Biometric system on mobile phone

I work in the field of biometric technologies and I want to describe one of the solutions that claims to be firmly in our everyday life in the near future. This is a bimetric user authentication system, which can be used on any modern smartphone, and which is designed for convenient (!) And reliable access control to various mobile services, such as banking, medical, and any other applications.

In recent years, an increasing number of companies are using the capabilities of the Internet to provide their services. As a rule, the architecture of such applications is the use of the “thin client” technology, which involves the centralized storage of client data and providing access to them only on special request. A client using a remote terminal (it can be a regular laptop, tablet or smartphone) and a special program or standard web browser can view and change information on a remote server.

To ensure the security of the transmitted data, SSL (Secure Sockets Layer) protocol is usually used. In addition, if the system is an application, access to it can be protected with a login and password. To enhance security, an EDS (Electronic Digital Signature) can be used - a binary data sequence generated by a cryptographic algorithm.
')
Unfortunately, customers often store access data directly on a laptop or smartphone, and if it is lost or stolen, third parties can easily access the services. Another disadvantage of passwords or EDS is the low ease of use - the need to remember the password or store the EDS file on a separate carrier. That is why biometric technologies are beginning to enter the security access market.

Biometric characteristics are unique for each person and with proper use they are very difficult to fake. Today, the most widely used biometric characteristics such as fingerprints, DNA, iris, facial image and voice. From the perspective of the above problem of confirming identity when using a mobile phone, the most suitable technologies are face and voice biometrics. And there are several arguments to this:

• Voice and face samples are easy to obtain “at home”, absolutely no special skills are required for this;
• to obtain voice and face samples, no special equipment is required - the photo is taken using the camera, and the voice is recorded through the microphone of the smartphone;
• Face photo and voice recording are simple and understandable to any person things, so the technology is easily perceived.

It should be noted that most recently, the biometric identification systems for voice and face had significantly worse performance (accuracy of identification, size of the biometric model, etc.), compared with, for example, fingerprint biometrics. However, over the past few years, significant advances have been made in the development of automatic classification methods and machine learning, which brought the performance characteristics of these modalities closer to others:

Biometric feature	Test	Test conditions	FRR	FAR
Fingerprints	FVC 2006	heterogeneous population, including manual workers and the elderly	2.2%	2.2%
Face	MBE 2010	police base of photos	4.0%	0.1%
Voice (MDG LLC)	NIST 2012	text independent recognition	3%	one%
Iris of the eye	ICE 2006	controlled lighting, wide range of quality	1.1%	0.1%

OnePass Mobile Authentication Solution

The OnePass bimodal access solution we are working on is multi-factor user authentication, which includes 3 main components:

1. verification by face;
2. verification by static passphrase;
3. presence detector.

Voice verification is based on the use of a fixed passphrase. At the registration stage in OnePass, the system offers the user a short password or a hint, for example, “Speak your last name and first name”. The phrase must be repeated 3 times - this is how maximum reliability is achieved and the pronunciation variability is assessed. At the verification stage, a password also appears on the screen, which is enough to be spoken only once. Using the tooltip allows you not to store or remember the password.

Face verification is performed “on the fly” - at the time the user utters the password phrase. In this case, the image of the user's face is displayed on the screen of a laptop or smartphone, which facilitates the positioning of the camera. For registration and verification only one image is enough.

A bimodal solution is a synthesis of the results obtained in the course of voice and facial verification. The processing of these modules results in mathematical probabilities of the P _Voice and P _Face similarity of the user's reference sample to the audio / video stream received at the input. Based on these values, a bimodal verification probability is calculated.

The presence detector allows you to determine whether there is a live person in front of the camera or its image. The basic principle of operation is based on recording the image of a user's face in the process of pronouncing a voice password and determining changes in facial characteristics of a person. Generally speaking, this algorithm deserves special attention because it protects the “Achilles' heel” of biometric systems — namely, from hacking attempts using a photo or a video recording. This is a direction that is closely related to biometrics and is known in the West by the term Liveness detection. In the future, I will tell you more about it.

The decision to access the user in OnePass is a logic that takes into account the results of all modules of the authentication system. A positive decision (access granting) is made when all of the following conditions are met:

1. The probability of similarity of the user with the standard according to the results of bimodal verification is greater than the threshold value.
2. The presence detector in the face has decided that there is a living person in front of the device, and not a dummy or photograph.
3. The presence detector by voice (in case it is used) has decided that the voice belongs to the Client of the system.

The OnePass solution for the mobile platform has an interface operating in two modes: registration and verification of the Client. We tried to make them as convenient and fast as possible:

• face verification is done by pressing a single button (hence the name of the OnePass solution); for convenience, the positioning of the face is a mirror image from the camera on the screen;
• voice verification is launched automatically in parallel with face verification, voice recording is also completed automatically;
• in the process of pronouncing the password phrase, the presence of the user is detected based on the analysis of facial changes of the face;
• all data is processed in parallel mode, which allows you to get the result immediately after pronouncing the password phrase;
• the presence of a voice password prompt does not require its storage or memorization

Bimodal authentication reliability

Accurate assessment of the reliability of the application is very important, because the probability of a system error will depend on the degree of user confidence in the system, as well as the potential loss of the Client when hacking the biometric system.

The main indicators of the reliability of the biometric system are the 1st and 2nd kind errors: False Rejection Rate (FRR) and False Acceptance Rate (FAR). Some additional information can be found here: Criteria for assessing the reliability of biometric systems .

We tested the reliability of the solution not only on well-known speech and facial databases ( YOHO , RSR2015 , FERET , MOBIO ), but also the databases provided by our customers, one of which was a large US bank. For testing used smartphones Samsung Galaxy Note II, S3 and S4.

To assess the accuracy of any biometric system, it is customary to use characteristic curves: ROC (Receiver Operating Characteristic) or DET (Detection error tradeoff), which establish the relationship between the FRR and FAR errors. For the OnePass bimodal solution, we got the following DET curve:



Further, the entire system was tested (a bimodal solution and a live user presence detection module) in two scenarios:

1. The attacker does not have a record / image of the Client
2. The attacker has a record / image of the client

The result is presented in the table:

Bimodal verification threshold	Fault Error (FR)	False skip error (FA), the Malefactor has no Client record / image	False skip error (FA), the Malefactor has an entry / image of the Client
0.3	1.85%	0.129%	8.00%
0.5	2.08%	0.021%	7.99%
0.7	3.63%	0.004%	7.86%

To summarize, these are very good indicators for a biometric system operating in real conditions, especially considering the hacking scenario using a photo. Currently, OnePass is being tested in one of the US banks to protect access to Internet banking, and the demonstrated results meet customer expectations. By combining the functions of bimodal authentication and liveness detection, the solution meets the opposite requirements of business and security services and has good prospects for expanding the scope.