Over the past decade we’ve had numerous reminders of the weaknesses of passwords, yet we still continue to rely on them for digital security. Just consider the Compilation of Many Breaches (COMB), the largest data leak to date in which more than 3 billion unique sets of login credential were shared online, and it’s easy to realize why passwords are quickly becoming a relic of a bygone era.
So it’s no surprise that over half (51.7%) of Americans prefer biometric authentication over passwords. Facial recognition portals increasingly protect our digital payments and physical access control; iris recognition is used for national ID programs and defense; speech verification is used for multi-factor authentication (MFA) by phone and by disabled persons to access a multitude of applications securely; and fingerprint scanners continue to be leveraged for personal hardware protection, door access and border identity control.
As the world steadily moves toward a more biometrically secured digital environment, these systems must be paired with advanced anti-spoofing to ensure faces and voices don’t become as hackable as passwords. While a hacked password can have negative consequences, it can be changed within seconds — someone’s face, not so much. Companies at the forefront of biometrics innovation must pursue anti-spoofing as a non-negotiable component or risk eroding confidence in biometric security as a whole, and in consequence, its adoption.
The dangers of spoofing
We can think of spoofing as impersonation and, just as with passwords, we’re rapidly seeing much more advanced methods of spoofing taking place. Deepfakes now enable the creation of false videos and speech in a credible, realistic format. Voices can be digitally synthesized with software anyone can buy and fingerprint scanners have had to advance meaningfully to adapt to battle a variety of spoofing methods.
The core of all anti-spoofing technology is detecting liveness, to determine if the input media being analyzed is that of a real person, and the right one. Different biometrics technologies carry out this verification in their own respective ways, each employing a growing array of detection methods that ensure spoofing attacks are identified quickly and efficiently, across use cases.
Facial recognition spoofing threats
There are three main ways imposters are attempting to spoof facial recognition systems today. The least sophisticated approach consists of placing an authorized individual’s photo in front of the camera. Almost any recent solution will detect the absence of facial movement. Showing video instead of a still picture is the next logical attempt, but depth-sensing cameras easily detect the subterfuge, which is why we occasionally see the use of sophisticated 3D masks that show the facial features of the authorized individual in a realistic shape.
Facial recognition has an advantage over other biometric identification technologies in that it can be performed as well with simple 2D webcams or security IP cams as it can with sophisticated 3D cameras equipped with the latest laser or infrared technologies. Specific use cases or constraints as varied as cost, location, form factor and speed inform camera decisions that directly impact the availability of anti-spoofing options and their performance.
Two-dimensional cameras can catch spoofers through interactive measures such as performing a set of motions randomly chosen by the access computer before being granted access, as well as non-interactive measures which are unique to each solution provider and its artificial intelligence (AI) algorithm.
Three-dimensional cameras on the other hand, perform depth detection, precisely identifying a spoofing attempt within a few milliseconds. Three-dimensional cameras generally provide a superior experience, but they are costlier, while 2D alternatives can also provide accurate anti-spoofing at a fraction of the cost, wherever a small delay is acceptable. Costs and size of 3D cameras are rapidly going down and a new generation of time-of-flight sensors can be attached to 2D installations, adding depth detection at a fraction of the cost of new 3D devices. The development and availability of inherently superior 3D-based solutions has grown massively in recent years and has made this technology very accessible.
The more advanced attack method, use of a physical 3D mask, requires a software-based defense. Advanced facial recognition systems leverage AI anti-spoofing technology to analyze for natural facial movements and determine whether the face in front of the camera is displaying expressions or emotions as a natural human face would. Facial recognition engines process such a massive amount of data that even a well-made 3D mask has many tells in the form of highly specific facial vector data that contrasts to that of a real human face. In this relatively new field, tests that hold facial recognition software to rigorous anti-spoofing standards are available and help in choosing a secure solution.
Iris recognition anti-spoofing
Attempting to pass an iris recognition solution can range from simple presentation attacks like using a photo of an accepted iris, to more advanced techniques such as the use of cosmetic contact lenses or an artificial eye duping the iris patterns of an accepted individual. Researchers have even found that using the eyes of a deceased individual can pass many iris recognition solutions within a few weeks of the individual's passing.
To protect against these advanced attack methods, many iris recognition solutions integrate both sensor-level (hardware) and feature-level (software) defenses. Sensors seek to capture specific elements that can differentiate a live eye from a fake or deceased eye. These include seeking out proof of organic properties such as tissue, fat and blood within the eye, or the pupil’s natural response to triggers like light.
Defending against the use of cosmetic contact lenses continues to be the point of the most research in the space as it’s extremely challenging to detect when being used on a real eye. Recent studies have investigated new anti-spoofing methods that can measure the depth of different parts of the eye, as well as reflective techniques which observe how light reflects against the eyes with or without cosmetic lenses.
Speech verification spoofing attacks
Speech or voice spoofing attempts typically fall within the following categories: recording or replay, speech synthesis or voice conversion. In all these cases, digital tools are leveraged to either capture, create (in the case of deepfakes) or adjust a real human voice. Thankfully, doing so leaves minute evidence that advanced systems can recognize.
To detect liveness and protect against replay attacks, speech verification engines can leverage trained neural networks to analyze the vocal features and pick up on the evidence of digital tampering that is invisible to the human ear. A growing library of standard datasets and metrics are aiding the industry in creating engines that can more accurately compare live human voices to those tampered with in any way.
Fingerprint scanning anti-spoofing
Fingerprint scanning is known as the least secure of the biometric technologies available today, yet it remains the most popular in adoption thanks to its relatively minimal hardware requirements and lower cost to deploy. The wide use of fingerprint scanners globally makes secure anti-spoofing an equally critical consideration.
Fingerprint spoofing is most frequently attempted by creating an artificial clone of the target fingerprint. Early fingerprint scanners were easily bypassed with these attempts, however escalating research in the field has yielded several advanced anti-spoofing features that can be divided into hardware-based and software-based approaches.
Hardware-based approaches analyze the temperature and electrical properties of the finger to assess liveness. Software-based approaches leverage techniques closer to those discussed in speech verification where the software detects for specific traits of liveness. For fingerprints, these include sweat pore and perspiration detection, skin-formation detection and image-quality detection.
Setting an industry precedent
Biometrics are inarguably the future of modern security thanks to their incomparable accuracy. However, their adoption has not come without reticence and it’s critical to recognize and address that anti-spoofing is core to widespread adoption of biometric security tools.
Huge resources are being dedicated to research in this field, yet a lack of regulations in the industry means private companies selling biometrics solutions can implement as much or as little anti-spoofing protection as they like.
The biometrics industry must commit wholeheartedly to the continual improvement and implementation of anti-spoofing features since the password hackers of today are already becoming the biometrics hackers of tomorrow. It’s critical that the industry remains steps ahead so the world can continue to benefit from the incredible security capabilities that biometrics offer.