Keep Someone from Fooling Your Face Recognition with Facebook Photos
A few weeks ago, a presentation, given by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose of the University of North Carolina at Chapel Hill, documented the vulnerability of face authentication solutions. Five vendors were tested and every one of them failed using straightforward techniques and publicly available photos.
By presenting their findings, the University of North Carolina team has done consumers and companies a great service by continuing to draw attention to true security vulnerabilities. At the same time, it is possible to provide face authentication solutions that address this vulnerability while maintaining the convenience and fun that face authentication / recognition offers.
Even with more than 10 million licenses in the field, my company’s FastAccess solution was not one of the tested solutions. But it wouldn’t have fallen victim to their hacking methods because Sensible Vision’s approach makes detecting a faked face (Liveness Detection) unnecessary. Our face recognition approach is highly secure while also striking the proper balance between speed, convenience, and transparency.
Sensible Vision is now in its 5th generation of anti-spoofing/liveness technology. Our patented techniques offer the fastest speed for face authentication and the best available protection from photo and video attacks while critically addressing all the major known weaknesses of Liveness Detection face authentication schemes:
1. They can all be defeated, often with ease.
2. They don’t work under all conditions where people are likely to use them.
3. Most require 5-12+ seconds to operate, eliminating the speed benefits of biometrics.
Our approach uses two factors:
1. Something you are (your face)
2. Something you know (gesture/secret shape/pin/voice/fingerprint etc.)
And those factors are entered at the same time. A complete authentication takes just 1-3 seconds, making it by far the fastest method to prevent photo/video attacks. It’s also significantly more secure, providing all the proven and established benefits of Multi-Factor Authentication security without the added complexity and slowdowns common when using multiple factors.
All known liveness solutions have weaknesses and vulnerabilities.
The UNC presentation states that “several features could be added to these systems to confound our approach (of using publicly available photos to fool face recognition)”. They mention Light Projection, Pulse Detection, and Infrared Illumination. All security methods, in fact, are susceptible to being bypassed with enough time and effort.
1. Light Projection and Pulse Detection are highly dependent on both the proper camera and ideal lighting environments. These are very difficult parameters to control with different mobile devices and varying usage environments.
2. Infrared and 3D cameras work great with flat glass displays but are just as easily spoofed due to reflective differences of other materials. Ultimately infrared operation breaks down with a window or if they are used outdoors. The sun simply overwhelms the needed infrared detail.
SensibleVision has previously offered all of the Liveness Detection techniques included in their presentation, but has determined through millions of real-world interactions that our Simultaneous Multi-Factor Authentication approach is faster, more effective, and more secure.
Empowering the user by publishing known possible vulnerabilities
Offering a secure solution is not enough. Good security software publishes known vulnerabilities and provides solutions. In the case of Autodentity, SensibleVision documents the likely conditions under which photo access may be possible in its product Help files and FAQs, along with specific recommended solutions such as the use of Simultaneous Multi-Factor face authentication when an attack is likely.
If Liveness Detection doesn’t work, why do vendors push it?
Based on customer/partner testimonials and market research, we believe that most of the existing vendors providing face recognition and face authentication are not yet sensitive to the need for a truly fast and secure user experience. More often than not, fun, coolness, and speed trump security.