The rapid global adoption of biometrics for identification and access management by organisations of all sizes clearly indicates they are here to stay. Yet, until 3D face authentication technology became available in late 2017, 2D face recognition that matches two images was all that could be obtainable. 2D face recognition vendors promised security but without any proper third-party testing available, it was left to each organisation to perform their own due diligence.

The main issue is the vast majority of 2D liveness detection deployments on the market today can be easily fooled. Many so-called liveness checks are not secure. Asking a user to blink, smile or nod their head can all be replicated using photos, video playbacks, masks and even using AI models. These methods can simply bypass virtually all liveness check systems, especially when it comes to the digital onboarding process.

In today’s social media world, how to defeat a high-value system disseminates via dark web forums, creating a fraud nightmare for any company that has implemented sub-par liveness technology.

The advantages of 3D face mapping technology in fighting fraud

Without the sophistication of new 3D face-mapping technology, the 2D face recognition solutions have rarely seen any large-scale deployments, and those that have gone live - have still been plagued by fraud. A number of new digital only banks are suffering large-scale fraud attacks on a daily basis because fraudsters have found it far too easy to circumvent these systems with fake passports and stolen photos.

Identity theft is still the largest fraud practice and it is very hard to prove that an ID document captured via a camera is 100% genuine, so the only thing left to rely on is capturing a person’s face. That is where the problem lies for checking whether a person is truly real.

3D face-mapping contains 100 times more data points than a 2D photo, and are required to accurately recognise the correct user’s face while concurrently verifying their human liveness. This liveness check is especially critical in unsupervised authentication scenarios such as confidential account access management and high-value mobile transactions. It must be proven in real-time that the person requesting access is actually the correct user, not just a representation.

Proper third-party testing and certification is vital

The biometrics industry faces a reality check and a major challenge because many vendors have not fully solved the spoofing issues as they claim. Many software providers have not been independently verified and thoroughly tested by third party accredited testing labs such as NIST or iBeta. Moreover, until the NIST-certified, ISO-guided iBeta test, there was no recognised standard for performance claims and no transparency.

All buyers should be aware of these vulnerabilities and demand vendors have the viability of their anti-spoofing performance tested by third parties before they use them to secure their applications.

Without a validated ISO 30107-3 certification against cooperative user fraud, a system is not secure. It is not all about matching algorithms either, because there are minimal differences between the top and bottom performance levels. It is mainly about the number of data points and signals that can be attained during the capture process. That is where a 3D face map is stronger and nearly impossible to break.

Key distinctions to address

Some businesses are often unable to distinguish a modified recognition product from a true authentication solution, despite fundamental differences between the two. Some vendors are all too willing to overlook this which leaves customers and users with a false sense of security and unknown levels of risk.

However, biometrics development has begun to gain momentum, particularly for AI-driven applications, and significant gains in usability and security performance have not only raised the bar, but have begun to expose critical weaknesses in many of the legacy solutions in use today.

Businesses seeking biometric authentication technologies are rarely subject-matter experts, and without recognised standards and independent third-party verification they have little to go on when attempting to assess what biometric solutions will provide high-performance, long-term security for their particular use cases. 

Understanding the differences

The terms “recognition” and “authentication” are often used interchangeably by those not familiar with the differences. Authentication identifies a correct user through image-matching, but also concurrently verifies them as a real, live human. This has only recently been made possible by significant, AI-driven abilities that can observe numerous living human traits and characteristics in real-time and concurrently.

To understand the true nature of biometric authentication, it is a security process that relies on the unique biological characteristics of an individual to verify that a person is who they say they are. Biometric authentication systems compare a live biometric data capture to a stored, confirmed authentic data, held in a database or cloud. If both samples of the biometric data match each other, authentication is confirmed. But now, just matching captured selfies is not enough and more data reference points are needed to be assured there is not a representation or spoofing attack. 

Typically nowadays, biometric authentication is used in many scenarios, such as access to physical and digital resources; for example buildings, rooms, computing devices, mobile smartphone, and online accounts.

Systems that are sanctioned by a third-party certification have become vitally important nowadays because fraudsters are increasingly getting more sophisticated themselves in defeating authentication processes. Today, many biometric vendors have claimed they have solved spoofing or penetration attacks, but these claims are not backed up by any independent third party testing accreditations.

The importance of true liveness detection for authentication can become lost in the noise. One of the main challenges ahead is educating markets about what constitutes the integrity of a biometric system, including how to apply best practices for liveness detection.

The crucial role of biometrics in payments

Biometric technology is now playing a significant role in payments. Verifying all transactions in a two-factor process now falls under the remit of Strong Customer Authentication (SCA) within the scope of the EU Payment Services Directive 2 (PSD2). PSD2 is specifically designed to make payments more secure. However, both users and businesses alike will need to trust biometrics in the SCA process. If a biometric modality can be easily spoofed, then that could lead to a serious breach of the regulations, fines and a damaged brand reputation.

Crucial deadlines for the RTS-SCA to be met

The deadline for compliance with SCA is set for 14th September, 2019. If banks and ecommerce operators cannot rely on biometrics being as robust and unbreakable as possible, particularly with regard to high risk transactions, widespread adoption could hinder the whole biometrics industry if there are flaws in the technology which of course fraudsters will exploit.

However, there is far more pressing deadline and by 14th March 2019, banks must have their ‘dedicated interface’ (open APIs) ready for testing by PISPs and AISPs. In the Regulatory Technical Standards, (RTS) article 33.6 states that banks which aren’t ready for testing by this time must instead provide a ‘contingency mechanism’. 

Why take the risk?

Businesses live the cat-and-mouse security game and pay for it every day, but most are still unsure how to effectively use biometric technology because biometrics are still largely a “black-box” technology, poorly understood even by those who claim to be experts. Until the NIST-certified, ISO-guided iBeta test, there was no recognised standard for performance claims and no transparency.

Fully research the market

Therefore, considering what is at stake, this means with less than a few months to go, businesses must be ensure they fully research the market for the best fool-proof biometric modalities and liveness detection vendors that have been properly certified. Don't be fooled yourselves with all the wild claims that are banded around the industry. The outlay for putting things right in the future will be enormous if inferior biometric and sub-par systems are installed.

FaceTec's ZoOm 3D Face Authenticator solution is currently the only face bio product that has been awarded an iBeta/NIST/ISO 30107-3 global standard certificate for true liveness detection and anti-spoofing.  For more information, please contact me.

I am a regular speaker at biometric, fintech, banking and payment events. Contact me if you would like a presentation for your event.