Biometrics use an individual’s unique biological identifiers to verify his or her identity. This inherence-based authentication presents an ideal enhancement to possession-based (something only you have) or knowledge-based (something only you know) authentication. Nevertheless, biometric authentication is susceptible to “presentation attacks” such as spoofing, which attempt to defeat a biometric verification or identification process. The execution of the presentation attack will vary based on the biometric modality; that is, whether the biometric technique uses fingerprints, face, iris, voice, or keystroke biometrics.
Some modalities are harder to spoof than others. Furthermore, fraudsters will use different spoofing techniques for each modality. Therefore, the mechanisms required to detect spoofs and other presentation attacks must also be specifically designed for the modality.
Liveness detection is useful not only for authentication but also for identity proofing. Where biometric authentication involves verification that the user is the same person who initially enrolled, biometric identity proofing can be performed as part of an onboarding process to verify that the applicant is in fact a real person. An example is using a mobile banking application to apply for a new account. The person is not known to the bank, so liveness detection can be used to confirm that the applicant is not trying to open a fraudulent account.
What is a presentation attack?
A presentation attack is any attempt to interfere with the intended purpose of a biometric system. Spoofing is a type of presentation attack.
A fraudster might use spoofing attacks to impersonate someone in order to defeat a biometric authentication mechanism. For example, to spoof a facial biometric algorithm, they might attempt to use a non-live image such as a video or photograph to impersonate a targeted victim. For fingerprints, they may use a “gummy finger” created by casting the fingerprint in clay.
Another type of presentation attack entails attempting to disguise a true identity to avoid being identified in a biometric search. An individual might grow out facial hair or wear makeup and prosthetics that alter their appearance, which could help them trick a one-to-many biometric search. Alternatively, they might attempt to mutilate their fingertips. Either scenario would potentially allow them to enroll more than one identity.
For the purposes of biometric authentication on an Android smartphone, Google differentiates between “impostor” attacks and “spoof” attacks. The former is an attempt by a fraudster to impersonate the victim by disguising his or her own features; the latter uses a non-live representation such as a video or audio recording. Google sets metrics for attack detection, with a threshold of a 7% accept rate or less for strong security, where the accept rate is the percentage of times an attack is not detected. This is analogous to a biometric “false accept rate”, which represents the likelihood that a person is incorrectly identified as a biometric match.
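The accept-rate metric described above, as an added example that is not code from Google or Aware: it computes the rate per attack kind from a constructed trial log and compares it with the 7% threshold from the text. The trial data, the instrument names and the choice to judge each kind on its worst instrument rather than the pooled rate are assumptions made for illustration.

```python
from collections import defaultdict

# Threshold stated in the text for "strong" security (accept rate of 7% or less).
STRONG_MAX_ACCEPT_RATE = 0.07

def make_trials():
    """Constructed test log: (attack_kind, instrument, accepted_by_system)."""
    trials = []
    def add(kind, instrument, attempts, accepted):
        trials.extend((kind, instrument, i < accepted) for i in range(attempts))
    add("spoof", "printed_photo", 100, 2)     # non-live representation
    add("spoof", "replayed_video", 100, 9)    # non-live representation
    add("impostor", "makeup", 50, 3)          # live person in disguise
    return trials

def accept_rates(trials):
    """Accept rate = attacks not detected / attacks attempted, per key."""
    counts = defaultdict(lambda: [0, 0])      # key -> [accepted, attempts]
    for kind, instrument, accepted in trials:
        for key in ((kind, instrument), (kind, "ALL")):
            counts[key][0] += int(accepted)
            counts[key][1] += 1
    return {key: acc / n for key, (acc, n) in counts.items()}

def evaluate(trials, threshold=STRONG_MAX_ACCEPT_RATE):
    """Report pooled and worst-instrument accept rates for each attack kind."""
    rates = accept_rates(trials)
    report = {}
    for kind in sorted({k for k, _ in rates}):
        per_instrument = {i: r for (k, i), r in rates.items()
                          if k == kind and i != "ALL"}
        worst = max(per_instrument, key=per_instrument.get)
        report[kind] = {
            "pooled": rates[(kind, "ALL")],
            "worst_instrument": worst,
            "worst_rate": per_instrument[worst],
            # Assumption: pass/fail is judged on the weakest instrument,
            # because a pooled rate can hide one attack type that gets through.
            "meets_strong": per_instrument[worst] <= threshold,
        }
    return report

if __name__ == "__main__":
    for kind, row in evaluate(make_trials()).items():
        print(kind, row)
```

In the constructed data the pooled spoof rate is under 7%, yet replayed video alone exceeds it, which is why the report breaks the rate down by instrument.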
What is liveness detection?
Liveness detection is any technique used to detect a spoof attempt by determining whether the source of a biometric sample is a live human being or a fake representation. This is accomplished through algorithms that analyze data collected from biometric sensors to determine whether the source is live or reproduced.
There are two main categories of liveness detection:
Active: Prompts the user to perform an action that cannot be easily replicated with a spoof. It might also incorporate multiple modalities, such as keystroke analysis or speaker recognition. The latter may analyze movement of a mouth to determine liveness.
Passive: Uses algorithms to detect indicators of a non-live image without user interaction. Capture of high-quality biometric data during enrollment improves the performance of matching and liveness detection algorithms.
One or the other may be preferable in certain scenarios, but they generally work better together.
Facial recognition and liveness detection: An example
Facial recognition is an ideal biometric modality for mobile authentication. It is intuitive and adaptable to most mobile devices, with widespread camera integration in commercial devices. It works with a familiar “selfie” pose. However, the widespread availability of digital facial images via social media makes facial biometrics more susceptible to spoofing. For this reason, it is critical to apply robust liveness detection for mobile biometric authentication solutions that use facial recognition.
In facial recognition, liveness detection is used to distinguish between a live image and a 2D printed, 3D printed, or digital representation of a user’s face. Other spoof attempts may involve the use of a 3D mask. Spoof attempts can be detected through algorithms that recognize artifacts of a non-live sample, and may use “active” measures, such as a second modality (e.g. keystroke analysis or voice). Liveness detection methods significantly reduce the effectiveness of spoofing and other presentation attacks.
Aware products for liveness detection
Knomi: Mobile authentication framework that supports active and passive liveness detection for face and voice.