To combat the rise of identity fraud, organizations across industries have started implementing biometric (e.g., facial, retinal, fingerprint) scanning as part of their onboarding and log-in processes. In addition to innovating how companies verify and authenticate users, biometrics also lends to a more seamless user experience (like utilizing FaceID or TouchID on your phone instead of trying to remember multiple passwords).
While biometric technology has become more ubiquitous in everyday life, it’s not foolproof. We’ve all seen that movie where a professional thief uses a synthetic fingerprint to bypass a major security system. Online fraudsters, likewise, have a variety of options at their disposal (i.e., presentation attacks) to keep pace with the latest security advancements, making online identity verification and fraud prevention a never-ending game of cat and mouse.
What is liveness detection?
The answer, in part, to the vulnerabilities that exist in biometric scanning is liveness detection. Beyond just using facial, retinal, or fingerprint recognition as a means for identity verification, liveness detection goes one step further by determining whether the source of the sample is a live human being or a presentation attack, also referred to as “spoofing the system.”
Liveness detection can even be applied to voice recognition technology, as there is no limit to the number of vectors a hacker will infiltrate when attempting identity fraud.
Essentially, liveness detection utilizes AI-based algorithms to weed out presentation attacks, whether during an initial identity verification process (e.g., someone signing up for a bank account) or any authentication attempt (e.g., someone logging into their account). With facial recognition, for example, liveness detection leverages computer vision technology to more accurately detect whether the sample (either a selfie or video) is a real human face that also matches the identity document presented.
Active vs passive liveness detection
While solutions vary based on the type of biometric sample being considered, there are two main methods for liveness detection: active and passive.
Active liveness detection, as its name implies, requires active participation from the user. For facial recognition, this can include turning their head from side to side or up and down, which allows the scan to create a 3D map of the subject’s face through depth perception. This version of active liveness detection is ideal for combatting 2D spoofing attempts, where a fraudster may try to bypass a selfie prompt with a photo of the subject they are trying to impersonate.
Furthermore, active liveness detection is leveraged when asking the user to complete a task that cannot be easily recreated by a spoof or imposter (e.g., blinking or following dots on a screen with your eyes).
Passive liveness detection, on the other hand, is performed with little to no user interaction (i.e., a user can take a selfie without having to move their head). This is because passive solutions have developed algorithmic processes that can recognize a presentation attack based on a single frame of biometric data. Since passive detection works in the background and requires no action on the part of the subject, it is considered the more seamless, user-friendly of the two methods, and typically takes less time to verify the user.
There is also a hybrid version known as semi-passive liveness detection, which requires one simple, less burdensome action from the user, like having them smile in order to be verified.
Presentation attacks to consider
As noted above, there are several different methods that hackers and fraudsters use to spoof the system, which are evolving at almost the same rate as the methods developed to thwart identity-based fraud attacks.
Depending on the sophistication level of the biometric scan being infiltrated, presentation attacks can involve 2D or 3D (i.e., photograph or video) spoofing, as well as mechanisms for modification or replication (changing one’s facial hair vs wearing a synthetic mask). The least sophisticated attacks will typically involve the fraudster trying to bypass a facial recognition scan with a photo or video of the intended subject.
However, there are several more savvy methods that involve a variety of masks (whether made of paper, latex, or silicone), which attempt to create a 3D rendering that exploits a certain weakness in a biometric scan. Fraudsters use the same synthetic properties for retina and fingerprint scans, with the level of sophistication usually matching the level of access or amount of money the fraudster is after, as more advanced methods of spoofing tend to be more expensive.
For fraudsters looking to bypass video facial scans, the emergence of deepfake technology has played a prominent role. Through deepfakes, a person’s digital likeness (down to their facial movements) can be replicated and superimposed, allowing hackers to pass as their victims. As the quality of deepfakes continue to improve, even the most advanced liveness detection solutions will need to push innovation further, to better decipher what’s fake from what’s not.
As we evolve into an increasingly digital — and potentially password-free — society, biometric scanning for identity verification may become the norm. And while there is no one-size-fits-all approach guaranteed to thwart every presentation attack, there are a variety of methods your organization can implement to help detect when an authentic user is present or not.
In particular, when user experience is thrown into the mix, creating as little friction as possible is advised, which is why many industries are prioritizing passive liveness detection, especially for use cases where speed and ease are of the essence, like someone checking into a flight.
Regardless of how an organization plans to implement biometrics into its user onboarding process, liveness detection will only play a larger role going forward as fraudsters keep exploring new ways to spoof the system.