Monthly Archives: June 2021

Facial Biometrics: Liveness and Anti-Spoofing

Most of us understand how fingerprinting works: we compare a captured fingerprint, from a crime scene for example, to a live person’s fingerprint to determine if they match. We can also use a fingerprint to ensure that the true owner, and only the true owner, can unlock a smartphone or laptop. But could a fake fingerprint be used to fool the fingerprint sensor in the phone? The simplest answer is yes, unless we can determine whether the fingerprint actually came from a living and physically present person who is trying to unlock the phone.

In biometrics, there are two important measurements: Biometric Matching and Biometric Liveness. Biometric matching is the process of identifying or authenticating a person by comparing their physiological attributes to information that has already been collected. For example, when a captured fingerprint matches a fingerprint on file, that’s matching. Liveness Detection is a computerized process to determine if the computer is interfacing with a live human and not an impostor like a photo, a deep-fake video, or a replica. For example, one measure of Liveness is determining whether the presentation occurred in real time. Without Liveness, biometric matching would be increasingly vulnerable to fraud attacks that are continuously growing in their ability to fool biometric matching systems with imitation and fake biometric attributes. Without proper liveness detection, “Presentation Attack”, “spoof”, or “bypass” attempts would endanger a user. It is important to have strong Presentation Attack Detection (PAD) as well as the ability to detect injection attacks (where imagery bypasses the camera), as these are ways to spoof the user’s biometrics. Liveness determines if it’s a real person, while matching determines if it’s the correct, real person.

With today’s increasingly powerful computer systems have come increasingly sophisticated hacking strategies, such as Presentation and Bypass attacks. There are many varieties of Presentation attacks, including high-resolution paper and digital photos, high-definition challenge/response videos, and paper masks. Others use commercially available lifelike dolls, human-worn resin, latex and silicone 3D masks, as well as custom-made ultra-realistic 3D masks and wax heads. These methods might seem right out of a bank heist movie, but they are used in the real world, and successfully too.

There are other ways to defeat a biometric system, called Bypass attacks. These include intercepting, editing, and replacing legitimate biometric data with synthetic data that was not collected from the person’s biometric verification check. Other Bypass attacks might include intercepting and replacing legitimate camera feed data with previously captured video frames or with what’s known as a “deep-fake puppet”, a realistic-looking computer animation of the user. This video is a simple but good example of biometric vulnerabilities, lacking any regard for Liveness.

The COVID-19 pandemic provides significant examples of Presentation and Bypass attacks and the resulting frauds. Pandemic stay-at-home orders, along with economic hardships, have increased citizen dependence on the electronic distribution of government pandemic stimulus and unemployment assistance funds, creating easy targets for fraudsters. Cybercriminals frequently utilize Presentation and Bypass attacks to defeat the citizen enrollee and user authentication systems of government websites and steal from governments across the globe, which amounts to hundreds of billions in losses of taxpayer money.

Properly designed biometric liveness and matching could have mitigated much of the trouble Nevadans are experiencing. There are various forms of biometric liveness testing:

  • Active Liveness commands the user to successfully perform a movement or action like blinking, smiling, tilting the head, and track-following a bouncing image on the device screen. Importantly, instructions must be randomized and the camera/system must observe the user perform the required action. 
  • Passive Liveness relies on involuntary user cues like pupil dilation, reducing user friction and session abandonment. Passive liveness can be undisclosed, randomizing attack vector approaches. Alone, it can determine if captured image data is first-generation and not a replica presentation attack. Significantly higher Liveness and biometric match confidence can be gained if device camera data is captured securely with a verified camera feed, and the image data is verified to be captured in real-time by a device Software Development Kit (SDK). Under these circumstances both Liveness and Match confidence can be determined concurrently from the same data, mitigating vulnerabilities.  
  • Multimodal Liveness utilizes numerous Liveness modalities, like 2-dimensional face matching in combination with instructions to blink on command, to establish user choice and increase the number of devices supported. This often requires the user to “jump through hoops” of numerous Active Liveness tests and increases friction.
  • Liveness and 3-dimensionality. A human must be 3D to be alive, while a mask-style artifact may be 3D without being alive. Thus, while 3D face depth measurements alone do not prove the subject is a live human, verifying 2-dimensionality proves the subject is not alive. Regardless of camera resolution or specialist hardware, 3-dimensionality provides substantially more usable and consistent data than 2D, dramatically increasing accuracy and highlighting the importance of 3D depth detection as a component of stronger Liveness Detection.

Biometric Liveness is a critical component in any biometric authentication system. Properly designed systems require the use of liveness tests before moving on to biometric matching. After all, if it’s determined the subject is not alive, there’s little reason to perform biometric matching and further authentication procedures. A well-designed system that is easy to use allows only the right people access and denies anybody else.  
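The active-liveness requirements and the ordering described above (randomized instructions, real-time capture, liveness before matching), sketched as an added example that is not part of the original article. The action names, the 20-second window and the `matcher` callable are assumptions, and the detector that watches the camera feed and reports the observed actions is outside its scope.

```python
import hashlib, hmac, secrets, time

ACTIONS = ("blink", "smile", "tilt_head")   # assumed action names
TTL_SECONDS = 20                             # assumed real-time window
SERVER_KEY = secrets.token_bytes(32)         # per-process key for this demo
_used_nonces = set()

def _tag(nonce, issued, actions):
    # Binds the instruction set to its nonce and issue time.
    msg = f"{nonce}|{issued}|{','.join(actions)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(now=None, steps=3):
    """Random action sequence, bound to a one-time nonce and an issue time."""
    issued = int(time.time() if now is None else now)
    actions = [secrets.choice(ACTIONS) for _ in range(steps)]
    nonce = secrets.token_hex(16)
    return {"nonce": nonce, "issued": issued, "actions": actions,
            "tag": _tag(nonce, issued, actions)}

def check_liveness(challenge, observed, now=None):
    """observed: actions a detector saw on the camera feed (assumed input)."""
    now = time.time() if now is None else now
    expected = _tag(challenge["nonce"], challenge["issued"], challenge["actions"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False, "challenge tampered"
    if challenge["nonce"] in _used_nonces:
        return False, "challenge already used"      # replayed session
    if not 0 <= now - challenge["issued"] <= TTL_SECONDS:
        return False, "not captured in real time"
    _used_nonces.add(challenge["nonce"])            # one attempt per challenge
    if list(observed) != challenge["actions"]:
        return False, "actions do not match challenge"
    return True, "live"

def authenticate(challenge, observed, matcher, now=None, threshold=0.9):
    """Run the biometric matcher only after liveness passes."""
    live, reason = check_liveness(challenge, observed, now)
    if not live:
        return "rejected: " + reason                # matcher is never called
    return "accepted" if matcher() >= threshold else "rejected: no match"
```

A failed attempt also burns the challenge, so each new attempt has to answer a freshly randomized instruction set.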

Care to learn more about Facial Biometrics? Be sure to read our previous releases: “Exploring Facial Biometrics. What is it?” and “Facial Biometrics – Voluntary vs Involuntary”.

About the authors:

Jay Meier is a subject matter expert in biometrics & IAM, and an author, tech executive, and securities analyst. Jay currently serves as Senior Vice President of North American Operations at FaceTec, Inc. and is also President & CEO of Sage Capital Advisors, LLC., providing strategic and capital management advisory services to early-stage companies in biometrics and identity management. 

Meyer Mechanic is a recognized expert in KYC and digital identity. He is the Founder and CEO of Vaultie, which uses digital identities to create highly fraud-resistant digital signatures and trace the provenance of legal and financial documents. He sits on DIACC’s Innovation Expert Committee and has been a voice of alignment in advancing the use of digital identity in Canada.

Additional contributions made by members of the DIACC’s Outreach Expert Committee including Joe Palmer, President of iProov Inc.

Request for Comment and IPR Review: PCTF Assurance Maturity Model Draft Recommendation V1.0

This review period is officially closed. Thank you.

Notice of Intent: DIACC is collaborating to develop and publish a Pan-Canadian Trust Framework™ (PCTF) Assurance Maturity Model to set a baseline of public and private sector interoperability of identity services and solutions.

To learn more about the Pan-Canadian vision and benefits-for-all value proposition please review the Pan-Canadian Trust Framework Overview.

Document Status: This review document has been approved as a Draft Recommendation V1.0 by the DIACC’s Trust Framework Expert Committee (TFEC) that operates under the DIACC controlling policies.

Summary: It is essential that Participants in a digital ecosystem have a way to evaluate the robustness and trustworthiness of transactions within that ecosystem. In order to do so, Participants must share a common vocabulary that describes the level of confidence they can associate with an Entity or transaction, as well as a common way in which to determine that level of confidence.

In the Pan-Canadian Trust Framework™ (PCTF), a Level of Assurance (LoA) represents the level of confidence an Entity may place in the processes and other conformance criteria defined in any given component of the PCTF.  Levels of Assurance are elemental in creating networks of trust. Levels of Assurance models only work if all Participants in a digital ecosystem are able to interpret them consistently. It is therefore critical that all Participants in an ecosystem agree upon a minimum set of criteria for each Level of Assurance. Only then will a Relying Party in that ecosystem be able to properly evaluate the risks inherent in a relationship or transaction, and the Level of Assurance that can be placed in Participants, Credentials, and those transactions. The components of the PCTF describe the detailed conformance criteria that should be used to evaluate such Levels of Assurance in the context of a given PCTF component. This document provides guidance regarding how to use those criteria in order to properly classify Levels of Assurance.

Invitation: All interested parties are invited to comment.

Period: Opens: June 27, 2021 at 23:59 PT | Closes: July 28, 2021 at 23:59 PT

Document: PCTF Assurance Maturity Model

Intellectual Property Rights: Comments must be received within the 30-day comment period noted above. All comments are subject to the DIACC contributor agreement; by submitting a comment you agree to be bound by the terms and conditions therein. DIACC Members are also subject to the Intellectual Property Rights Policy. Any notice of an intent not to license under either the Contributor Agreement and/or the Intellectual Property Rights Policy with respect to the review documents or any comments must be made at the Contributor’s and/or Member’s earliest opportunity, and in any event, within the 30-day comment period. IPR claims may be sent to review@diacc.ca. Please include “IPR Claim” as the subject.

Process:

  • All comments are subject to the DIACC contributor agreement.
  • Submit comments using the provided DIACC Comment Submission Spreadsheet.
  • Reference the included PDF to include the corresponding line number for each comment submitted.
  • Email completed DIACC Comment Submission Spreadsheet to review@diacc.ca.
  • Questions may be sent to review@diacc.ca.

Value to Canadians: The PCTF Assurance Maturity Model will provide value to all Canadians, businesses, and governments by setting a baseline of business, legal, and technical interoperability. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy, and convenience. The PCTF is one such resource that represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating Canada’s Identity Ecosystem.

Context: The purpose of this Draft Recommendation review is to ensure transparency in the development and diversity of a truly Pan-Canadian, and international, input. In alignment with our Principles for an Identity Ecosystem, processes to respect and enhance privacy are being prioritized through every step of the PCTF development process.

DIACC expects to modify and improve this Draft Recommendation based upon public comments. Comments made during the review will be considered for incorporation into the next draft and DIACC will prepare a Disposition of Comments to provide transparency with regard to how each comment was handled. 

Thank you for your support and participation in this review period.

DIACC Membership Appoints 2021 Board of Directors

June 22, 2021 – The Digital Identification and Authentication Council of Canada (DIACC) today announced the appointment of five (5) nominees to the five seats up for election at its Virtual Annual General Meeting held online on June 17, 2021.

Newly elected to the Board: 

  • Iliana Oris Valiente, Managing Director at Accenture

Re-elected to the Board:

  • Colleen Boldon, Director, Digital Lab and Digital ID Programs, Public Services and Smart Government, Province of New Brunswick
  • Neil Butters, Head, Digital Identity Innovation & New Ventures, Interac Corp.
  • Robert Devries, Assistant Deputy Minister, Platforms, Government of Ontario
  • Louis Jacob, Vice President, Core Engineering and Transformation, Manulife

“On behalf of the DIACC, I am pleased to welcome Iliana to the Board. Her expertise in innovation and emerging technologies will bring great strategic value to the group,” congratulates President Joni Brennan, “The DIACC will make important progress in the year ahead, as Canada’s largest and most inclusive community of digital identity leaders.”

“I look forward to continuing working alongside our qualified and esteemed Board to drive forward digital ID as a national priority,” said Dave Nikolejsin, Board Chair. “Together we will work to champion, educate, and ensure the adoption of digital identity to empower people, businesses, health care centres, academic institutions, and civil society.”

DIACC Directors are elected industry leaders who set the organizational strategic directions and ensure good governance is practiced, ensuring policies and procedures are continually improved and align with the vision and representation of DIACC membership. 

The full listing of the DIACC Board of Directors: 

  • Dave Nikolejsin, Strategic Advisor, McCarthy Tetrault & Board Chair
  • Franklin Garrigues, Vice President Digital Channels, Mobile for Everyone, TD Bank & Board Vice-Chair
  • Andre Boysen, Chief Identity Officer, SecureKey & Board Treasurer
  • David Attard, SEVP, Head of Personal and Business Banking, CIBC
  • Colleen Boldon, Director, Digital Lab and Digital ID Programs, Public Services and Smart Government, Province of New Brunswick
  • Marc Brouillard, Chief Technology Officer, Government of Canada
  • Neil Butters, Head, Digital Identity Innovation & New Ventures, Interac Corp.
  • Patrice Dagenais, Vice President, Payment and Business Partnerships, Desjardins Cards Services (DCS)
  • Susie De Franco, General Manager, Digital Channel & Products, Canada Post
  • Robert Devries, Assistant Deputy Minister, Enterprise Digital Services Integration Division, Ministry of Government and Consumer Services, Government of Ontario
  • Louis Jacob, Vice President, Core Engineering and Transformation, Manulife
  • Hugh McKee, Head, BMO Partners
  • Iliana Oris Valiente, Managing Director, Accenture
  • CJ Ritchie, Associate Deputy Minister & Government Chief Information Officer, Province of BC
  • Eros Spadotto, Executive Vice-President, Technology Strategy, TELUS

2021 marked the end of the three-year term of Allan Foster, Vice President of Global Partner Success, ForgeRock, on the Board. DIACC thanks him for his service and dedication, and looks forward to continuing to work with ForgeRock as a DIACC member organization.

Following the trend of the past few years, the number of nominees far exceeded the number of Board seats available. DIACC thanks all highly qualified nominees for taking part in the process. This reflects the growing interest and investment by Canadian individuals, governments and businesses in making digital ID a national priority.

About the Digital ID and Authentication Council of Canada (DIACC)

The DIACC is a non-profit coalition of public and private sector leaders committed to developing a Canadian digital identification and authentication framework to enable Canada’s full and secure participation in the global digital economy. The DIACC was created as a result of the federal government’s Task Force for the Payments System Review and members include representatives from both the federal and provincial levels of government as well as private sector leaders.