“This May Be The Worst Idea Ever” - Face Verification

From Bloomberg:

Ben Schlabs, of Security Research Labs in Berlin, says he and colleagues succeeded in fooling facial-recognition software by holding up a photo of a person’s face to the camera, then waving a pen in front of it. The system mistook the movement for blinking, and the photo was accepted for a living image. “This may be the worst idea ever,” Schlabs says. “Your face is literally recorded everywhere you go. It’s the only part of your body that you never cover up.”

Important to note, this is different from facial surveillance, which we debate here fairly regularly. In facial surveillance, you take a list of faces and try to find matches 'in the wild' without the suspects cooperating. In facial verification, someone tries to access a resource (to a building, to a bank account, etc.) and presents (hopefully) their own face to be allowed to access. What this researcher is saying is that if I know John Doe banks at ABC, I can get a photo of him and gain illicit access to John Does's bank account.

Agree/disagree with this researcher?

The technology tested was simply too simplistic, and not a reflection on face recognition and biometrics in general. An effective “liveness” test must be part of any credible biometric test. Ideally it should be done seamlessly, without requiring the user to do anything other than submit a biometric signal. In the case of face recognition, with a video sensor, there is no shortage of effective, fast and transparent liveness tests that can be applied. I’d suggest the researchers tackle a state of the art technology and see what the results look like.

How do you liveness test against a recorded video clip of a face being played back?

There are several techniques that readily come to mind, unfortunately they are all potentially somewhat sensitive to my current company and I'm not at liberty to disclose. With a little thought, I'm sure our colleagues here could come up with a solid list of measurable attributes that would not be present in a video playback, or at the least would register as sufficiently different, to serve as liveness detectors. Once our techniques make it into a patent, I will be more than happy to discuss them in detail with fellow IPVMers.

Personally I do not think that it is the worst idea ever to use facial recognition for the verification (access control) but at the same time it is not the best. IMO for the access control it is better to use a two-factor authentication in any case and additional value of face that it can be captured and stored for the reference.

There are different ways to avoid spoofing by presenting an image or video on a handheld device :) One of the best is to have two cams or a specific sensor and get a stereo image to be able to create a 3D model / measure depth. Other promising include illumination on capture, working with infrared images, analyzing background etc.

Biometrics does not mean the 100% reliability. It makes life harder for intruders but anything can be cracked.