets, even lower-cost ones, now have a front-facing camera. This is important because it means that biometrics can strengthen the security of mobile authentication more broadly than would be possible if we depended solely on device manufacturers, particularly in regions where lower-cost models have greater market share.
But what makes facial biometrics so convenient for mobile authentication is also a potential weakness: the ubiquity of selfies makes facial images easy to “spoof” as biometrics. They can be more easily acquired and used to surreptitiously impersonate someone for the purpose of fraudulently accessing their devices and accounts. While modalities like fingerprint and iris inherently pose fairly substantial technical hurdles to spoofing, it is easier for a fraudster to acquire someone’s facial image in the form of a digital photograph or video. Without sufficient precautions in place, a fraudster can impersonate a victim simply by presenting an image or video of the victim’s face in front of the camera during authentication, perhaps even using the display of another mobile device.
This is why it is critical to implement strong liveness detection measures for facial authentication that recognize when a facial image is not a live, authentic selfie but actually a photo or video taken of the potential fraud victim. Approaches to spoof detection can be classified as either “active”, requiring interaction with the subject, or “passive”, relying on analysis that requires no interaction.
For example, an active approach might display commands asking the subject to move their head, blink, or change their expression. These commands might be random and unpredictable. The software detects when the subject complies with the command. This hurdle makes it much more difficult to use a canned photo or video to spoof. A passive approach does not require interaction with the subject. Rather, the image or video is analyzed for features that make it suspicious, like frames around the face or inconsistency of movement between foreground and background. Ideally, both approaches are employed in concert.
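The active approach described above can be sketched as a challenge-response check. This is an added example, not Aware's code or API; the class name, command set and 20-second lifetime are hypothetical. It assumes a separate face-analysis step reports which actions it observed, and it shows only the parts that defeat a canned recording: unpredictable commands, a short expiry, and single use.

```python
import hashlib, hmac, secrets, time

ACTIONS = ("blink", "turn_left", "turn_right", "smile", "nod")  # hypothetical command set
TTL_SECONDS = 20  # assumed lifetime of one challenge

class LivenessChallenger:  # hypothetical name, for illustration only
    def __init__(self, key=None, clock=time.time):
        self._key = key or secrets.token_bytes(32)
        self._clock = clock
        self._used = set()  # nonces that have already been presented

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, n=3):
        """Return (commands, token): a random command sequence bound to a nonce and expiry."""
        rng = secrets.SystemRandom()  # CSPRNG, so the sequence cannot be predicted
        commands = [rng.choice(ACTIONS)]
        while len(commands) < n:
            nxt = rng.choice(ACTIONS)
            if nxt != commands[-1]:  # avoid asking for the same action twice in a row
                commands.append(nxt)
        body = f"{secrets.token_hex(16)}|{int(self._clock()) + TTL_SECONDS}|{','.join(commands)}"
        return commands, f"{body}|{self._mac(body)}"

    def verify(self, token, observed):
        """observed: ordered action labels from the (assumed) face-analysis step."""
        try:
            nonce, expires, commands, tag = token.split("|")
        except ValueError:
            return False
        body = f"{nonce}|{expires}|{commands}"
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return False  # token forged or altered
        if self._clock() > int(expires) or nonce in self._used:
            return False  # stale or replayed challenge
        self._used.add(nonce)  # one attempt per challenge, pass or fail
        return list(observed) == commands.split(",")
```

The observed labels must come from analysis the verifier trusts, since a client that simply echoes the commands back would pass this check.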
When accurate, easy-to-use liveness detection features are in place and spoof detection is properly implemented, facial biometrics are a convenient and useful means of authentication that effectively complements or even replaces PINs and passwords. Aware includes advanced facial liveness detection in its PreFace™ Mobile SDK for facial image capture and analysis on mobile devices, which is in turn incorporated in its FIDO® Face Authenticator, part of Aware’s FIDO® Suite authentication solution.