GUEST POST: Without Spoof-Proof Liveness, Biometrics Will Never Replace Passwords

The following article is a guest post by John Wojewidka, Director of Business Development, FaceTec.

GUEST POST: Without Spoof-Proof Liveness, Biometrics Will Never Replace Passwords

Fingerprint, and all other biometric modalities on mobile devices, have failed to replace passwords because they lack spoof-proof liveness detection.

So why is liveness so critical to biometric authentication?  First, we will need some context:

A biometric spoof uses an inanimate reproduction of the correct user’s characteristics (like a photo or a video) to fool a biometric sensor.

Spoof-proof liveness detection must verify that enough unique physical traits are present during biometric data collection to prove the user is a real human.

Identification methods that rely on reproducible biometric data (e.g., face or fingerprint), and do not utilize robust liveness detection, will allow users to be impersonated, just like when a hacker knows their passwords.

The biometrics industry is consistently improving on traditional metrics like FAR and FRR, but effective liveness detection hardware has remained costly, difficult to build and bulky, explaining why even the latest smartphones still have fingerprint readers and iris scanners without any liveness detection.

Past attempts at solving the liveness problem with software have also been lacking. “Blink to prove liveness” is a method still used today in several face identification apps, but it can be easily spoofed by drawing skin colored eyelids onto a digital photo and simply toggling between the two, creating an eye-blink effect. Amazon even patented blinking on command to indicate liveness for eCommerce transactions (please see: https://goo.gl/rKdsqn) but doesn’t use it; possibly because it can be easily spoofed.

Of course, every mobile biometric on the market today has its advantages and disadvantages. For example, fingerprint sensors are well-suited to opening a device quickly, but environmental factors like temperature and humidity affect performance. Infrared iris scanners are also fast, but have problems in sunlight as well as with glasses, and can be spoofed when a contact lens is placed over a photo.  None of these methods, nor future hopefuls like retina or even DNA, inherently prove liveness.

In addition, because new mobile security methods will potentially impact billions of users, each must then be objectively tested, and the results measured and benchmarked.  For ZoOm®, our mobile 3D face biometric, we turned to Underwriters Laboratories (UL) and their comprehensive Presentation Attack Detection (PAD) evaluation process based on the emerging ISO 30107 standard.  ZoOm is undergoing UL’s PAD evaluation now and will be one of the first-ever PAD-tested biometric authenticators.

Users are demanding more from mobile biometrics as massive breaches and hacks continue to grow year over year.  Before we can increase security and fully replace passwords, we in the biometrics industry must strive to achieve the ultimate goal of spoof-proof liveness detection.

John Wojewidka is the Director of Business Development at FaceTec (EST 2013), a leader in intelligent biometric authentication.  Download the latest ZoOm® 3D Face Login demo (V5.1.2) from the official Apple or Google app stores by searching for “zoom login” to see how FaceTec addresses liveness.  You’ll be able to enroll, authenticate – and attempt spoofs – as many times as you like!