Active and passive liveness detection – which one should you use for authentication
Active or passive liveness detection to protect from fraud?
Online fraud and identity theft are still increasing in today’s world. Although many people consider the risk of becoming a victim of identity fraud to be low, statistics indicate otherwise. According to the U.S. Federal Trade Commission, which tracks fraud and identity theft complaints, there were 1.43 million identity theft complaints in 2021, as well as 2.8 million fraud reports. And these numbers refer to the U.S. only. This shows that the need for companies to ensure the protection of their customers (data) is extremely high. In addition, regulations such as GDPR, KYC, and AML all demand high confidence levels in data protection and fraud prevention. Biometric authentication with liveness detection is the most effective means to prevent spoofing, especially when it is used in unsupervised situations.
What is liveness detection?
Liveness detection is a software distinguishing a live person from spoofing attacks like photos, masks, avatars, or videos. Scientifically, it is called presentation attack detection (=PAD). This term refers to fraud prevention for biometrics in general, whereas liveness detection is generally used for face recognition. Liveness detection should not require a specific hardware, such as a 3D or infrared camera. Instead, one or two selfies taken by any standard camera are analysed to determine the “liveness” of a person trying to authenticate.
Without liveness detection, a fraudster/attacker could use a photo, video or (silicon) mask of a person to spoof the system in order to gain unauthorized access to their accounts or data. Liveness detection is therefore an essential element of a secure application. The most common methods to cope with the wide variety of presentation attacks are motion and texture analysis as well as artificial intelligence (AI). Find out more about BioID’s liveness detection for anti-spoofing.
Technically speaking, there are two different methods of liveness detection for authentication, active and passive liveness detection. To help you determine which method is best for you, we will explain both methods, highlighting the differences between active and passive liveness detection.
What is active liveness detection and how is it used for authentication?
Active liveness check
Active liveness detection requires a user to intentionally confirm his or her presence by interacting with the system as part of the process (vis-á-vis “I am not a robot”). In particular, BioID’s active liveness detection requires only two images for analysis. The first image is typically captured immediately, while the capture of the second image is automatically triggered by a natural head motion. A natural head movement is an intuitive user interaction just like “nod if agree” etc.
The use of motion-triggered image capture prohibits an attacker from presenting or swapping different photos, which would result in a non-smooth (i.e. “unnatural”) head movement. The active liveness detection technology, which is based on motion flow and artificial intelligence, now analyses the movement between the two captured images, as a 3D face moves differently than a 2D photo, even when bent. It then decides whether the user trying to authenticate is “live” or “fake”.
Other techniques require the user to blink, smile, or track dots on the screen with their eyes. These techniques can either be vulnerable to simple attacks or lack of user-friendliness.
The benefit of active liveness detection for authentication
Active liveness detection has several benefits in terms of data security and privacy. Since the active liveness detection process is not possible without the consciousness of the user, active liveness detection is particularly suitable for services with high focus on data protection and security, in GDPR, KYC and AML scenarios, that all require user participation. An active liveness detection assures that the user confirms with some opt-in action that he/she is acting knowingly and of his/her free will.
For additional security and level of assurance, BioID offers an optional challenge-response-technique. Here, the user is prompted to perform random instructions (e.g. turning the head in one specific direction). Only if these “challenges” are followed correctly, the authentication is successful. Depending on the required level of security, challenge-response can be repeated. The more challenges are demanded, the higher the security level. Liveness detection coupled with challenge-response is a very powerful way to implement ‘user consent’ e.g. as required in GDPR. Furthermore, when it comes to protecting against deepfakes, this method combined with virtual camera detection can help improve security substantially.
What is passive liveness detection and what are the benefits?
Passive liveness check
Passive liveness detection is a fraud detection method that does not require any specific actions from the user. Typically only one snapshot is taken and analysed using artificial intelligence. Most common approaches are capturing entire videos of the session or flashing lights on the person for analysis.
The ease of the process and convenience for the user, may sometimes undermine the user experience, that the user may be unaware of the image capture. The passive liveness detection process may run in the background with no indication that liveness detection is being performed. For services that place a high value on data privacy and GDPR, a clear user consent or an opt-in action must therefore be put in place before carrying out the operation.
Passive liveness detection can be fast and more convenient in terms of usage, as no specific action is required from the user. However, clear terms of use and/or instructions, should be provided to avoid unnecessary disputes or concerns, or higher error rates, making the service appear to pay less attention to user privacy and consent. Furthermore, step-up security techniques such as challenge-response might not be possible with passive liveness detection.
What is the difference between active and passive liveness authentication?
In summary, the difference between active and passive detection is that unlike passive detection, which may run in the background, active liveness detection requires some user interaction. In terms of image capture, passive liveness detection requires only a single snapshot, whereas active liveness detection requires one or more snapshots taken from the video stream.
Summary
Active liveness authentication
- requires user action to prevent attackers from using photos, videos, masks, or avatars of the users to spoof the system
- is typically an approach that combines motion analysis and artificial intelligence with multiple images
- requires user’s consciousness and therefore is particularly suitable for services with a high focus on data privacy and security
- can be combined with a challenge-response mechanism for additional security and the protection against deepfakes
- is particularly suitable for services with a high focus on data protection and security
Passive liveness authentication
- does not require any specific actions from the user
- is typically based only on artificial intelligence analysing only one single image of the user
- is possible without the user’s consciousness and may run in the background
- can be quicker and sometimes easier for the user since no action is required from him/her
- is particularly suitable for services with a high focus on user-friendliness
BioID’s liveness detection for authentication with anti-spoofing
Based on the many years of experience of our Research & Development team in the field of biometrics and liveness detection, BioID offers the most advanced method for detecting presentation attacks by combining motion and texture analysis as well as artificial intelligence.
Find out more about BioID’s liveness detection here: https://www.bioid.com/liveness-detection/
BioID’s Liveness Detection is compliant with ISO/IEC 30107 for level 1 and 2 attacks, which also has been confirmed by two independent FIDO accredited biometric testing laboratories. Find out more about the process and standards for a liveness detection certification.
Since we do believe, that actions speak louder than words, we offer the opportunity to try out our liveness detection on our BioID Playground, so you can see for yourself. You can also request a free trial instance to test our liveness detection APIs. Or contact us, if you still need more information about BioID’s active liveness detection for fraud prevention.
Contact
Kathrin Kellner
+49 911 9999 898 0
info@bioid.com
