In the digital age, onboarding users to financial platforms invites a new set of complexities. Traditionally, if you wanted to open a bank account in person, you'd encounter few issues satisfying identity requirements. You'd simply enter a bank branch and provide a banker with proper identification, thereby allowing them to assess whether the identification matches the human standing before them. Provided you did this while you were still alive and breathing, you'd have no problem proving your liveness. In today's online world, organizations have to craft KYC onboarding experiences that balance friction and accuracy, still with the end goal of proving a prospective user is real and not a manufactured identity. The heart of online liveness detection boils down to two questions: 1) Is this the right person? 2) Is this a live person?
In this post, we'll take a brief look at the core concepts of liveness, popular frameworks companies employ, and best practices for proving liveness in the digital age.
Biometrics
In any discussion about liveness detection, it's common to hear the term biometrics come up. Biometrics are simply any unique physical characteristics that can be used for automated recognition. While we've become accustomed to modern biometric implementations such as facial recognition, neural network face mapping, and AI image processing, many older biometric indicators, such as fingerprinting, have been in use for decades. Footprint even takes its name from the practice of recording a newborn's footprints on its birth certificate!
Liveness Checks in the Digital Age
Today it's common to see companies make use of advanced biometric technology to provide liveness as part of their digital onboarding. If you've ever taken a selfie when creating an account on an app or held up your driver's license next to your face for a snapshot, those are all different ways to certify liveness. Liveness is categorized into two buckets: passive liveness and active liveness. Passive liveness, as its name suggests, does not require much action from a user. Most commonly, the input for passive liveness detection is a selfie.
In contrast, active liveness requires user participation, often in the form of challenges and/or movement. If you've ever been asked to smile, turn your face from side to side, or record a short video as part of an onboarding experience, you've participated in active liveness. As a best practice for active liveness checks, companies will ensure the challenges put forth to the user have been randomized, to cut down on spoofing from pre-recorded video.
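The randomization practice described above, sketched as an added example (not Footprint's or any vendor's code). The action names, the 60-second lifetime, and the in-memory nonce set are assumptions; `observed_actions` stands in for whatever the video analysis reports.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical challenge vocabulary and limits (assumptions for this example).
ACTIONS = ["smile", "turn_left", "turn_right", "blink", "nod"]
TTL_SECONDS = 60
SERVER_KEY = secrets.token_bytes(32)  # signing key held only by the server
_used_nonces = set()                  # a real deployment needs a shared store


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(session_id, steps=3, now=None):
    """Pick an unpredictable, ordered action sequence bound to one session."""
    now = time.time() if now is None else now
    actions = secrets.SystemRandom().sample(ACTIONS, steps)  # CSPRNG, no repeats
    nonce = secrets.token_hex(16)
    expires = int(now) + TTL_SECONDS
    payload = "|".join([session_id, nonce, str(expires), ",".join(actions)])
    return {"payload": payload, "tag": _sign(payload), "actions": actions}


def verify_response(session_id, payload, tag, observed_actions, now=None):
    """Return (ok, reason) for a submitted recording's detected actions."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_sign(payload), tag):
        return False, "bad_tag"            # payload or tag was altered
    sid, nonce, expires, actions = payload.rsplit("|", 3)
    if sid != session_id:
        return False, "wrong_session"      # challenge issued to someone else
    if now > int(expires):
        return False, "expired"            # too slow: time to edit a video
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)                # one attempt per challenge, pass or fail
    if list(observed_actions) != actions.split(","):
        return False, "actions_mismatch"   # a pre-recorded clip shows other moves
    return True, "ok"
```

Because the nonce is consumed even on a failed attempt, a submitter cannot keep retrying recordings against the same challenge; each retry gets a fresh random sequence.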
The next step in both passive and active liveness checks is for the company to analyze the inputs and make a determination. Companies will perform various types of image (or video) analyses including (but not limited to) deep machine learning, 3D depth analysis, texture analysis, sensing techniques, distortion analysis, and algorithmic templating analysis. If a liveness check passes, users can then continue the onboarding process.
Organizations must consider both the user experience and security when deciding which liveness detection methods to employ. Asking users to perform random tasks can be cumbersome (e.g. having to perfect the angle one holds their phone to capture the biometric) and if not well-integrated may result in increased abandonment rates. Conversely, implementing less stringent biometric checks may make your experience more susceptible to spoofing, thereby opening the floodgates to bad actors. Organizations must seek the optimal balance between friction and fidelity when crafting onboarding experiences.
Complexities Remain as Fraudsters Evolve
Despite the progress that's been made to harness biometrics for liveness checks and identity verification, some frameworks are still susceptible to fraudulent attacks. Selfie checks can be targets for face swaps, where a bad actor acquires a photo of a would-be user (oftentimes through social media) and then uses it (or a manufactured 2D model) to swap in for their face. Deepfakes and video attacks are similar. On a passive liveness check, a target's face can be copied onto an ID card and scanned. For active liveness checks, a video of a target can be edited and reanimated to create realistic representations of the target performing the requested challenges. Some bad actors even go so far as to create 3D models and masks to aid in impersonation attempts. While modern technology has significantly increased accuracy in digital liveness detection, it's not foolproof, and companies should consider all avenues of increasing the veracity of their onboarding experience.
A Better Way to Harness Biometric Liveness
When it comes to proving liveness, the power of biometrics can be greatly amplified when it's married with other verifiable data in the ecosystem. A great example of this is companies like Google, Microsoft, and Apple using biometric facial data that can be stored securely and uniquely mapped to a user's device. Notably, Apple's technology adheres to the FIDO standard, allowing for seamless authentication through Face ID. When a user enables Face ID on an iPhone, subsequent uses of this biometric will produce a device attestation, certifying that facial recognition has occurred on the original, non-jailbroken device. You can then take that attestation and marry it with other verifiable determinations from the device, such as an individual's physical location or phone number. This triangulation gives you even greater credibility that the user is 1) the right person and 2) alive. We built Footprint on top of these exact security protocols to make onboarding secure and frictionless for companies and end users alike.