Year in Review 2016: The Priority of Liveness Detection

In December we polled 165 professionals in biometrics and identity related industries about various topics from the past year. It was part of the FindBiometrics Year in Review, the longest-running and best regarded industry retrospective of its kind. Now in its 14th consecutive year, the FindBiometrics Year in Review is your resource to start 2017 off with your fingers on the pulse of biometrics and global identity management.

Previously having examined the nascence of consumer biometrics, dominant modalities, and the mainstream feel of the technology as a whole, it’s time to look at one of the important areas of improvement for the biometrics industry: liveness detection.

Liveness detection is an anti-spoofing (anti-presentation attack) measure built into a given biometric solution meant to identify whether the body part submitted for authentication is real. With adequate liveness-detection, a biometric system can resist break-in attempts made via fake fingerprints, masks, high definition pictures, and voice or video recordings. To gauge how important this kind of capability is in today’s biometrics landscape, we asked our survey respondents how much they agree or disagree with the following statement:

Improved liveness detection should be a priority for the consumer facing biometrics industry.

Here is what they had to say:

Only eight percent of our respondents disagreed at all with the statement, the remaining 92 percent agreeing that liveness detection should be a priority. We asked the same question of our survey respondents last year, and the agree to disagree ratio was similar. That main difference this time is about 10 percent who were in the blue “agree” category have become more emphatic, tipping the scales so that the 52 percent majority “strongly agree” that liveness detection on consumer-facing biometrics is a priority.

The Demand for Proof of Life

The demand for liveness detection in consumer biometrics is being stoked by researchers who are finding new ways to capture biometric data from users without their consent, which can then be used by bad actors to spoof the security on the victim’s given device. As of this writing, a researcher from Japan’s National Institute of Informatics is receiving a great deal of media attention for warning that fingerprints can be stolen from social media pictures featuring the peace sign. In 2016 similar headlines were made regarding other modalities – namely face and iris – when researchers used publicly available images to make fake biometrics for use in presentation attacks.

With adequate liveness detection, a biometric solution becomes closer to realizing its true potential. Biometrics, after all, promise authentication based on who you are, not what you have (whether that be a key, a device, or a fake fingerprint). If one can access your biometrically protected account or device by applying something they have, then the security has failed to achieve the promise of strong authentication. Furthermore, a solution that can boast robust liveness detection not only becomes more secure by nature, but also helps a user feel safe. A fingerprint sensor that can claim to tell the difference between your fingerprint and a fake one modeled after your vacation photo is sure to set a consumer market that’s anxious about cyber security at ease.

Where Are We Now?

The biometrics industry is already working towards the proliferation of liveness detection on a large scale, reflecting the enthusiasm of our respondents. Consumer-facing fingerprint biometrics in particular are evolving in an anti-spoofing direction quite rapidly. At the most recent CES event Goodix won an innovation award for its liveness-detection fingerprint sensor, which uses infrared light to scan tissue underneath the surface of a finger, and was launched on the ZTE Axon7 Max smartphone last year. Precise Biometrics, meanwhile, acquired liveness detection specialist NexID in late 2016, a move that stands to significantly address this problem considering how prolific Precise’s software solutions have become in the consumer mobile device space via its partnerships with sensor companies like Fingerprint Cards and Synaptics.

Beyond the fingerprint, vascular authentication solutions offer a built-in liveness detection of sorts, since vein-patterns aren’t possible to steal, and in many instances the technology requires that veins have blood flowing through them in order to be measured. Traditionally, vascular biometrics have been limited to vertical applications, but recent developments have seen palm-vein scanning optimized for tablets.

In the contactless space, iris biometrics seem slated to be the next big consumer modality in terms of popularity if rumors are true that Samsung intends to keep integrating the tech into its handsets. That being the case, ongoing programs such as the LivDet-Iris competition in which vendors put their anti-spoofing tech to the test are right-minded and stand to keep the fires of liveness detection innovation burning where irises are concerned.

The Multi-Factor Option

An increasingly popular method of addressing spoofing threats has been the combination of biometric factors. The multi-factor approach to authentication exponentially increases a solution’s level of security on a very basic level—if your bank account asks for your fingerprint and iris, but a hacker only has the former, they are out of luck. But in some cases, multiple factors have been proven to have a synergy that adds up to liveness detection. Face and voice biometrics are often combined for consumer-facing applications, and in more advanced instances of the technology can be used to check each other’s liveness. Sensory’s TrulySecure, for instance, can see how your face moves while you speak your passphrase in order to verify that your face is real and also the source of your voice.

The high priority of liveness detection is a good example of the state of the identity management industry: one that is approaching maturity and feels mainstream, but which also must be continuously evolving to best serve users. While anti-spoofing technology does exist and is seeing deployment, it is important to recognize that it is no longer just some special extra level of security, but an integral part of biometrics moving forward.