Artificial intelligence (AI) is currently a hot topic of discussion across many sectors and industries. Many experts warn against its reckless use and highlight its downsides, such as bias and discrimination, security risks and data breaches, possible job losses and issues relating to liability. On the other hand, the list of benefits is at least as long. In addition to the possibilities for automating workflows, improving data analysis, advances in R&D, and much more, AI offers a range of advantages regarding authentication. Particularly in the area of biometric identification, development is progressing rapidly. When combined with other security mechanisms, such as two-factor authentication (2FA), AI can offer improved security. Furthermore, using AI makes it possible to analyse customer preferences and behaviour patterns to provide personalised user experiences. Possibly the best-known application of biometrics in combination with AI is facial recognition. Read this latest blog post to learn how it works and what tricks cybercriminals use to outsmart it:
How facial recognition works
The operating principle of facial recognition can be broken down into several steps. The first step is to take a photograph, which must be of good quality. Several viewing angles are often used to achieve this. Important facial features, such as the eyes, are then localised and extracted. The characteristic features are then transformed into templates with the help of mathematical vectors or by a process called ‘face embedding’.
Different methods can be combined to guarantee secure authentication. Three examples of possible methods are listed below:
- Template matching
This method specifies areas of the face, such as the eye or nose sections, which are then localised in the face of the person who wants to authenticate themselves. These features are then mathematically combined with the reference photo, and the similarities of the areas are calculated.
- Elastic graph matching
This method superimposes a grid over the face. The grid includes characteristic features and is adapted to the face. The nodal points in the grid can be used to identify features not altered by facial expressions.
- 3D facial recognition
Here, special 3D cameras or infrared scanners recognise three-dimensional facial characteristics. This method is particularly robust against deep fake attacks.
Which of these methods is ultimately used depends on a range of factors, such as the capabilities of the terminal device or the security requirements of the authentication procedure in question. In many cases, a combination of different methods is used to make facial recognition more reliable and secure.
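The template matching method described above, as an added example that is not code from the original post or from any product: each face region of the probe is compared with the reference by normalised cross-correlation, and the face is accepted only if every region is similar enough. The 3x3 grey-level patches, the region names and the 0.8 threshold are constructed assumptions.

```python
import math

def ncc(a, b):
    """Normalised cross-correlation of two equal-size grey-level patches, in [-1, 1]."""
    fa = [p for row in a for p in row]
    fb = [p for row in b for p in row]
    if not fa or len(fa) != len(fb):
        raise ValueError("patches must be non-empty and the same size")
    ma, mb = sum(fa) / len(fa), sum(fb) / len(fb)
    num = sum((x - ma) * (y - mb) for x, y in zip(fa, fb))
    den = math.sqrt(sum((x - ma) ** 2 for x in fa) * sum((y - mb) ** 2 for y in fb))
    return 0.0 if den == 0 else num / den  # a flat patch has no structure to match

def match_face(reference, probe, threshold=0.8):
    """Score every region; accept only if all regions reach the threshold."""
    if reference.keys() != probe.keys():
        raise ValueError("probe must contain the same regions as the reference")
    scores = {name: ncc(reference[name], probe[name]) for name in reference}
    return all(s >= threshold for s in scores.values()), scores

# Constructed sample data: 3x3 grey-level patches per region.
REFERENCE = {
    "eyes": [[10, 200, 10], [10, 200, 10], [90, 90, 90]],
    "nose": [[50, 60, 50], [40, 120, 40], [30, 180, 30]],
}
# Same face under brighter lighting: every pixel shifted by +30.
BRIGHTER = {k: [[p + 30 for p in row] for row in v] for k, v in REFERENCE.items()}
# Different face: the eye region has the opposite light/dark pattern.
OTHER = {"eyes": [[200, 10, 200], [200, 10, 200], [90, 90, 90]],
         "nose": REFERENCE["nose"]}

if __name__ == "__main__":
    for label, probe in (("brighter", BRIGHTER), ("other", OTHER)):
        accepted, scores = match_face(REFERENCE, probe)
        print(label, accepted, {k: round(s, 3) for k, s in scores.items()})
```

A pixel-identical copy of the reference also scores 1.0, so the similarity score alone says nothing about whether a live person is in front of the camera, which is one reason the matching step is combined with other checks.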
Face off: the different faces of cybercriminals
Although biometric procedures are highly secure, criminals have developed methods of outsmarting and deceiving authentication systems.
After all, biometric data is only as secure as the systems in which it is stored. The security of data transmission also plays an important role. As with every transmission of sensitive data, it must be performed via encrypted channels. It is a fallacy that biometric data cannot be duplicated.
Large amounts of biometric data are published every day on the dark web. But that's not all: cybercriminals can use photos posted on social media platforms to create deep fakes. If these are used to open an account, for instance, remote identification methods can be deceived.
Recent years have seen the development of various AI-based methods of manipulating faces in videos. These make it possible, for example, to replace faces (face swapping), control facial expressions and movements (face reenactment) or generate synthetic identities. According to estimates by official bodies such as Germany's Federal Office for Information Security (BSI), these types of attacks can be very promising for cybercriminals. A report published by Europol also mentions deep fakes and forgeries of facial images as a particular cause of concern, given the rapid pace of development in this area.
Multi-level authentication methods offer maximum security
Basic security practices can help prevent deep fake forgeries. What’s more, most of these videos are not yet particularly sophisticated. For example, facial movements tend to be jerky, the person blinks erratically or not at all, and their skin colour changes. The videos also contain visible transitions, contours that should be sharp are blurred, facial expressions are limited, and the lighting is inconsistent.
To protect against deep fake attacks, organisations must not only provide training and awareness-raising measures for employees but should also ensure adequate protection of accounts. In the event of a large-scale attack, cybercriminals should be able to gain access to no more than one account, not to all the others.
Multi-factor authentication, which requires more than one factor from users attempting to log into an account, is a suitable choice for providing a high degree of security. Downstream authentication methods such as adaptive or risk-based authentication also help provide greater protection.
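One way an adaptive (risk-based) step can sit behind a face match, as an added example that is not from the original post or from any product: a good face score is necessary but, in an unfamiliar context, not sufficient, so the login is held until a second factor succeeds. The risk signals, point values and thresholds are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LoginAttempt:
    face_score: float                        # similarity from the face matcher, 0..1
    known_device: bool                       # device seen before for this account
    usual_location: bool                     # location seen before for this account
    second_factor_ok: Optional[bool] = None  # None: second factor not yet requested

def risk_points(a: LoginAttempt) -> int:
    """Hypothetical risk score: unfamiliar context adds points."""
    return (0 if a.known_device else 2) + (0 if a.usual_location else 1)

def decide(a: LoginAttempt, face_threshold: float = 0.8, step_up_at: int = 2) -> str:
    """Return 'allow', 'step_up' (ask for a second factor) or 'deny'."""
    if a.face_score < face_threshold:
        return "deny"        # biometric factor failed
    if risk_points(a) < step_up_at:
        return "allow"       # familiar context: face match accepted
    if a.second_factor_ok is None:
        return "step_up"     # risky context: face match alone is not trusted
    return "allow" if a.second_factor_ok else "deny"

# Constructed attempts: a routine login, then a near-perfect face match
# arriving from a device the account has never used.
ROUTINE = LoginAttempt(face_score=0.93, known_device=True, usual_location=True)
NEW_DEVICE = LoginAttempt(face_score=0.95, known_device=False, usual_location=True)

if __name__ == "__main__":
    print(decide(ROUTINE))      # allow
    print(decide(NEW_DEVICE))   # step_up
    NEW_DEVICE.second_factor_ok = False
    print(decide(NEW_DEVICE))   # deny
```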