Active and Passive Liveness Detection:
Which one should you use for authentication?
Active or Passive Liveness Detection against Fraud
Online fraud and identity theft are still increasing in today’s world. Although many people consider the risk of becoming a victim of identity fraud to be low, statistics indicate otherwise. According to the U.S. Federal Trade Commission, which tracks fraud and identity theft complaints, there were 1.43 million identity theft complaints in 2021, as well as 2.8 million fraud reports. And these numbers refer to the U.S. only. This shows that the need for companies to ensure the protection of their customers (data) is extremely high. In addition, regulations such as GDPR, KYC, and AML all demand high confidence levels in data protection and fraud prevention. Biometric authentication with liveness detection is the most effective way to prevent spoofing, especially when it is used in unsupervised situations.
What is Liveness Detection?
Liveness detection is a software that distinguishes a live person from spoofing attacks like photos, masks, avatars, or deepfake videos. Scientifically, it is called presentation attack detection (PAD). This term refers to fraud prevention for biometrics in general, whereas liveness detection is generally used in face recognition services. Liveness detection should not require specific hardware, such as a 3D or infrared camera. Instead, one or two selfies taken by any standard camera are analyzed to determine the “liveness” of the person trying to authenticate.
Without liveness detection, a fraudster or attacker could use images, deepfake videos, or realistic (silicon) face masks to spoof the system in order to gain unauthorized access to their accounts or data. Liveness detection is therefore an essential element of a secure application. The most common methods to cope with the wide variety of presentation attacks are motion and texture analysis, as well as artificial intelligence (AI). Find out more about liveness detection for anti-spoofing.
Technically speaking, there are two different methods of liveness detection for authentication: active and passive liveness detection. To help you determine which method is best for you, we will explain both methods, highlighting the differences between active and passive liveness detection.
Active Liveness Detection & how it is used for Authentication
Active Liveness Check
Active liveness detection requires a user to intentionally confirm their presence by interacting with the system as part of the process (“I am not a robot”). In particular, BioID’s Active Liveness Detection requires only two images for analysis. The first image is typically captured immediately, while the capture of the second image is automatically triggered by a natural head motion. A natural head movement is an intuitive user interaction, just like “nod if agree”.
The use of motion-triggered image capture prohibits an attacker from presenting or swapping different photos, which would result in a non-smooth (i.e. “unnatural”) head movement. The active liveness detection technology, which is based on motion flow and artificial intelligence, now analyzes the movement between the two captured images, as a 3D face moves differently than a 2D photo, even when bent. It then decides whether the user trying to authenticate is “live” or “fake”.
Other techniques require the user to blink, smile, or track dots on the screen with their eyes. These techniques can either be vulnerable to simple attacks or lack user-friendly approaches.
The Benefits of Active Liveness Detection for Authentication
Active liveness detection has several benefits in terms of data security and privacy. Since the active liveness detection process is not possible without the consciousness of the user, active liveness detection is particularly suitable for services with a high focus on data protection and security in GDPR, KYC and AML scenarios that all require user participation. An active liveness detection assures that the user confirms with some opt-in action that they are acting knowingly and in their own free will.
For additional security and level of assurance, BioID offers an optional challenge-response technique. Here, the user is prompted to perform random instructions (e.g. turning the head in one specific direction). Only if these “challenges” are followed correctly, authentication is be deemed successful. Depending on the required level of security, challenge-response can be repeated. The more challenges are demanded, the higher the security level. Liveness detection coupled with challenge-response is a very powerful way to implement ‘user consent’, e.g. as required in GDPR.
Furthermore, when it comes deepfake protection, this method combined with virtual camera detection can help improve security substantially.
Passive Liveness Detection & its Benefits
Passive Liveness Check
Passive liveness detection is a fraud detection method that does not require any specific actions from the user. Typically, only one snapshot is taken and analyzed using artificial intelligence. The most common approaches are capturing entire videos of the session or flashing lights on the person for analysis.
The ease of the process and convenience for the user may sometimes undermine the user experience, and the user may be unaware of the image capture. The passive liveness detection process may run in the background with no indication that liveness detection is being performed. For services that place a high value on data privacy and GDPR, clear user consent or an opt-in action must therefore be put in place before carrying out the operation.
The Difference Between Active & Passive Liveness Authentication?
In summary, the difference between active and passive detection is that, unlike passive detection, which may run in the background, active liveness detection requires some user interaction. In terms of image capture, passive liveness detection requires only a single snapshot, whereas active liveness detection requires one or more snapshots taken from the video stream.
Active Liveness Detection
- requires user action to prevent attackers from using photos, deepfakes, masks, or avatars of the users to spoof the system
- is typically an approach that combines motion analysis and artificial intelligence with multiple images
- requires user consciousness and therefore is particularly suitable for services with a high focus on data privacy and security
- can be combined with a challenge-response mechanism for additional security and protection against deepfakes
- is particularly suitable for services with a high focus on data protection and security
Passive Liveness Detection
- does not require any specific actions from the user
- is typically based only on artificial intelligence, analysing only one single image of the user
- is possible without the user consciousness and may run in the background
- can be quicker and sometimes easier for the user since no action is required
- is particularly suitable for services with a high focus on a user-friendly experience
The BioID Liveness Detection with Anti-Spoofing
Based on the many years of experience of our Research & Development team in the field of biometrics and liveness detection, BioID offers the most advanced method for detecting presentation attacks by combining motion and texture analysis as well as artificial intelligence.
Find out more about BioID Liveness Detection here: https://www.bioid.com/liveness-detection/
BioID’s Liveness Detection is compliant with ISO/IEC 30107 for level 1 and 2 attacks, which has also been confirmed by two independent FIDO accredited biometric testing laboratories. Find out more about the process and standards for a liveness detection certification.
Since we do believe that actions speak louder than words, we offer the opportunity to try out our liveness detection on our BioID Playground, so you can see for yourself. You can also request a free trial instance to test our liveness detection APIs. Or contact us, for more information on liveness detection and other services that we offer.
+49 911 9999 898 0