With FaceTec having become the first company in the world to attain Level 1 certification for its authentication solution in iBeta’s Presentation Attack Detection evaluation program earlier this year, and having more recently seen that solution integrated into Jumio’s high-profile Netverify service, there was much to discuss in our latest interview with FaceTec CEO, Kevin Alan Tussy.
In Part One of his discussion with Mobile ID World Managing Editor Peter Counter, Tussy talked about the importance of liveness detection, the emergence of standards around this kind of technology, and the complexity of evaluating such systems. Now, in Part Two of this in-depth interview, Counter and Tussy delve into the issue of how high to set the standards for evaluation – a matter of great importance, given the growing need for strong liveness detection in today’s security landscape. And they talk about the importance of education when it comes to the once-esoteric world of biometric technology, with FaceTec having just published a very comprehensive and accessible white paper breaking things down for security-conscious individuals in need of some clarification about liveness detection and standards testing.
Read Part Two of our interview with Kevin Alan Tussy, CEO, FaceTec:
Peter Counter, Managing Editor, FindBiometrics & Mobile ID World (MIDW): It’s interesting how it does take a great deal of imagination to try and test these kinds of things. The iBeta test specifically has about 1500 individual spoof attempts where they try to break an authenticator. And just the idea of trying to come up with that many different ways to try and break a security system seems like a daunting mental task, let alone when it comes to physical implementation. And on top of that they have to prove that it still positively authenticates at the end of it.
Why is it important to set such high standards in biometric authentication? You mentioned that many vendors have tried this test and I think that some people have complained that it is too rigorous for consumer authentication. What are the risks of relaxing the testing?
Kevin Alan Tussy, CEO, FaceTec: Well, simply put, the iBeta test mimics the attacks an authenticator will face in the wild. These days social engineering and phishing are often the path of least resistance for the bad actors to gain access to accounts. The ISO standard takes these threat vectors into account, while in the past most biometric vendors haven’t. They assumed that users’ biometric data, of suitable resolution and quality to fool their system, was not available publicly, or couldn’t be captured in a nefarious way. So to keep myself secure, I’d have to make sure I wear gloves everywhere, or not touch anything, and make sure nobody gets a close-up photo of my face or even my hand, like what happened to a German government official. This isn’t practical, it doesn’t work in the real world and it’s irresponsible for companies to expect users to act this way. However, if an authenticator has robust Liveness Detection it doesn’t matter if your photo is up on Facebook or you have a video on YouTube, or you’ve got fingerprints on your phone screen or the water bottle that you just drank from.
For most people the only biometrics they have ever used are decentralized fingerprint sensors, meaning the biometric data is stored on the device and 99 percent of the security is provided by the fact that the bad actors don’t typically have access to the device. There are billions of fingerprint sensors in use, but they have zero Liveness Detection. Gummy bears fool them… When used for convenience on a device that hackers don’t have access to, this is an acceptable risk for most people.
The real issue comes when biometrics are used for unsupervised authentications in centralized systems, similar to how passwords are used. No specific device is required, and bad actors could potentially gain access from any device. This is when Liveness Detection is critically important, and it’s why we have seen many decentralized biometric sensors proliferate, but almost no centralized biometric systems are in use. It all comes down to Liveness Detection.
The authors of the ISO standard clearly understand this, and it’s why the iBeta test ensures proof-of-life at the time of matching.
In our spoof lab at FaceTec we have many tens of thousands of different physical spoof artifacts that we’ve printed, built or bought. We have 3D printed masks covered in makeup, masks made from the scans of user faces, and we’ve trained our algorithms at Madame Tussauds Wax Museums. This is the level of commitment that it takes to achieve a Level 1 certification. For us it took about four years of data collection, and we still have spoof attempts coming in from testers all over the world. Hundreds of millions of face frames from spoofs and real people from 158 countries – all different ages, ethnicities, genders, skin tones, and every combination of those we can get. That’s what it takes to train an algorithm that’s intelligent enough to know when it’s looking at a real live person and when it’s not.
As humans we take it for granted, because we are so great at identifying whether or not we are looking at a photo, a video or a real human being. In Hollywood it’s called the Uncanny Valley. Studios spend millions on special effects to create a Jar Jar Binks-type character, but you still get this feeling that it’s just not right – that’s the Uncanny Valley. Humans are very good at deciphering natural from synthetic, and we’ve trained our ZoOm algorithms to be as good as the best people are, and much, much better than the average person is at identifying human liveness traits from video frames.
To make ZoOm work, we look at about 50 different human liveness traits. These include reflections in the eyes, texture of the skin, texture of hair and eyebrows. And we look at micro movements in the eyes and eyelids, and we look at the 3D depth of the face with our patented ZoOm motion. This allows us to map the depth of the face based on the perspective distortion that the camera is seeing.
There are many, many layers to the liveness algorithms we’ve created so that they work on mobile phones, tablets and webcams, just like passwords would. No one has ever had to ask if your device supports passwords; of course it does, passwords are universal and this is why they persist. At FaceTec our proprietary 3D FaceMaps also work cross-platform and cross-device, making them a suitable replacement for passwords. By cross-platform and cross-device, I mean that I can get access to my bank account by enrolling on a laptop; I simply look at the camera and perform a quick ZoOm session. The resulting 3D FaceMap is encrypted on the device and then uploaded and stored securely on a server. Later, when I want to access my account from my smartphone, I can do so easily using the FaceMap I previously enrolled in from the laptop. Same goes for if I break my phone and get a new one, or I want to add a tablet. When considering all of these factors, ZoOm is about as universal, secure and frictionless as biometric authentication can get.
Read the new FaceTec White Paper: Standardized Anti-Spoof Testing – Cutting through the hype and finding integrity in biometrics
MIDW: There’s something so intriguing about teaching a machine to recognize the Uncanny Valley. It’s fascinating. Going back to the white paper. Producing a white paper indicates that educating your clients and the public is a priority in this area for you. Why is education about biometrics so important right now?
Kevin Alan Tussy, CEO, FaceTec: Yes, it is indeed very intriguing. Just think about the “Reverse Turing Tests” well known to us all as “CAPTCHAs.” For decades we’ve been trying to prove to the computer that the user is really human. They eventually devolve into a cat and mouse game with the bots and have to be changed, but with biometric Liveness Detection we have made such a giant leap past CAPTCHAs that bots have no chance, and we’ve added user identity verification as well.
As far as education goes, I think more OEMs will move towards using 3D face authentication to unlock smart devices, and with that educating the public and the media on Liveness Detection becomes quite important. But we know the media will always sensationalize biometrics, and all the users really care about is getting solutions to the password problem that actually work. It’s up to the organizations who choose what authenticators consumers will have access to, to make wise selections… And to do that they must know the differences between on-device and server-side, decentralized and centralized biometrics. They need to understand the difference between 3D depth detection and Liveness Detection, and they need to know that standardized anti-spoof testing exists and that they should demand certified solutions.
As we now move into this new age of ubiquitous biometrics, we need everyone to understand that Face Authentication is not “Facial Recognition”. Very few people can actually tell you the difference, and we need to ensure that regulators don’t conflate face authentication, which protects user privacy, with facial recognition, that could potentially compromise it.
I think that as we continue to reach the users, people will start to see the difference between what they are allowed to do with a fingerprint or with a ZoOm. With a fingerprint reader I might be able to check my balance, but with ZoOm I could instantly wire $10,000, or I might be able to get a new mortgage from my couch. So many of the businesses that are coming up now – the challenger banks, the sharing economy services – they don’t have branches where customers can show up in person and shake the manager’s hand and show them their ID. They need to be able to trust an unsupervised biometric authentication to create that trust for them. They need a biometric authenticator that can stop phishing and complicit user fraud, and that is exactly what the ISO standard is saying.
We know that more education is needed because we hear a story like this from almost every inbound lead: “Our Marketing Department said: We love the XYZ face login solution. It’s so easy, the users just blink and they get in!” And then the Security Department does some testing and says: “We can’t roll this out. We’ll get robbed blind.” As a result, they go looking for a new vendor like us. It’s unbelievable how much inbound we get from organizations who have done internal spoof testing against some other biometric vendor. These organizations are our biggest and best customers. So while much of the biometrics industry’s sales rely on lies of omission, at FaceTec education and transparency are our biggest sales tools.
But it’s not enough for us just to educate, we have to provide a product that works so well that organizations will deploy it. When you see something like Face ID, it took an enormous investment from Apple, a thousand engineers working for many years to build a specific piece of hardware that provides 3D depth so that it wouldn’t be fooled by a photograph. But Face ID is a decentralized on-device solution, it’s not cross-device or cross-platform. The biometric data is still locked in the device and the upside is severely limited. Once users finally get a secure centralized biometric authenticator they will understand why certified Liveness Detection and server-side matching are both required to replace passwords.
MIDW: It’s such a huge paradigm shift. It’s kind of amazing that you have clients who now know the importance of Liveness Detection because five years ago we didn’t even have biometrics on our phones at all!
Kevin, thanks for taking the time to talk to me today and congratulations on your white paper, your certification, and everything else happening with FaceTec.
Kevin Alan Tussy, CEO, FaceTec: Thank you Peter, we love talking to you guys, thank you for taking the time.