The Authentication Reference

Your go-to place for authentication information

What is liveness detection? A complete guide

Consumer demand for biometric and facial authentication technology is growing, with the facial recognition market worth almost $4 billion in 2020 and only expected to grow in the next decade.

With biometric authentication tech making such significant strides toward ubiquity, it’s vital that developers keep up with bad actors who might want to exploit vulnerabilities in the authentication process. One of the ways developers safeguard biometric authentication is with a collection of verification techniques known as liveness detection. But how does liveness detection work, and is it effective in preventing fraud?

A refresher on biometric authentication 

For the uninitiated, biometric authentication and recognition technology describe any device or software meant to provide access to restricted devices by using a biometric source (e.g., a facial scan, retinal scan, or fingerprint) as an authenticator.

Apple’s FaceID and Touch ID are two common examples of this technology at work. Today’s smartphones can use a face check to allow users access to their devices without entering a passcode every time, making for a much more user-friendly experience.

Biometric authentication is popular for its convenience and efficacy, but, like any other authentication technology, it requires safeguarding from hackers and fraudsters. That’s where liveness detection comes into play.  

What is liveness detection? 

In bank heist movies, the actors work their Hollywood magic by using photographs, masks, and even fake fingers and eyeballs to open up biometrics systems on bank vaults. These specific kinds of anti-authentication attacks are known as presentation attacks or “spoofing,” and, like most things, they aren’t as effective in real life as the blockbusters would have people believe. 

In the real world, fraud prevention experts combat spoofing using liveness detection. Also known as “anti-spoofing” or “liveness checking,” biometric liveness detection describes a range of techniques used by authenticators to ensure that their technology is reading a true biometric source - for example, an actual eye, thumbprint, or human face rather than a false or recreated image of one. 

Criminals and defrauders are always looking for new ways to fool authentication technology, and that makes liveness detection a vital part of keeping data and other assets safe from unauthorized use. Liveness detection comes in a few different forms and, like the rest of the technological world, must constantly advance to keep up with new threats. 

Key takeaways

  • Liveness detection (LD) is used to defeat presentation attacks, a type of attack in which a fraudster uses a fake representation of a biometric input like a face.
  • Though LD helps make biometric authentication more secure, it has its weaknesses, such as spoofing attacks from deepfake technology.
  • Deepfakes can fool some types of liveness checks, meaning LD alone is not a secure enough authentication solution.

How does liveness detection work? 

There are a few popular ways that authenticators use liveness detection (LD) technology to combat presentation attacks. There are as many LD methods as there are spoofing attacks for them to counteract, but these are a few of the most common examples.

Active vs. passive liveness detection

There are three main forms of liveness checking available today: passive, active, and hybrid. Passive liveness checks occur in the background without the need for user input, such as a phone facial recognition system that scans for the user’s face as well as natural movements like blinking to verify authenticity. These checks are often considered to be a more frictionless liveness checking solution.

Active liveness detection, on the other hand, requires some form of user input, such as placing a thumbprint on a scanner or following on-screen directions like tilting the head or looking from side to side. Hybrid solutions combine the two for a visible but less intrusive solution. Because of their more UX-friendly functionality, developers typically opt for a passive or hybrid liveness detecting method when possible. 

Challenge and response 

Challenge and response is an example of an active liveness check. A challenge and response check will ask the user to respond to prompts like blinking, moving the head, smiling, and so on. The idea is to defeat false representations like 2D photographs or video replay by having the user prove that they are a live person.
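The server side of such a check, as an added sketch that is not Incognia's or any vendor's code: the prompt sequence is random per attempt, bound to the session, short-lived and single-use, so a recording made for one challenge does not satisfy the next. The prompt names, the 20-second lifetime and the `observed` list (what an assumed video analyser reports seeing in the capture) are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

ACTIONS = ("blink", "smile", "turn_head_left", "turn_head_right")  # assumed prompt set
CHALLENGE_TTL = 20.0                      # seconds a challenge stays valid (assumed)
SERVER_KEY = secrets.token_bytes(32)      # demo key, regenerated on every start
_used_nonces = set()                      # nonces that have already been answered


def _tag(ch):
    """HMAC over every field, so the client cannot edit the challenge."""
    msg = "|".join([ch["session"], ch["nonce"], ",".join(ch["prompts"]),
                    repr(ch["issued"])]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, now=None, length=3):
    """Pick an unpredictable prompt sequence for this session."""
    rng = secrets.SystemRandom()
    ch = {"session": session_id,
          "nonce": secrets.token_hex(16),
          "prompts": [rng.choice(ACTIONS) for _ in range(length)],
          "issued": time.time() if now is None else now}
    ch["tag"] = _tag(ch)
    return ch


def verify_response(ch, observed, now=None):
    """Return (ok, reason) for the action sequence seen in the capture."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_tag(ch), ch["tag"]):
        return False, "tampered"
    if now - ch["issued"] > CHALLENGE_TTL:
        return False, "expired"
    if ch["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(ch["nonce"])         # burned even if the answer is wrong
    if list(observed) != ch["prompts"]:
        return False, "wrong_sequence"
    return True, "ok"
```
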

Depth and motion perception 

When it comes to face recognition liveness detection, authenticators can use a 3D liveness check to map a user’s face and combat 2D spoofing attempts. 3D facial recognition can use depth perception to collect more information about facial expressions and subtle changes, making it harder for fraudsters to defeat. 

Algorithms & AI 

Many biometric authentication devices use algorithmic analysis to confirm whether a provided sample matches a preregistered sample. Biometric authentication improves with artificial intelligence and machine learning integration by automatically recognizing changes to an authorized user’s face, such as facial hair or glasses. 

Multi-modality 

Requiring multiple biometric inputs, such as any combination of facial, retinal, vocal, and thumbprint scans, is one of the most secure ways to use biometric authentication. A highly specialized attacker may be able to fool one biometric authenticator, but it’s doubtful they will be able to fool two or more in the same attack. 

Liveness detection and deepfake technology 

“Deepfakes” are videos in which an existing subject is digitally replaced with someone else’s likeness, often with the intent of committing fraud or spreading misinformation. Though some people make deepfake videos of popular actors for entertainment purposes, they can also be used to fool a liveness test. 

Security firm Sensity published a report this year explaining how they used deepfake videos to fool liveness checks in nine out of the top ten vendors’ identity tests. If an attacker is able to create a fake ID photo followed by a deepfake presentation attack, they can create fake accounts on a range of platforms, from crypto to dating to online banking. These phony accounts can then be used to commit other fraud attacks with less risk of consequences.

Deepfakes certainly pose a threat to liveness detection and facial recognition technology, but that doesn’t mean that there’s no way to defeat a deepfake presentation attack. 

Location and device intelligence represent one method for detecting deepfakes. In this instance, fraud detection professionals can compare real-time location with a user’s past location behavior for any suspicious changes. Device intelligence can also be used to detect rooted or jailbroken phones along with the use of emulators, which would increase the risk that a deepfake is in use.
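How those signals might be combined into a decision for one liveness attempt, as an added sketch that is not Incognia's product logic: the field names, weights, the 25 km radius and the sample coordinates are all constructed for illustration.

```python
import math

# Constructed sample: places where this user has authenticated before (lat, lon).
HISTORY = [(-23.5505, -46.6333), (-23.5614, -46.6559)]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess(attempt, history, near_km=25.0):
    """Return (decision, reasons) for one liveness attempt.

    attempt: dict with 'location' (lat, lon) plus optional boolean flags
             'emulator' and 'rooted_or_jailbroken' (hypothetical field names).
    history: the user's past authentication locations.
    """
    score, reasons = 0, []
    if attempt.get("emulator"):
        score += 3                        # camera feed may be injected, not captured
        reasons.append("emulator")
    if attempt.get("rooted_or_jailbroken"):
        score += 2
        reasons.append("rooted_or_jailbroken")
    if not history:
        score += 1                        # nothing to compare against yet
        reasons.append("no_location_history")
    elif min(haversine_km(attempt["location"], p) for p in history) > near_km:
        score += 2
        reasons.append("far_from_history")
    if score >= 3:
        return "reject", reasons
    if score >= 1:
        return "step_up", reasons         # ask for a second factor
    return "accept", reasons
```
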

Research also suggests that deepfakes cannot fool facial recognition software with depth perception, such as Apple’s FaceID. 

Biometric authentication offers businesses a combination of user-friendliness and security that many other methods don’t. It’s easy enough to forget a password, but the face, hands, eyes, and voice are all part of a person, meaning consumers won’t have to worry about forgetting them and locking themselves out of their banking app or any other critical account. 

However, trust is a prerequisite to the wide adoption of biometric authentication. Part of earning that trust is showing business owners and consumers that the technology is resilient against presentation attacks. 

The biometrics world is growing all the time, and some cybersecurity experts are already speculating about the possibility of a “password-free” future where biometrics replace alphanumeric passwords. 

Whether or not that vision comes to pass, biometric authentication is here to stay, which is why it’s essential that developers integrate a liveness detection SDK into any mobile or web app using biometric sources as an authenticator, and take the necessary steps to protect against deepfake and other presentation attacks.