Biometric-based authentication is the future of access. From using your Aadhaar to avail rations to unlocking your phone via face/fingerprint, we live in a world where “you” are your password.
We've used biometrics for millennia. For example, a close friend's specific face, gait, and voice are biometric signatures that we instantly recognise. Today, we exist in a world where we are replicating our biometric intuition into automated digital security systems. The Achilles heel here is “spoofing”.
Spoofing is the act of duping a biometric authentication system into mistaking a replica of the person, for the real person. Technically called Presentation Attacks, spoofing is a real and growing danger, this could range from straightforward attempts like using a person’s digital photo to sophisticated 3D face masks.
You fall asleep in a taxi. After alighting, and after the taxi has left, you realise that you've left behind your mobile and your wallet. Can the taxi driver use a photo of yours to face-unlock your phone? Then, can the taxi driver install a lending app, use your ID to borrow money on your name into his account?
Face ID systems match our face with a reference image - this is called facematch. Facematch's conjoined twin is 'liveness' which prevents Presentation Attacks.
While determining the identity of a person, a biometric detection system
- Takes a biometric signature (for example the photo of a person’s face)
- Encodes the image into a biometric template containing unique pixel by pixel characteristics of the image (i.e.) the person’s face
- Prepares the template for comparison
- Retrieves reference data for comparison (such as a government-issued ID)
- Approves or rejects the authentication
There are several points in this flow where a malicious entity could corrupt the process (given in grey boxes). Predominantly, almost all of spoofing happens at step (a) - replay or synthesis input signal.
In popular imagination, the most obvious reason to spoof a biometric system is to steal some else's money. What is also very common is taking out a loan in someone else's name, or making a large purchase from someone else's credit card.
Liveness detection is the first crucial line of defence against spoofing. Gaining access into a system guarded by biometrics becomes impossible if the fraudster has to prove that he is a real person in front of the camera before presenting the spoofed biometric signature. A liveness detection system doesn't give the fraudster the chance to present your biometric signature if they don't prove their actual presence in front of the sensor.
A Liveness Detection System
A liveness detection system maybe easy to describe but hard to design, especially if it has to scale across users and use cases.
The coronavirus situation has catalysed the adoption of liveness detection in our lives to varying degrees. This ranges from asking people to switch on their video feed during a meeting to AI based authentication (aided by use of secondary data such as location and app usage behaviour).
For a practical liveness detection system that can be used for applications such as availing business loans, disbursing relief or even taking exams, it needs to fulfil three basic criteria.
- Technically robust
A livenesss system that is capable of distinguishing between a two-dimensional photo/video and an actual three-dimensional human face, is one that looks at the face as a whole image and takes every pixel in the image as an input, rather than just the relative location of eyes, nose, lips etc. This ensures that a lot of variations in the face can be handled seamlessly such as ageing, growth of facial hair, wearing a mask, or even burns.
2. User friendly
Traditional techniques require a person to perform gestures (‘smile’, ‘blink’, ‘turn left’, ‘track a point on phone’, ‘zoom-in’ etc). In reality, when a user is asked to perform those gestures, they may not fully understand the instructions causing poor UX, and resulting in lower conversion rates.
AI based liveness systems do not need to use 'gesture-liveness.' They can use texture instead. When a liveness system is presented with a picture of a face, can it tell if the picture is (a) of a person or (b) of another picture? It can, because the texture of natural skin captured in (a) is different from that in (b). This can be done so discreetly that the customer doesn't even realise that the system checked for spoofing.
If a liveness system has to work for 100s of millions of people, then it has to cater to markets where the vast majority of people own cheap Android phones (low camera quality) and data bandwidth is not consistent.
The Coronavirus case for Liveness
Attesting the liveness of an individual or business through methods such as Digital KYC and Video KYC will be a key part of everyone’s future. Given below are three examples of applications that will embrace liveness detection in the near future:
Education: Conducting Tests
While remote education has taken off, accredited testing has found it hard to cope with the coronavirus. Edtech startups can provide education, however, bodies that conduct and evaluate tests required for certification have not found many options outside of postponing exam dates.
In countries like India, when candidates cheat the system by sending a 'proxy candidate' in real life, the risk of mass impersonations in an online test environment is very real.
Liveness based technologies provide a way to remotely identify candidates and retain the integrity of the examination process.
International bodies such as the Graduate Management Admission Council (responsible for GMAT) and the Association of Chartered Certified Accountants have moved to conduct tests remotely. A candidate taking these tests will be monitored by someone through a live video feed assisted by a system of checks involving biometrics, artificial intelligence driven liveness, and recording.
Business: Financing MSMEs
Within the business ecosystem, MSMEs have been the worst hit. Although our government has moved swiftly to make significant funds available for small businesses, it should be wise to avoid the pitfalls of similar rescue missions that are failing abroad. A case in point is the US, which unleashed a vast amount of capital to assist small businesses, but is still struggling to distribute the capital on account of archaic manual processes.
However, it doesn’t have to be this hard. Countries like the UK are leveraging the expertise of lenders like Hitachi Capital to get capital to the ones that need it the most. The UK government is distributing loans through its Coronavirus Business Interruption Loan Scheme (CBILS) with partners like Hitachi by using a two-step verification system. AI-powered liveness cross-checks identification documents with a “live” video selfie on a web-based platform. Approval turnaround times have been reported to be as low as a minute. What's more, by leveraging liveness checks, fraudster with non-existent businesses or looking to spoof the identity of existing businesses are filtered from the process.
With over 6 crore MSMEs looking for immediate capital relief and the RBI directing the relief through a handful of government agencies, banks, and a few thousand NBFCs, automated liveness checks can ensure that businesses get relief and the quantum of Non Performing Assets due to frauds never occur.
Government: Providing Welfare
Apart from helping businesses, governments have more pressing larger-scale challenges to contend with: ensuring the poor have rations they need to tide over this period. A facematch+liveness check at a ration shop can improve the delivery system of rations by reducing impersonations.
Given the geographical distribution of hundreds of millions of people and the fact that we cannot use touch-based biometric data (because of social distancing), face biometric is the only solution. Not just Public Distribution Systems, all of the hundreds of government schemes that require ID check can be improved with facematch+liveness.
Even before COVID, some government bodies have used AI powered liveness in preventing spoofing in pension disbursal .
Liveness checks are here to stay
The great lockdown of 2020 has pushed us into a position where facematch+liveness systems will become crucial in remote identification. At HyperVerge, we recently enabled food delivery apps with AI based age and ID verification before purchasing alcohol on their platforms - a use case we hadn't imagined earlier in the year.
If your business or sector could benefit from a liveness detection system that has been proven at scale over millions of times, please get in touch with us! Unlike the unsuspecting prey of the mimic octopus in our cover image, agents who attempt to spoof your systems will not go unnoticed.