Anyone concerned with evolving dangers in identity management should take note of a recent study from the University of North Carolina. The research showed that creating 3D faces from photos found online could be sufficient to defeat facial recognition systems.

What did the research involve?

The researchers developed a virtual reality-based attack capable of accurately reproducing faces to trick face authentication systems. They stated in “Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos” that “the ability of an adversary to recover an individual’s facial characteristics through online photos” represented an “immediate and very serious threat.”

The attack that the researchers created was able to bypass “existing defences of liveness detection and motion consistency.” They added that such “VR-based spoofing attacks… point to serious weaknesses in camera-based authentication systems.”

The researchers’ approach was much like an attacker or stalker’s might be. They browsed social media and ran online image searches for the 20 participants. In the process, they found that 19 participants had between three and 27 images of themselves posted online. They then used these to create 3D face models, patching in any missing areas or textures. Other tweaks ranged from gaze correction to the addition of facial animations such as smiling and frowning.

How the 3D faces fooled the authentication systems

According to those carrying out the study, “in the VR system, the synthetic 3D face of the user is displayed on the screen of the VR device, and as the device rotates and translates in the real world, the 3D face moves accordingly. To an observing face authentication system, the depth and motion cues of the display exactly match what would be expected for a human face.”

Tests using photos found online, as well as using an indoor headshot of each participant, saw a measure of success. The study used the 3D renders against five face authentication systems.

When presented with 3D renders made from the indoor headshots, all of these systems failed. The attack recorded varying success rates, however, when spoofing faces from social media photos.

Another sign of the importance of multi-factor authentication

Such study outcomes should affirm that multi-factor authentication with liveness detection is the safest and most secure approach to biometrics. SmilePass specialises in both, as part of its comprehensive and robust identity management service for businesses.