What Is Liveness Detection and How It Works for Fraud Prevention

There is a growing concern for online security for businesses in all industries, and the need for advanced authentication methods has never been greater, especially for companies in regulated sectors that handle large sums of money or particularly sensitive data, such as banking, insurance, and healthcare.

 

Even security methods that are widely viewed as foolproof and hard to replicate, like biometrics, have their vulnerabilities. According to some reports, over one-third of organizations, or 37%, have dealt with synthetic voice fraud. Going further, 80% of companies surveyed believe fake biometrics pose real security threats.

 

To combat this type of fraud, liveness detection is a key way to determine the legitimacy of the biometrics presented during authentication. Below, we’ll take a deeper look into liveness detection, how it works, the benefits it provides, and more.

Liveness detection, or a liveness check, is a security method that ensures an entity presenting a biometric, like a face or fingerprint, is a live human being and not a fake image or recording.

 

Essentially, it’s a digital ticketing agent that looks for fraudsters trying to pass off a copy or replica of someone else’s biometric data as their own to gain unauthorized system access.

 

Just like you’d be able to tell if a cardboard cutout of a ticketholder was trying to enter a football stadium to watch the game, liveness detection plays a similar role in securing digital systems.

 

Compared to static authentication methods, liveness checks are dynamic and use real-time interactions to verify a user’s identity. This makes it more difficult for fraudsters to bypass security with stolen or replicated identity data.

 

On a larger scale, liveness detection plays an important role in multi-factor authentication (MFA). It provides an additional layer of security to the authentication process to ensure that the biometric data that a person provides during log-in is legitimate, and not stolen or spoofed. It can also be used very effectively at account opening as part of a broader KYC process.

There are two main types of liveness checks: passive and active. We will discuss both in more detail and provide examples for each below.

 

Passive Liveness Detection

Passive liveness detection continuously monitors a user’s behavior like their facial movements, voice patterns, or other aspects to determine how consistent it is with a live human. 

 

This can be convenient for users because they aren’t required to perform specific actions or interrupt the log-in process. Instead, they can complete their normal behaviors and activities, which will be monitored, though they may not even recognize liveness detection is occurring.

 

Active Liveness Detection

Active liveness detection requires people to engage in some sort of prompted behavior or gesture during a log-in attempt to verify they are an actual person and not a photo or other replica. 

 

This might include a request to blink, smile, nod, speak, or complete another action to prove they are alive while the system captures their biometric data. The system will take this input and compare it against what the expected behavior or response is.

Various methods are utilized to support liveness detection, including the following:

 

Motion analysis

The system may assess the movements of the subject to determine if it’s a live person. It’s looking for natural motions and behavior patterns akin to what a live human would produce. 

 

If there is a fraudster trying to use an image of a person to pass biometric authentication, the system should detect the lack of subtle movements like blinking or facial expressions that would indicate there’s an actual person present.

 

3D depth sensing

Another important method for liveness detection is 3D depth sensing, which uses laser scanners and other technology to map out a person’s scanned facial features in three dimensions. 

 

This can help differentiate between a live person completing a facial scan or a photo or video of a person’s face, which is only two-dimensional.

 

Challenge and response tests

In active liveness detection, the system may prompt certain challenges for the user to complete, expecting a certain type of response from a live person. 

 

By instructing the user to engage in specific tasks, like nodding their head, repeating a certain phrase, or blinking their eyes, the system can analyze their response and determine whether or not it’s in line with how a real human would behave. 

 

For instance, if someone is trying to use a photo of a person’s face to bypass a facial recognition test, they should not be permitted access if challenged to blink, which they would be unable to do properly with just an image.

 

Texture analysis

Liveness detection systems can also use texture analysis to take a closer look at the provided biometric features. 

 

This is done to detect signs of life that are typically not captured accurately in a photo or video, including fine lines, wrinkles, pore shape, skin texture, and other imperfections associated with a living human.

Fraudsters can use many different tactics and techniques to attack a system, even ones that use biometric authentication. 

 

In these cases, liveness detection can bolster a system’s security by ensuring that only living individuals possessing the proper credentials are granted access. 

 

Some of the most common types of attacks that liveness detection can help mitigate include:

 

• Spoofing: When a fraudster impersonates an authorized user in an attempt to gain access to the system using their credentials

• Replay attacks: Occur when a hacker intercepts valid communications on a secure network and attempts to resend the captured message later for system access

• Mask attacks: A brute-force technique used by attackers who generate and test a large volume of possible passwords based on a certain pattern in hopes of gaining unauthorized access to a system or account

 

Liveness detection and deepfakes

It is worth breaking out deepfakes for further discussion, as this deep learning-based technology is radically transforming the threat landscape. Essentially, a deepfake is a form of biometric spoofing, where one person’s likeness can be digitally manipulated and replaced convincingly by that of another.

 

With this technology, it becomes much easier to steal someone’s identity and impersonate them, or create a new synthetic identity. Where before, a fraudster might have been limited to using photos, videos, masks, or other artificial replicas of synthetic biometric data, it is now possible to present a very convincing digital fake that is much more difficult to identify. Existing liveness detection providers will therefore need to develop advanced detection capabilities to identify these increasingly sophisticated biometric spoofing methods.

Liveness detection should be just one aspect of an organization’s comprehensive identity verification system. This method can enhance existing identity proofing methods, though it is not enough on its own to prevent fraud.

 

Organizations need to use other identity verification methods to confirm the user is who they claim to be. Then, liveness detection is an additional layer of security that proves the user is a living person who possesses the identity.

 

Liveness detection is particularly beneficial when it comes to preventing account takeover (ATO) fraud or new account fraud. It helps organizations ensure that only live humans who are physically present are able to create new accounts or access a system or application, not a fraudulent actor using a false replica of a biometric sample.

 

One of the common security breaches that liveness detection can prevent is when a fraudster uses a stolen or synthetic identity to open up a loan or credit card using the victim’s information. 

 

In this case, a robust identity verification solution, in which liveness checks play an important role, can thwart their attempt since they will be unable to prove in real time that they are the individual that they are trying to impersonate. Not only does this protect identity theft victims from further damages, but it can help financial institutions avoid devastating economic and reputational loss.

Again, liveness detection offers an important layer of security for account registration and identity authentication. These are some of the specific benefits that this security method provides:

 

Increase Security

Liveness checks make it harder for fraudsters to bypass authentication, helping to enhance security. This is the primary benefit of liveness detection, as it can help bolster an organization’s comprehensive identity verification protocols, making their online systems and applications more secure.

 

Reduce Fraud

Additionally, a liveness check can help to reduce fraud, which can be costly for an organization as well as lead to reputational damage. After all, if the cybercriminal is not allowed to access a system at the point of authentication or account creation, they cannot use the account to commit fraud by, say, making a financial transfer or opening a new line of credit.

 

Again, the main purpose of liveness detection is to prevent fraudsters from being able to replicate or spoof an account holder’s biometric data for system access. In other words, they should be unable to bypass security simply by using a high-quality image or video of the authorized user’s fingerprints, face, or voice during identity verification. If they can’t get in, they can’t cause financial damage.

 

Improved Trust

Lastly, since liveness detection offers better security and prevents fraud and data breaches, it can foster better trust with customers of retailers, ecommerce stores, and financial institutions.

 

In turn, customers feel more confident to make online transactions or interact with an organization with the understanding that their sensitive data is properly safeguarded and protected.

Though liveness checks are seen as the safeguard against fraud for biometric authentication, organizations shouldn’t give themselves a false sense of security just because they’ve implemented this method.

 

They still need to understand how to mitigate spoofing risks to ensure liveness detection can be effective.

 

Presentation attack spoof attempts aim to deceive liveness detection tests with high-quality replicas of biometric data like a video replay or high-quality photo of a person’s face or other biometric traits.

 

To combat this, many liveness detection systems will leverage a combination of the techniques we described earlier (3D depth sensing, motion analysis, etc.) to come to an informed conclusion about whether the authorized user is being spoofed or not.

 

So, even though liveness detection tests can be spoofed, using multiple techniques simultaneously will help systems accurately verify a user’s identity and ensure they are live and present during access attempts.

Liveness detection is highly versatile and can be used in nearly all industries to help enhance the security of account registration and identity verification.

 

Namely, companies can curb the risk of fraud and safeguard user accounts and data with liveness detection. Organizations can use liveness detection with document authN for basic identity proofing during onboarding, password resets, log-in attempts, and other notable actions or requests.

 

For instance, let’s say you’re a banking client and you want to send a $100,000 wire. This might hit a certain threshold set by the bank, requiring you to prove your identity with biometric authentication before the transaction can be completed. When liveness detection is in place, the system will ensure you’re actually present to provide your biometric sample before the wire is sent.

 

As technology advances and fraudsters’ spoofing abilities become more sophisticated, the application of liveness detection will only grow in significance. In certain cases, it will be increasingly used to enhance physical access control, integrating into existing systems so only authorized individuals can gain entry to secure areas.

 

Similarly, it might be used to secure remote transactions as more business moves online. Liveness detection can confirm the identity of users in real time, mitigating the risk of account takeover fraud or unauthorized transactions.

 

Machine Learning Integration

There is an important application of machine learning (ML) in liveness detection technology. These adaptive models can learn from new data in real time, constantly evolving to new threats and attack methods. 

 

In the context of liveness detection for biometric authentication, machine learning algorithms can effectively track patterns of behavior like facial movements and vocal intonation to determine what’s “normal” and expected, or signs of replication or spoof.

 

Integration with Biometric Authentication

As we have discussed throughout, liveness detection must be used in combination with other identity verification methods, including biometric authentication, for enhanced security. This allows organizations to prove that the user possesses the proper biometric traits to verify their identity and that they are physically alive and present at the time of authentication.

Implementing Ethical and Legal Standards

There should be ethical and legal standards in place when using liveness detection strategies. This will ensure that these practices are aligned with broader principles of privacy and consent, and are not infringing upon individuals’ rights.

 

Data Security and Storage Compliance

Businesses need to handle and store liveness data appropriately to stay compliant with data security and privacy regulations. This might include the use of robust encryption, access controls, and secure storage to keep biometric data safe and secure from unauthorized access.

 

User Consent and Transparency

Obtain user consent in accordance with regulations before engaging in liveness checks. Transparency is highly important when it comes to how businesses collect, use, and store sensitive user information like biometric data. So, they need to keep users informed about their liveness detection practices and how their data will be used beforehand.

 

Regular Audits and Assessments

Conduct regular audits and assessments of liveness detection practices to ensure ongoing compliance with industry standards. Perform internal reviews of how biometric data is handled, the security of the storage systems, and user consent procedures to identify possible areas of noncompliance.

 

Adapting to Evolving Standards

Data security and privacy regulations constantly evolve as consumer expectations shift and technological capabilities continue to develop. The dynamic regulatory environment means businesses must stay agile and adapt their liveness detection practices to new or revised standards.

Liveness detection plays an important role in your overall identity proofing system, allowing you to fight against spoof attacks and strengthen biometric authentication. 

 

Through a combination of techniques like motion analysis and challenge and response tests, liveness checks can keep fraudsters from bypassing security with false or impersonated biometric samples.

Maya Ogranovitch Scott and Adam Preis of Ping Identity explore the evolving landscape of AI threats, share new research around how IT and security decision-makers are arming themselves to combat them, and recommend best practices to stay ahead of the curve and ensure your organization is protected in an increasingly AI-driven world.