Dark Reading is part of the Informa Tech Division of Informa PLC


9/1/2017
09:00 AM
Simon Marshall

Has Facial Recognition's Time Arrived?

Startup iProov says it has cracked the code on a reliable, secure facial recognition system.

Andrew Bud has quietly cracked the core challenge within facial recognition security. "We've solved the central problem in biometric ID, and we are the only people to have solved it."

It sounds like a surprising claim, because, historically, biometric systems are defeated sooner or later when they try to detect replicas (spoof images) or replays (of video, from a recording). Those systems, when faced with the questions "Is this a real face?" and "Are we seeing this face in real time?" couldn't ultimately answer with any certainty.

Bear with me here because Bud is no ordinary executive. The current founder and CEO of iProov, he graduated in 1982 (with a first in both tripos) with a master's degree in engineering from Cambridge University in England.

"I like founding industries," he says, and again, it's a claim not without merit.

Indeed, he created Zonephone (a forerunner in the UK of Rabbit) and is the inventor or joint-inventor of multiple mobile technologies, and is credited with 13 patents, notably Radio LAN and DECT. For eight years, he was the head of mobile at Olivetti, when the organization was bigger than IBM (technical head at Omnitel Pronto-Italia, now Vodafone Italy). When the mobile industry wanted an industrial mobile payment method, Bud was already ahead of the game as the founder of M-Blox. He's also the co-founder and global chair of the Mobile Entertainment Forum. On top of that, he seemed, well, pretty quiet. Not so.

"I spent a year thinking about how to authenticate a transaction on a hopelessly compromised mobile device," he says. Criminals were able, at the time, to exploit a weakness in the authentication process for SMS mobile payments. By 2013, this had become a $1 billion industry-wide problem. "Then I thought, by extension, how does one really establish trust at a distance?"

The ramifications of that thought process for visual ID, biometrics and countering ID theft, false identity, and personality spoofing were far-reaching. Up until then, software developers had focused on authentication through the ability to match one instance of a face with a known true representation of that face. Bud thinks that premise was flawed from the very beginning.

"Previously, companies looked at how accurately they could try and match that face, but that was all wrong, because attacks are all spoofed. Faces are not a secret, secure credential to begin with, I mean you can find mine easily on LinkedIn. So, the problem is, how do I know you are the real you?"

Essentially, hackers were fooling the process every time, either by visually presenting a spoof face or by taking a snippet of recorded video and presenting it as though it were a live event; if the presented visuals matched the recorded visual closely enough, they were let in. No thought was given to the validity of the face being presented, thoroughly wrecking the plans of biometric authentication companies and causing untold reputational, financial, privacy and security damage. But not for Bud.



iProov's central innovation (for which Bud also holds joint patent credit) employs a two-stage process which eliminates the threat of spoofing or recorded footage. To gain access to an app that requires biometric authentication, for example, the subject must present their face to the camera on their mobile device. First, the face is illuminated by a uniquely coded color which can tell a real human face from a spoofed CGI representation. Then, a sequence of colors is flashed that specifically rules out pre-recorded footage. iProov's patented process takes about two to three seconds, all told.

Want to see a quick demo? There was one at Finovate Europe this year, presented, of course, by Bud himself.

The technology has potential from Fintech to everyday password replacement and remote ID authentication. But is it a healthy, impenetrable solution? iProov recently held a six-week hackathon where an external agency was given access-all-areas to kick the tires. According to Bud, no one defeated the system, even though "we saw new attacks coming in that we had up until that point only theorized might be out there."

How does it stay healthy? Bud worries that the prevalence of more vulnerable face-recognition systems is teaching hackers new tricks, since during the learning process before a hack, the hacker remains unobserved. The theory is that if they remain unobserved, they will learn and adapt their strategies, "bank" them, and then deploy them when they can see a maximal business case. There will be no warning and the attack will be very comprehensive and mature.

"In order to observe hackers, the architecture needs to process authentication within the network, on the servers, and not at the device level," he says, contrasting this with other approaches. This may bring his views into conflict with the FIDO Alliance, which, according to Bud, sees such authentication processing as a privacy issue.
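The two ideas above (a flashed color sequence that rules out pre-recorded footage, and verification on the server so that failed attempts are observed) can be illustrated as a one-time challenge-response. This is an added example, not iProov's code, and the article does not describe their algorithm. The palette, sequence length, time window and all class and method names are assumptions, and recovering the `observed` colors from the submitted video is out of scope.

```python
import hmac
import secrets
import time

COLORS = ("red", "green", "blue", "yellow", "cyan", "magenta")  # assumed palette
SEQ_LEN = 8       # assumed number of flashes per attempt
TTL_SECONDS = 5   # assumed window, slightly above the 2-3 s capture time


class ChallengeStore:
    """Server-side state: the device never decides whether a capture is live."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}     # session_id -> (sequence, expiry)
        self.rejections = []   # (session_id, reason): failed attempts stay visible

    def issue(self, session_id):
        """Create a fresh, unpredictable color sequence for one attempt."""
        seq = tuple(secrets.choice(COLORS) for _ in range(SEQ_LEN))
        self._pending[session_id] = (seq, self._clock() + TTL_SECONDS)
        return seq

    def verify(self, session_id, observed):
        """Check the colors recovered from the submitted video, exactly once."""
        # pop() makes the challenge single-use, even when verification fails
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return self._reject(session_id, "unknown_or_reused_challenge")
        seq, expiry = entry
        if self._clock() > expiry:
            return self._reject(session_id, "expired")
        expected = ",".join(seq).encode()
        got = ",".join(observed).encode()
        if not hmac.compare_digest(expected, got):
            # footage recorded under an earlier challenge carries the wrong colors
            return self._reject(session_id, "sequence_mismatch")
        return True

    def _reject(self, session_id, reason):
        self.rejections.append((session_id, reason))
        return False
```

Because the sequence is drawn per attempt and consumed on first use, a recording made during one session does not satisfy the next, and every rejection is logged on the server rather than discarded on the device.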

iProov is currently focusing on scaling up customer deployments. These include DMB Financial and HMRC (the UK government tax revenue department). It has an opportunistic view on funding, having just in June closed a round of non-equity financial assistance from an undisclosed investor and Microsoft Accelerator London, at an undisclosed valuation.

"I make a point of having a portfolio (of iProov business concepts) that I can use if I get more funding resources. But does iProov need more funding (per se, on that basis)? We have no need for financial assistance." It is understood that iProov is about to close an additional funding round.

Even then, Bud is not done. He has patented a new approach which builds on iProov's core competency with facial recognition and hybridizes it with ICAO 9303, which is a standard that guides the use of machine-readable travel documents. So, one could use a mobile device with an NFC chip by tapping a passport to the phone, and authenticating to a requestor that way. The passport ID information is digitally signed, so the system remains secure and works in theory.

"Verifying ID has a world-building feeling about it," says Bud. He reckons the company will be worth GBP 1 billion ($1.3 billion) within the next five years.


— Simon Marshall, Technology Journalist, special to Security Now
