What Is Liveness Detection? Preventing Biometric Spoofing

Javed Shah

Liveness detection is a biometric authentication process that verifies whether the user is a live person or just a spoofed artifact. Liveness detection is crucial in preventing security breaches and fraud in biometric systems–an increasingly real threat.

What Is Liveness Detection and Biometric Spoofing?

Biometric spoofing refers to deceptive biometric authentication attempts by presenting fake samples related to fingerprints, facial scans, or iris scans–a “presentation attack.” While biometric identification methods are significantly stronger than password-based systems, this does not make them invulnerable. Modern threats are evolving to bypass such protections. As such, many strong authentication requirements in compliance and regulatory standards require some form of liveness detection that can determine if the credentials presented are real.

In general, liveness detection methods can be classified as active or passive:

  • Active methods require user interaction, such as performing a specific action. For example, an active detection method might require the user to undertake some action, like smiling or speaking.
  • Passive methods work in the background without the user’s awareness. This method requires no direct interaction with the user.

Broadly speaking, active methods are typically harder to spoof but require more engagement with the user, which can impact usability. Passive methods are smoother and seamless but present more opportunities for fraud.

What Are Some Types of Biometric Spoofing?

Because different forms of biometric spoofing align with various forms of authentication, each attempt to address the specific weaknesses and opportunities of those methods.
As such, presentation attacks can target various biometric modalities, including:

Facial Recognition Spoofing Attacks

Attackers may use different techniques to deceive facial recognition systems. Some of the common methods include:

  • Print Attack: The attack uses a printed photograph of the target person’s face to trick the facial recognition system. This is one of the simplest methods and can be effective against less sophisticated systems (most of which need to be deployed in a context where they would protect important information).
  • Replay Attack: Hackers record a video of the target person’s face and play it back in front of the camera. This approach is often more successful than a print attack since it incorporates motion, which some facial recognition systems may require.
  • 3D Mask Attack: The attacker creates a realistic 3D mask of the target person’s face and wears it during authentication. This method can be more challenging to detect, but it’s equally challenging to do effectively without specific skills and equipment.
  • Deep Fake Attack: An attack uses a machine learning/AI program to create a video of the target’s face. Deepfake technology can create convincing facial movements and expressions, making it difficult for some facial recognition systems to differentiate between real and fake.

Facial recognition liveness detection techniques can include analyzing facial movements like blinking or verifying 3D depth information. Additionally, while there isn’t a consensus on how accurate deep fakes are, new technology from Intel can look for artifacts that signal that a video is artificial–rendering deep fakes relatively niche.

Fingerprint Spoofing Recognition Attacks

Fingerprint verification systems, while generally secure, can still be vulnerable to spoofing if appropriate countermeasures are not in place. Some of the common fingerprint spoofing methods include:

  • Fake Fingerprints: Hackers create artificial fingerprints using materials like gelatin that replicate the target user’s fingerprint pattern, often taken directly from a fingerprint. The fake fingerprint can then be placed over the attacker’s finger or a dummy finger to deceive the fingerprint scanner.
  • Latent Fingerprints: An attacker lifts a target user’s latent fingerprint from a surface using adhesive tape or other methods and then transfers it onto a material that can deceive the fingerprint scanner.
  • 3D-Printed Fingerprints: A sophisticated attack that involves someone creating a 3D model of the target user’s fingerprint using digital techniques and then 3D printing it with materials that mimic human skin properties. This method can create realistic replicas that can deceive some fingerprint scanners.

Countermeasures against these attacks include measuring finger skin temperature, moisture, or electrical properties to ensure the presented fingerprint comes from a live person.

Iris Recognition Spoofing Attacks

While iris recognition is generally considered to be a highly secure biometric modality, it can still be vulnerable to spoofing attacks if appropriate countermeasures are not in place.
Some of the common iris presentation attacks include:

  • Digital Iris Images: Displaying a digital image or video of the target user’s iris on a device screen, such as a smartphone or tablet, and presenting it to the iris scanner. This method can use different lighting and sharpness settings on devices to fool some biometric scanners.
  • Artificial Eyes or Contact Lenses: Creating an artificial eye or a custom contact lens with the target user’s iris pattern imprinted. These can be harder to detect if the contacts are created well.
  • Physical Eyes: Although a rare and extreme method, using a preserved cadaver eye with the target user’s iris pattern can also deceive the iris recognition system. It would require someone to steal the eye of a dead subject and use it relatively quickly to be effective, which may be its form of deterrence.

To defend against iris presentation attacks, defenders may use techniques like examining the natural movement and contraction of the iris, verifying light reflection patterns, or analyzing the unique texture of the iris surface.

How Is Liveness Detection Used in Identity Assurance Level (IAL) Verification?

Identity Assurance Level (IAL) is a classification system used by the National Institute of Standards and Technology (NIST) Special Publication 800-63-3, “Digital Identity Guidelines” to categorize the level of confidence in an individual’s asserted identity. These standards are often used to add layers of identity verification to processes involving sensitive government systems or classified data.

IAL2 is an intermediate level of assurance, the second of three levels. At IAL2, an individual’s identity must be verified through remote or in-person proofing processes, which involve validating and verifying identity information against trusted records and sources. Liveness detection plays a role in IAL2 by ensuring the integrity and authenticity of biometric data collected during the identity-proofing process.

Liveness Detection with 1Kosmos LiveID

LiveID is the cornerstone for how 1Kosmos BlockID delivers advanced biometric authentication. Our strong biometric-based identity provides flexible identity assurance and a passwordless experience. With LiveID, users provide a selfie video to the program that can be used as a biometric template for BlockID to verify liveness. This system meets IAL2 verification standards.

Alongside these advances, 1Kosmos BlockID also provides the following features:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.

Read our whitepaper to learn more about how BlockID with liveness detection can support real security and ensure compliance with eKYC.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.