Why liveness detection is not enough to prevent spoofing threats
14 December 2022

Improving liveness detection and anti-spoofing systems has become a key goal in the biometric authentication industry. However, it's important for businesses to note that, when it comes to mitigating account takeover threats, liveness detection can sometimes create a false sense of security.

Europol has cited deepfakes as a potential “staple tool for organized crime,” and their advancement, along with the ease with which they can now be created, poses serious security threats for both businesses and individuals.

With biometric authentication becoming more ubiquitous in everyday life, the need to guard against deepfakes is driving discussion around enhancing the security and effectiveness of facial recognition technologies.

In this article, we will explain why liveness detection can sometimes be undependable when it comes to detecting anomalies and threats during biometric authentication.

What is liveness detection?

Liveness detection is an essential part of biometrics. Using AI-based techniques, liveness detection helps to verify that there is a real person behind the camera rather than a photograph, video, mask, or deepfake.

At present, liveness detection is used to help strengthen security and reliability during both identity verification and authentication processes.

However, while liveness detection can help strengthen security when applied correctly, it’s important to understand that it can sometimes create a false sense of security. The truth is, liveness detection on its own is not enough to ensure that the real person is authenticating.

According to recent reports, biometric spoofing threats are rising and could become increasingly scalable as hacking technology becomes more sophisticated.

Biometric Update recently reported that highly scalable biometric spoofing attacks are about to explode. These attacks use deepfake morphing attacks (otherwise known as deepfakes) that are “injected” directly into a victim’s device.

Finextra also reported that the Fincrime outlook for 2023 will include more deepfake threats as digital payments using technologies like Apple’s FaceID surpass credit card payments. According to the article, Jumio’s CEO Robert Prigge warned:

“Despite large investments in security and prevention tools, bad actors will continue to advance their techniques and hone in on a growing variety of digital fraud strategies such as synthetic identities and deepfakes.”

How to strengthen liveness detection

To eliminate the risk of spoofing threats, it’s important that biometric authentication solutions combine liveness detection with a secondary, strong authentication factor.

At Keyless, we strengthen the reliability of our biometric authentication solutions by combining liveness detection with device verification software, which runs device background checks to verify that a person is attempting to log in from one of their trusted devices (essentially binding a user’s device to their Keyless account). 

Unlike with solutions like FaceID, users can log in to multiple devices using Keyless facial recognition software. Bound devices can be linked and unlinked at the discretion of the customer, giving them more control over managing their identity online.

Biometric authentication solutions that combine liveness detection with a strong, second authentication factor, like device verification, are much more secure than those that rely on liveness detection alone or those that combine biometric challenges with knowledge challenges such as passwords, PINs, and OTPs (which can easily be compromised).

NB. The European Central Bank currently states that OTPs are a possession factor, but with a rise in OTP phishing attacks, we advise our customers to view them as knowledge factor authentication challenges.
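
The following is an added sketch, not Keyless code and not part of the original article, of the server-side decision described above: access requires both a liveness pass and a fresh challenge answered by a device bound to the account. All names are hypothetical, and HMAC over a per-device secret stands in for the hardware-backed device key a real deployment would use.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout. HMAC over a per-device secret stands in for
# the asymmetric, hardware-backed device key a production system would use.
def device_proof(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    def __init__(self):
        self.bound = {}    # (user, device_id) -> device secret
        self.pending = {}  # user -> outstanding one-time challenge

    def link_device(self, user, device_id):
        key = secrets.token_bytes(32)
        self.bound[(user, device_id)] = key
        return key  # provisioned to the device at enrollment

    def unlink_device(self, user, device_id):
        self.bound.pop((user, device_id), None)

    def new_challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def authenticate(self, user, device_id, liveness_passed, proof):
        challenge = self.pending.pop(user, None)  # single use, so replays fail
        key = self.bound.get((user, device_id))
        if challenge is None or key is None:
            return "deny: unbound device or no challenge"
        if not hmac.compare_digest(device_proof(key, challenge), proof):
            return "deny: bad device proof"
        if not liveness_passed:
            return "deny: liveness failed"
        return "allow"

def demo():
    v = Verifier()
    key = v.link_device("alice", "phone-1")  # constructed sample identifiers
    good = device_proof(key, v.new_challenge("alice"))
    out = [v.authenticate("alice", "phone-1", True, good)]        # genuine login
    v.new_challenge("alice")
    out.append(v.authenticate("alice", "laptop-x", True, good))   # liveness fooled, device unbound
    v.new_challenge("alice")
    out.append(v.authenticate("alice", "phone-1", True, good))    # stale proof replayed
    fresh = device_proof(key, v.new_challenge("alice"))
    out.append(v.authenticate("alice", "phone-1", False, fresh))  # bound device, liveness fails
    return out
```

In the second and third cases the liveness check reports success, yet the request is still denied because the device proof is missing or stale.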

Is passive or active liveness detection better?

Passive liveness detection requires no prompted action from a user. Instead, the liveness detection system looks for subtle cues in facial movement, such as eye and lip movement and blinking. Active liveness detection methods require users to consciously make physical gestures, such as looking from left to right or blinking. This is known as a "challenge-response" approach.

According to fraud.com, active liveness detection has been known to be easier to spoof, with hackers reportedly using realistic masks, photos, and deepfake videos to fraudulently bypass challenge responses. However, the debate around active and passive liveness detection effectiveness is a complex one, with strong arguments for and against both methods. 

Perhaps the biggest drawback to active liveness detection is that user experience becomes more arduous – while this may not be a problem when implementing authentication solutions in high-risk sectors like government, military, and aviation, challenge-response systems would undoubtedly increase friction during day-to-day activities, such as authenticating payments or unlocking your phone.

How does Keyless improve liveness detection?

At Keyless, we use offline passive liveness detection, which does not require any interaction with the user, nor does it require an internet connection (or, for more technical audiences, backend computation).

Our advanced biometric authentication systems use state-of-the-art deep learning models capable of detecting signals and patterns that can determine whether or not an image or video is fake.

Our advanced biometric authentication solutions, which have undergone rigorous testing and have been certified for commercial use by the FIDO Alliance, combine liveness detection with anti-spoofing techniques that detect the slightest obstructions and distortions in a multitude of environments, including in low light conditions.

“By achieving FIDO Biometric Component Certification, Keyless has demonstrated, through comprehensive testing by an accredited third-party lab, that its facial recognition technology can reliably authenticate users correctly, and detect various kinds of fraudulent authentication attempts.” ––  Dr. Rae Rivera, Director of Certification at FIDO Alliance.

Liveness detection cannot be used without a second, strong authentication factor

While liveness detection is a critical component of any facial recognition solution, it’s not a fail-safe when it comes to preventing spoofing and deepfake attacks that threaten to upend business operations and cause long-lasting reputational and compliance consequences.

To protect against a rise in biometric threats, it’s critical to combine facial recognition systems with an additional, strong authentication challenge such as device binding (device verification).

For more information on what Keyless can do to improve your business's security, schedule a free demo with one of our passwordless experts.
