
9/1/2017
09:00 AM
Simon Marshall

Has Facial Recognition's Time Arrived?

Startup iProov says it has cracked the code on a reliable, secure facial recognition system.

Andrew Bud has quietly cracked the core challenge within facial recognition security. "We've solved the central problem in biometric ID, and we are the only people to have solved it."

It sounds like a surprising claim, because, historically, biometric systems are defeated sooner or later when they try to detect replicas (spoof images) or replays (of video, from a recording). Those systems, when faced with the questions "Is this a real face?" and "Are we seeing this face in real time?" couldn't ultimately answer with any certainty.

Bear with me here because Bud is no ordinary executive. The current founder and CEO of iProov, he graduated in 1982 (with a first in both tripos) with a master's degree in engineering from Cambridge University in England.

"I like founding industries," he says, and again, it's a claim not without merit.

Indeed, he created Zonephone (a forerunner in the UK of Rabbit) and is the inventor or joint inventor of multiple mobile technologies, credited with 13 patents, notably Radio LAN and DECT. For eight years, he was the head of mobile at Olivetti, when the organization was bigger than IBM (technical head at Omnitel Pronto-Italia, now Vodafone Italy). When the mobile industry wanted an industrial mobile payment method, Bud was already ahead of the game as the founder of M-Blox. He's also the co-founder and global chair of the Mobile Entertainment Forum. On top of that, he seemed, well, pretty quiet. Not so.

"I spent a year thinking about how to authenticate a transaction on a hopelessly compromised mobile device," he says. Criminals were able, at the time, to exploit a weakness in the authentication process for SMS mobile payments. By 2013, this had become a $1 billion industry-wide problem. "Then I thought, by extension, how does one really establish trust at a distance?"

The ramifications of that thought process for visual ID, biometrics and countering ID theft, false identity, and personality spoofing were far-reaching. Up until then, software developers had focused on authentication through the ability to match one instance of a face with a known true representation of that face. Bud thinks that premise was flawed from the very beginning.

"Previously, companies looked at how accurately they could try and match that face, but that was all wrong, because attacks are all spoofed. Faces are not a secret, secure credential to begin with, I mean you can find mine easily on LinkedIn. So, the problem is, how do I know you are the real you?"

Essentially, hackers were fooling the process every time, by either visually presenting a spoof face, or taking a snippet of recorded video and presenting it as though it were a live event; if the presented visuals matched the recorded visual closely enough, they were let in. No thought was given to the validity of the face being presented, thoroughly wrecking the plans of biometric authentication companies and causing untold reputational, financial, privacy and security damage. But not for Bud.



iProov's central innovation (for which Bud also holds joint patent credit) employs a two-stage process which eliminates the threat of spoofing or recorded footage. To gain access to, for example, an app that requires biometric authentication, the subject must present their face to the camera on their mobile device. First, the face is illuminated by a uniquely coded color which can tell a real human face from a spoofed CGI representation. Then, a sequence of colors is flashed that specifically rules out pre-recorded footage. iProov's patented process takes about two to three seconds, all told.

Want to see a quick demo? There was one at Finovate Europe this year, presented, of course, by Bud himself.

The technology has potential from Fintech to everyday password replacement and remote ID authentication. But is it a healthy, impenetrable solution? iProov recently held a six-week hackathon where an external agency was given access-all-areas to kick the tires. According to Bud, no one defeated the system, even though "we saw new attacks coming in that we had up until that point only theorized might be out there."

How does it stay healthy? Bud worries that the prevalence of more vulnerable face-recognition systems is teaching hackers new tricks, since during the learning process before a hack, the hacker remains unobserved. The theory is that if they remain unobserved, they will learn and adapt their strategies, "bank" them, and then deploy them when they can see a maximal business case. There will be no warning and the attack will be very comprehensive and mature.

"In order to observe hackers, the architecture needs to process authentication within the network, on the servers, and not at the device level," he says, contrasting this with other approaches. This may bring his views into conflict with the FIDO Alliance, which, according to Bud, sees such authentication processing as a privacy issue.

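A simplified sketch of the challenge-response idea behind the flashed color sequence and the server-side processing described above, added here as an illustration; it is not iProov's code or algorithm. It assumes the color reflected from the face during each flash has already been extracted from the camera frames, and the palette, sequence length, timeout and all names are hypothetical.

```python
import secrets
import time

PALETTE = ("red", "green", "blue", "yellow", "cyan", "magenta")  # assumed
SEQ_LEN = 8        # assumed number of flashes per challenge
TTL_SECONDS = 5.0  # assumed validity window for one challenge


class LivenessServer:
    """Issues one-time colour sequences and verifies them server-side."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge id -> (sequence, issue time)
        self.audit = []     # every attempt and its outcome, kept on the server

    def issue(self):
        cid = secrets.token_hex(16)
        seq = tuple(secrets.choice(PALETTE) for _ in range(SEQ_LEN))
        self._pending[cid] = (seq, self._clock())
        return cid, seq

    def verify(self, cid, observed):
        result = self._check(cid, tuple(observed))
        self.audit.append((cid, result))
        return result

    def _check(self, cid, observed):
        # pop() makes a challenge single-use, whether or not it passes
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown-or-reused"
        seq, issued_at = entry
        if self._clock() - issued_at > TTL_SECONDS:
            return "expired"
        return "live" if observed == seq else "mismatch"


def demo():
    """Constructed scenario: live capture, replayed recording, reused id."""
    server = LivenessServer()
    cid1, seq1 = server.issue()
    live = server.verify(cid1, seq1)    # camera saw the colours just flashed
    cid2, seq2 = server.issue()
    replay = server.verify(cid2, seq1)  # footage recorded during session 1
    reuse = server.verify(cid1, seq1)   # old challenge id resubmitted
    return live, replay, reuse, seq1 == seq2, server.audit
```

Because the sequence is random per session, footage captured under one challenge fails the next one, and every failed attempt lands in the server's audit list rather than staying on the device.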
iProov is currently focusing on scaling up customer deployments. These include DMB Financial and HMRC (the UK government tax revenue department). It has an opportunistic view on funding, having just in June closed a round of non-equity financial assistance from an undisclosed investor and Microsoft Accelerator London, at an undisclosed valuation.

"I make a point of having a portfolio (of iProov business concepts) that I can use if I get more funding resources. But does iProov need more funding (per se, on that basis)? We have no need for financial assistance." It is understood that iProov is about to close an additional funding round.

Even then, Bud is not done. He has patented a new approach which builds on iProov's core competency with facial recognition and hybridizes it with ICAO 9303, which is a standard that guides the use of machine-readable travel documents. So, one could use a mobile device with an NFC chip by tapping a passport to the phone, and authenticating to a requestor that way. The passport ID information is digitally signed, so the system remains secure and works in theory.

"Verifying ID has a world-building feeling about it," says Bud. He reckons the company will be worth GBP 1 billion ($1.3 billion) within the next five years.


— Simon Marshall, Technology Journalist, special to Security Now
