Facing the future
November 2017, This Week's Editor's Pick, Access Control & Identity Management, IT infrastructure
If there is one area of the security industry that shows how the industry has advanced technologically, it would arguably be the area of facial recognition. Far from the days when a photograph or even a printout of a face could fool a reader into verifying an identity, today’s facial recognition systems have advanced significantly.
To be sure, of the many facial recognition solutions on the market, there are many that are still poor identity authentication mechanisms and should be avoided in professional settings. Yet the leading providers have taken the discipline of facial recognition to new heights of fast and accurate recognition, along with the ability to do 3D scanning and more in order to detect if someone is trying to fool the system with a picture or a mask.
Facial recognition also makes many people nervous. China will be rolling out an insanely broad facial recognition system over a number of years that will be able to recognise people wherever they may be, which naturally also leads to privacy and security concerns. We’ll see similar projects in the Middle East soon as well, along with projects that aren’t spoken as much of in First World countries.
Getting back to the access and identity market, Hi-Tech Security Solutions asked a couple of companies driving the development of this technology for their input into what is happening in the facial recognition arena, as well as some of the touchy issues this technology is bound to highlight.
Fake face anxiety
The issue of faking facial identity is very relevant today. While we happily leave our fingerprint everywhere we go, the fact that our face is ‘out there’ and caught on multiple cameras every day seems not to bother us. What are modern facial biometric readers doing to avoid being tricked with fake faces or to ensure the face they verifying is actually alive?
Walter Rautenbach, MD of neaMetrics, says there are several different technologies out there ranging from 3D imaging, facial thermogram, facial vein, infrared depth analysis, image analysis and machine learning based classifiers. Some of these technologies, like 3D imaging, require expensive hardware, making it unfeasible for practical use, and conventional algorithm-based methods using 2D images, which up to now have not been accurate, require exhaustive calculations/computing power.
“Certain software based solutions monitor facial changes and might even ask you to wink or smile and use the changes of the facial architecture to see if it is a live face,” he adds. “Using these techniques in isolation is not effective since, for example, a video can simulate a smile or wink. It is for this reason that fake face detection that works makes use of a combination of techniques to make the life of the hacker more difficult.”
ViRDI SA’s Deon Janse van Rensburg, adds that many companies are using dual extraction i.e. colour and infrared cameras to extract facial features. This helps with the normal challenges such as light conditions, facial changes, weight gain/loss etc. A few companies are using 3D extraction technology, although this has very high processing requirements which are not always ideal for access control applications. If one looks at CCTV for instance, the facial recognition systems require full blown XEON-based servers. This is obviously an issue for access control since the object of using biometrics is speed with security, and server based authentication is not optimal.
“ViRDI utilises an extraction technology based on 3D geometry with isometrics on an Android platform, which allows for the use of larger CPUs,” he explains. “This extraction technology allows for the system to look for curvature of the facial features, which is very difficult to fake. It’s not impossible, but very difficult. ViRDI then uses infrared (IR) technology as supplementary to the 3D geometry since high quality images have little or no IR signature.”
Is it reliable?
With so many options to choose from, and with the knowledge that the more accurate methods of recognition require significant processing power, the question arises as to whether facial recognition is at a level where it can be used for identity authentication as easily and reliably as, for example, a fingerprint? Alternatively, is it at a level where it could be used as part of a multimodal biometric solution?
Our two interviewees differ on this question. Janse van Rensburg says no. “Although facial recognition has come a long way in the last few years, the Equal Error Rate (EER) is nowhere close to where fingerprint biometrics are. There are simply too many false positives to be as reliable as fingerprint systems.
“Lighting conditions, facial changes, facial hair, skin tone, etc. all play a major role. I recently saw a CCTV-based facial recognition that has a very good EER, but the cost involved in the system may not make it commercially viable. In access control, it is advisable that a multifactor authentication process is used (for example, card and face or fingerprint and face, since a 1:1 comparison makes it easier for the system to authenticate a user.”
Rautenbach, on the other hand, is more positive. “Facial recognition techniques have dramatically improved. I have some personal doubts about Apple’s claims of facial being 50 times more unique than fingerprints. If these claims are true then one can only hope this technology finds its way to the general market outside of their silo.
“In the meantime, we believe that facial identification is an effective means for databases sized between 3000 and 30 000, depending on the type of technology implemented. The accuracy and confidence in facial identification accuracy can be seen in the Suprema stable where database sizes for access control terminals increased by 300% over the past few years.
“With access control you cannot have uncertainty and mistakes can cause great brand damage. Accuracy in 1:1 mode, as seen in multifactor authentication when used with a card, for example, is very secure. In the same breath, all technologies are not made equal and it is extremely important to select a proven brand where fake face detection is not an optional feature when it comes to securing your facility.”
He agrees with Janse van Rensburg that using multifactor biometrics is always more secure as you need to get through two layers. However, he adds that with the accuracy of individual modalities these days it is difficult to justify the additional cost. “Most multimodal biometric systems use the two modalities with fusion scoring, meaning for example that if a proper finger cannot be captured, but face confidence is 90%, then access is granted. So it is still multimodal, but instead of making use of the ‘more secure’ benefit of multimodal, it makes use of the ‘more effective’ qualities.”
A bit of bad behaviour
When it comes to multiple forms of biometrics or identification being used at the same time to improves security, it seems pertinent to look at another ‘future’ technology that may fit perfectly with facial recognition – behavioural biometrics.
Behavioural biometrics is both new and old. Humans have been making conscious and unconscious decisions using it since we appeared on earth. We get a ‘gut feeling’ about someone, or we think they are acting suspiciously – something control room operators should be trained to spot. Today, behavioural biometrics has become something computers are being programmed to do to assist in video analytics, for example.
The idea is that instead of verifying an identity at the start of a transaction, such as logging into a computer or entering a premises, the machines will be able to identify a person by their regular behaviour or habits. This has proved an accurate way of identification when looking at the way people type, for example – after typing a few words, it is possible to accurately identify the typist.
Behavioural biometrics will supposedly be a way in which we can continually verify an identity, ensuring that the person typing on a computer is who they claim, for example. Similar options exist for analysing the way people walk, talk and a host of other behaviours. When we take the potential of facial recognition, being able to identify people walking down the street or approaching a boarding gate at an airport, etc., and add behavioural characteristics to that, the opportunities for constant identification are enormous – and rather terrifying. Of course, as noted, facial recognition is its own form of continuous verification if one can rely on the various cameras used in monitoring operations.
Rautenbach says facial biometrics is ideal for continuous authentication and logical authentication. “There are several providers of such solutions and I have personally been using FastAccess from SensibleVision since 2010 – and I was not an early adopter.
“The convenience this creates is that I don’t have to worry about exposing open confidential documents on my computer and should my computer not see me for a minute, it will lock my screen. It also allows for easily switching between multiple profiles, which is very handy when my daughter wants to access her apps on my mobile without me having to fear that she will be sending unsolicited ‘heart eye’ emojis to strangers, ex colleagues or staff. The only real problem experienced is the influence of light on the camera as well as some hiccups when I added additional monitors to my laptop, which caused it to lock me out because I am was not giving my main screen, with the camera, enough attention.”
He notes that another behavioural biometric that is receiving headlines is wearable heart rate monitors, be it dedicated or standard gear. It is being advertised as a more secure and effective way to control authentication.
Janse van Rensburg says we’re dipping our toes into the murky waters of artificial intelligence here. “Certainly facial recognition systems can be used in behavioural biometric solutions since the face is the easiest way of determining behaviour. Law enforcement have been using the technique for decades (if not longer) and although there is no scientific basis for something like physiognomy [the facial features held to show qualities of mind or character by their configuration or expression, according to Merriam-Webster] it is acknowledged that facial expressions etc. can indicate behaviour.
“The issue here is that humans are intelligent beings that can ‘sense’ nuance, and should facial recognition be used as a behavioural biometric, what intelligence should the device possess to be able to use facial as a behavioural metric? Another question would be, how far are we from having a fully autonomous AI that can perform such a function? Google has experimented with AI and recently had to delete one of their AI programs due to the fact that it quickly ‘learned’ biased racial attitudes towards certain Google users.
“Is it possible to use facial recognition as a behavioural biometric? Sure. Will it be in the foreseeable future? I rather doubt it.”
As for facial recognition being used as a secure logical authentication mechanism, he again says the jury is still out on that. “For many years a freeware program called KeyLemon has been available that allows PC users to unlock their PCs by using the webcam and the results haven’t been stellar.
“Recently Microsoft incorporated facial recognition into Windows Hello that is available on selected laptops (Windows Hello requires a dual webcam setup) and the comments I’ve seen on this feature on the developer forums have been a mixed bag ranging from excellent to downright disappointment. From a ViRDI point of view we certainly aren’t expending any energy in developing our facial recognition for such an application and, quite frankly, we’ve had little request for facial recognition bespoke development, unlike with fingerprint biometrics.”
Nevertheless, ViRDI is not slacking when it comes to advancing its facial recognition solutions. Its AC7000 is a multimodal biometric device that uses 3D geometry with isometric facial recognition, fingerprint recognition, dual proximity card reader and a keypad all based on the Android architecture.
Second generation facial recognition
Suprema is now on its second generation facial recognition terminal. Rautenbach says FaceStation 2, launched earlier this year, includes a more advanced algorithm, performs 3000 identifications in less than a second and overcomes the influence of external light with operation possible in conditions up to 25 000 lux.
Suprema’s Live Face Detection technology combines cutting-edge technology with advanced proprietary algorithms. A dual camera system captures both visible and IR images which are then processed using advanced image analysis techniques and intelligent machine learning based classifiers. A fake face is detected by estimating specific features and their distribution compared with reference models of real faces.
“In the enterprise identity solution division as well as the BioRugged mobile biometric terminals, we use an array of specialised facial ICAO and facial identification libraries. In most of these solutions, facial technology is used as part of multimodal configurations as well as performing 1:1 matching against provided ID document images.
Facial identification is also extremely popular for user authentication and monitoring if a user’s session should remain active or not. The traditional use of facial for visual verification on ID cards also remains prominent where humans do the biometric matching and therefore the importance of ICAO standards remain key to ensure quality portrait capture. Capturing ICAO standard portraits uses the same type of techniques internally as facial identification, to measure facial dimensions, proportions, positioning and gestures to ensure compliance.
The question of privacy
When considering the implications of facial biometrics alone, and even more so when including behavioural biometrics, the question of privacy naturally becomes more important.
Rautenbach explains that the standard legal terms when it comes to exclusions of confidentiality include ‘any part of such information which is or becomes public knowledge and in the public domain…’
“When I then enter a private property or public space, especially where it indicates that surveillance is present, will I really have any claim on intrusion of my privacy? I think there is a reason why burglars wear masks and if one is really concerned about this then one will have to take the same measures.”
However, he says that a clear differentiation needs to be made between dedicated facial recognition devices, which include special hardware to perform strong identification, and facial recognition performed on video data. The latter is not as accurate, but definitely easier to collect, process and mine.
“Applying this ‘surveillance facial recognition’ for applications such as public security is nothing new as video is generally recorded to identify persons committing a crime or behaving oddly, with the only difference being that the identification of individuals with facial recognition is now automated. This is where AI is going and there will still be many debates on privacy concerns.”
Fortunately for the victims of such pervasive surveillance, organisations that collect video data, including or excluding facial recognition, will have to comply with regulations such as PoPI and will have to show that the data is used for the purpose advertised and only accessed by those authorised to use the data for that purpose.
Taking a more philosophical view, Janse van Rensburg says, “biometrics, and specifically facial recognition biometrics certainly touches on one of the more sensitive moral and ethical conundrums of our time. With the advancement in technology in the last 60 odd years, we are faced with a mixture of the worst portions of ‘1984’ and ‘Atlas Shrugged’ as governments and the private sector have intruded more and more into our lives.
“The question we have to ask is, what is better for the greater good? We as humans have never experienced the levels of terror we are currently experiencing. Terrorism is highly organised, highly funded and can strike anywhere at any time. If the terror of the 1980s taught us one thing, it is that certain individuals need monitoring, but where to draw the line? Who gets monitored and who doesn’t?
“China is busy with a multi-decade project where every citizen will have his or her biometric data on a database – including their faces – and they can be monitored and identified at any time in any location that has a CCTV camera. Is this the type of society we want to live in? Terrorism may not allow us the luxury of such philosophical questions.
“Personally, I’m a proponent of biometrics as long as the biometric data is strictly controlled, managed and used only for the purpose of keeping law-abiding citizens safe. Government and corporations however, being run by humans with human vices, may not toe this line.”
For more information contact:
neaMetrics, 0861 632 638, email@example.com, www.neametrics.com
ViRDI Distribution, +27 (0)11 454 6006, firstname.lastname@example.org, www.virditech.co.za