Facial recognition technology is making many areas of life more convenient. People can now verify their identity without so much as a password or fingerprint. These technologies allow large numbers of people to access buildings without a key or breeze through airport security. But like any other privacy technology, facial recognition is a target for fraudsters, who attack it via spoofing.
The consequences of a successful facial recognition spoofing attack are often quite severe. Hackers can gain unauthorized access to secure buildings, homes or facilities. Bad actors can simply walk in and out without even picking a lock. This results in anything from confidential data theft to sabotage of critical systems and infrastructure.
Read on to learn about the most common facial recognition spoofing methods to be aware of and, more importantly, what you can do to detect and prevent them.
Two Most Common Facial Recognition Spoofing Methods
When facial spoofing takes place, it’s usually under the guise of what’s called a Presentation Attack. The Biometrics Institute describes it as facial recognition spoofing that occurs through illegally obtained biometric data, taken either directly or covertly from a person online or through hacked systems. Presentation attacks can take place in either of two ways: static 2D or static 3D attacks.
Static 2D presentation attacks use two-dimensional flat objects like photos, paper or masks. Facial recognition systems with minimal safeguards are surprisingly susceptible to well-produced 2D media. And more sophisticated 2D attacks use smartphone or tablet screens to flash images in sequence to mimic live movement.
Static 3D attacks take things a step further, employing 3D printed masks, sculptures or facial reproductions. This helps bypass more powerful recognition systems that rely on many facial data points or even movements. Some static 3D attacks even rely on robots that produce unique facial expressions.
Static 2D attacks are currently the more common method of facial recognition spoofing, because 3D attacks require more specialized technology. But as technologies like 3D printing and robotics evolve, organizations will need to develop safeguards against both tactics.
Guarding Against Facial Recognition Spoofing Attacks
Most anti-spoofing methods fall under the umbrella of liveness detection. The goal of liveness detection is to determine if a face is “alive” and real, or a false reproduction. It’s possible to do so in a variety of different ways.
Eye blink detection is one of the simplest – yet most effective – liveness detection methods. Replicating an authenticated user’s unique blinking patterns is almost impossible, even with advanced 3D presentation attacks. Eye blink detection observes patterns like blink intervals and the average time users’ eyes stay shut. If a fraudulent user doesn’t match those same traits, they’re denied access.
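The blink-interval and eye-closure comparison described above, sketched in Python as an added example (not code from the original article or from any product). It assumes an upstream detector already yields a per-frame eye-openness score; the frame rate, threshold, tolerance and enrolled profile are hypothetical values, and all signals are constructed.

```python
from statistics import mean

FPS = 30             # assumed camera frame rate
CLOSED_BELOW = 0.20  # assumed openness threshold (0 = shut, ~0.3 = open)

def extract_blinks(openness, fps=FPS, closed_below=CLOSED_BELOW):
    """Return (start_seconds, duration_seconds) for each run of closed-eye frames."""
    blinks, start = [], None
    for i, value in enumerate(openness + [1.0]):  # sentinel ends a trailing run
        if value < closed_below and start is None:
            start = i
        elif value >= closed_below and start is not None:
            blinks.append((start / fps, (i - start) / fps))
            start = None
    return blinks

def blink_features(openness, fps=FPS):
    """Mean interval between blink starts and mean closure time; None if under 2 blinks."""
    blinks = extract_blinks(openness, fps)
    if len(blinks) < 2:
        return None
    starts = [s for s, _ in blinks]
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    return {"mean_interval": mean(intervals),
            "mean_closed": mean(d for _, d in blinks)}

def is_live(openness, profile, tolerance=0.5, fps=FPS):
    """Accept only if each feature is within a relative tolerance of the enrolled profile."""
    features = blink_features(openness, fps)
    if features is None:
        return False  # a static photo or rigid mask never blinks
    return all(abs(features[k] - profile[k]) <= tolerance * profile[k]
               for k in profile)

def synth(blink_frames, closed_frames, total=300):
    """Constructed signal: eyes open (0.30) except for closed runs (0.05)."""
    signal = [0.30] * total
    for f in blink_frames:
        signal[f:f + closed_frames] = [0.05] * closed_frames
    return signal

# Constructed sample data: 10 seconds at 30 fps.
PROFILE = {"mean_interval": 3.0, "mean_closed": 0.2}  # hypothetical enrolled user
LIVE = synth([30, 120, 210], 6)        # blink every 3 s, eyes shut 0.2 s
PHOTO = [0.30] * 300                   # printed photo: eyes never close
REPLAY = synth([10, 40, 70, 100], 15)  # screen replay with a different rhythm

if __name__ == "__main__":
    for name, sig in (("live", LIVE), ("photo", PHOTO), ("replay", REPLAY)):
        print(name, "accepted" if is_live(sig, PROFILE) else "rejected")
```

Blink timing varies with fatigue and lighting, so a deployed check would tune the tolerance against its false-rejection rate and combine it with the other methods in this section.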
Going a step further, interactive live face detection provides even more security. Rather than relying on involuntary motions like an eye blink, interactive detection makes users perform certain facial actions. Also referred to as the challenge-response technique, it requires users to do things like nod, smile, or perform head movements. Criminals who don’t perform these actions exactly like the authenticated user will be summarily rejected.
3D cameras are a reliable and effective means of preventing 2D presentation attacks. 3D cameras capture precise pixel depth images, so they detect false 2D objects with ease. This renders even the most sophisticated smartphone facial replicas ineffective, in addition to photos and flat masks.
Finally, active flash is an advanced and promising technology that prevents both 2D and 3D attacks. A camera flashes light on the face and uses the reflection to determine if it’s real or a reproduction. Smartphone screens and photos reflect light differently than real faces, making active flash an effective technique. One drawback is that environmental lighting can have an effect on detection accuracy.
Outsmarting the Bad Intentions With Technology
While solutions to prevent facial recognition spoofing are growing, there is no single method to eliminate the risk altogether. The most appropriate technology will depend on each specific use case. Banking app users typically want quick access, for example, making challenge-response impractical. This might make active flash more appropriate. If the facial recognition camera is outside a building or home, a 3D camera with blink detection is a good solution.
However, as these technologies develop, criminals are constantly trying newer, more advanced facial recognition spoofing methods too. Hence, companies must understand how 2D and 3D presentation attacks work, and choose the right technology for their use case to keep those with bad intentions out.