Face Liveness Detection

Just like any other face recognition system, the BWS would normally recognize a person if a good-quality and up-to-date photo of the enrolled user is presented in front of the camera. A photo is a two-dimensional representation of the face, and as such it is the same as an image of the user taken directly with the camera. Therefore, to carry it to extremes, a face recognition system theoretically MUST recognize such a “photo of a photo” of the enrolled user if it matches the enrollment images.

But of course we do not want our system to be fooled by a photo. We want it to generate the same trust as a face-to-face interaction. Therefore we have developed a “LiveDetection” mechanism that makes sure the submitted recordings were indeed taken from a live person in front of the camera!

Liveness detection - Preventing photo fakes

The basic idea behind our mechanism is: If the person is live (and not a photo held in front of the camera), then this person will move, and from that movement one can calculate whether the intrinsic movements match that of a human face. So of course we need at least two images to perform such a liveness check. And those two images should contain at least some movement in between. If you submit the same photo twice, they will of course be rejected. On the other side, try to avoid too much motion. If there are too many differences between the two images, this might also fail.

Therefore, it is the task of the client app that records those images to make sure they are sufficient. A client app should ideally use a little “motion detector”, which is easy to implement: Record the first image, and store it. Now continue to record images, and simply subtract them from the first stored one. If the sum of pixel differences is higher than a certain threshold, use this image as the second one and submit it together with the first one to the BWS.

Liveness detection - what about fake videos?

From the explanations above, it is obvious that the system could still be faked with a video played back into the camera. If the impostor is in possession of some video material of the user he wants to fake, and he somehow presents this “live video” to the camera that records the images to submit them to the BWS - then the LiveDetection would accept this as a valid recording of a live person.

Our answer to this kind of fake attack is something quite well-known as a “challenge-response mechanism”. The basic idea behind it is that the system challenges the user with some random instructions, and then the response is checked to validate whether the instructions where followed. In our BWS, we can challenge the user to turn his head - and since the BWS LiveDetection also returns the head movement direction, it is possible to verify whether the user turned his head according to the randomly challenged direction.

Such a challenge can be repeated as many times as your security level requires. One could e. g. ask the user to move 5 times in arbitrary directions, and it is very unlikely then that an attacker has a video recording which shows exactly those 5 random head movements in the correct order. The more challenges you use, the higher the security level - but user convenience will decrease. As always, a compromise is necessary between security and convenience.

The BWS gives you all the information you need to implement your own video replay attack mechanism (by doing LiveDetection with head movement direction returned). In the BWS unified user interface, the challenge is shown using arrows to indicate the demanded head movement. Of course any other way of presenting the challenge is only limited by your creativity! However, to let BWS perform the challenge-response for you, you simply need to use the LiveDetection flag and tag your uploaded video samples (see SOAP API Sample class or BWS Upload Extension) with one or more of the four basic movement directions up, down, left and right.

Intellectual property rights

The methods described above are based on granted and pending patents owned or filed by BioID. Customers with an active subscription to our services have permission to use these methods in the applications that interface with our services. Use of such methods by other parties without BioID's explicit permission may infringe on BioID's intellectual property rights and may be grounds for legal proceedings.