BT/ Vision Pro iris sensor added to Apple’s fingerprint and face authenticators

Paradigm

Follow

Published in

Paradigm

19 min readFeb 12, 2024

--

Biometrics biweekly vol. 82, 29th January — 12th February

TL;DR

Apple’s latest release, the Vision Pro, introduces advanced biometrics technology. Featuring Optic ID iris scanning for authentication, these futuristic goggles offer a blend of iris recognition and password input. Equipped with four eye-tracking cameras, they scan both eyes simultaneously, with adjustable settings for any issues.
Microsoft adding Face Check selfie biometrics to Entra Verified ID
Fingerprint Cards showcases biometric locks for instruments and laptops
Green lights for Intellicheck, BeyondID affirms secure standards for data safety
Privately, ACCS, Idiap, and AVPA join forces to protect age estimation from generative AI
Prepare now for when quantum computers break biometric encryption: Trust Stamp
Smart Engines adds hologram analysis to ID document validation portfolio
LastPass FIDO2 certification, Privakey enterprise SSO boost passwordless access
Jumio streamlines identity verification for Kaizen Gaming
ID. me verifies 50M users while IDnow, Tools for Humanity sign up digital wallet partners
Relai selects Inverid, fintech beef up KYC processes as deepfake threats loom
UNDP, World Bank take stock of digital transformation progress
EU reaches deal on technical details of AI Act, biometric surveillance criticism remains
Moscow, Dubai ramp up biometric payments in public transportation
Indonesia urges massive signup for new digital ID to ease access to public services
Bahrain sees a high uptake of digital ID, CRVS services through online platforms
Tunisia’s biometric ID project is back on the table but advocates want data protection guarantees
Australia’s digital ID may launch in July
Philippines launches new digital ID authentication service, promotes enrollment drive
Socure digital ID platform approved by the state of Texas
Alaska posts RFP for $2M fingerprint biometric processing system
Bahamas, Guyana eye facial recognition surveillance projects to fight crime
India continues its fight against Aadhaar fraud
Germany to mandate biometric photos for documents
Veridos is supplying new digital ID cards for Macau
Judge says TikTok can’t roll related biometric privacy cases into 2022 settlement
A new research paper evaluates liveness detection models for biometric samples, focusing on performance in cross-database scenarios
Biometric industry events. And more!

Biometrics Market

The Biometric system market size is projected to grow from USD 36.6 billion in 2020 to USD 68.6 billion by 2025; it is estimated to grow at a CAGR of 13.4% during the forecast period. The increasing use of biometrics in consumer electronic devices for authentication and identification purposes, the growing need for surveillance and security with the heightened threat of terrorist attacks, and the surging adoption of biometric technology in automotive applications are the major factors propelling the growth of the biometric system market.

Biometric Research & Development

Latest Research:

Measure liveness across datasets helps defend complex real-world attacks: researchers

A new research paper evaluates liveness detection models for biometric samples, focusing on performance in cross-database scenarios.

Liveness detection in cross-database scenarios, the paper says, is “a test paradigm notorious for its complexity and real-world relevance.” “In an era where biometric security serves as a keystone of modern identity verification systems, ensuring the authenticity of these biometric samples is paramount,” it reads.

The authors believe effective liveness detection that can differentiate between genuine biometric samples and sophisticated spoofs is an important tool in meeting this challenge.

The authors’ approach takes a deep dive into various liveness detection models’ performance metrics, including half total error rate (HTER), false acceptance rate (FAR), and false rejection rate (FRR). But the true test for liveness detection mechanisms, they say, is how robust and adaptable they are across diverse scenarios. There can be a wide gap between datasets that liveness detection is trained on and the ones on which it is deployed. For biometric systems, the stakes are especially high: a system trained exclusively on one database might perform flawlessly on that particular data, but falter when met with a different spoofing technique or demographic distribution.

The solution, say the authors, is a cross-database testing paradigm.

The research used five distinct datasets for evaluating face presentation attack detection (PAD). The Custom Silicone Mask Attack Dataset (CSMAD), collected by the Idiap Research Institute, consists of facial biometric data from 14 subjects, including bona fide presentations and custom silicone mask attacks. The 3D Mask Attack Database (3DMAD) contains 76,500 frames of 17 individuals, recorded using a Microsoft Kinect sensor for depth in both genuine access and 3D mask spoofing attacks, including real-size masks obtained through ThatsMyFace.com. Idlap also provided the Multispectral-Spoof Face Spoofing Database (MSSpoof) of VIS and near-infrared (NIR) spectrum images from 21 subjects, and the Replay-Attack Database, a 2D facial video database of 1,300 real access and attack attempt video clips from 50 people under various lighting conditions.

Finally, the authors used their own dataset of more than 4,600 2D facial images and videos taken with smartphones or downloaded from the internet, mainly YouTube.

Of the utilized datasets, 3DMAD yielded the best results in initial testing, demonstrating “impeccable performance across all metrics.” The CSMAD dataset, meanwhile, “posed significant challenges.”

“The variation in performance across datasets underscores the criticality of diverse data representation in training robust liveness detection models,” it says. “While some datasets like 3DMAD show near-perfect results, others like CSMAD reveal potential vulnerabilities. Our findings emphasize the importance of comprehensive evaluations and the necessity of cross-database testing.”
When it came to cross-database testing, “several models exhibiting high efficacy on their native datasets encountered significant challenges when subjected to data from external sources.” This, say the authors, is a red flag showing that models, “if overly tuned or biased towards specific dataset characteristics, may fail to maintain performance parity across broader biometric variations.”

The crux of the paper’s argument is that cross-database testing beyond conventional evaluation methods is necessary to ensure robust and adaptable liveness detection.

“By exposing models to an array of biometric datasets, we unearth indispensable insights into their true robustness and generalization prowess, informing more reliable, secure biometric verification systems for the future,” it says. “While our model exhibited commendable performance in certain scenarios, the inconsistencies observed in cross-database testing illuminate the path for future research. The journey towards perfecting liveness detection is ongoing, replete with challenges yet filled with opportunities. As spoofing techniques evolve, so must our defense mechanisms, making this a perpetually dynamic field of study.”

Main News:

Vision Pro iris sensor added to Apple’s fingerprint and face authenticators

Last week, Apple released its biometrics-heavy Vision Pro to the world. These 3-D goggles are the first time Apple customers have had cause to get giddy since the first iPhone.

For the biometrics industry, the biggest deal is Optic ID iris scanning for authentication. (The goggles, which would not be out of place on the frozen face of a Tauntaun rider, use a combination of iris and/or password to authenticate.) Both eyes are simultaneously scanned by four eye-tracking cameras unless there is an issue with one, in which case settings can be adjusted.

Apple doesn’t say much more about biometrics, but it is more forthcoming about data privacy.

Like with iPhones, personal authentication information is only ever stored on the Vision Pro. Sensitive information from within apps is secured, too. The googles, which run on visionOS, ship with 25 Apple apps, including settings and Safari. Optic ID data is encrypted and shut away only in Apple’s Secure Enclave processor.

That’s the show, but a Bloomberg writer chronicled his experience buying a Vision Pro, which bears reading if someone is on the fence. Getting a nice Tauntaun saddle sounds almost as fun.

Bloomberg

Edit description

www.bloomberg.com

Microsoft adding Face Check selfie biometrics to Entra Verified ID

In a blog post credited to Ankur Patel, head of product for Microsoft Entra Verified ID, the tech giant announced that it is now previewing the Face Check real-time selfie-to-ID face matching tool in its digital ID verification service.

Microsoft Entra Verified ID is based on open standards. The Face Check facial recognition system runs on Azure AI and shares only match results; no sensitive personal identity data is shared outside the transaction. Selfie cam footage is used exclusively to invoke Azure AI services, including the Vision Face API for liveness detection. It is not stored at any point, nor is it shared with the verifier application, which receives a confidence score assessing the likelihood of a match with the reference ID document (e.g. a driver’s license or passport). Following the free preview period, each match transaction performed using Face Check in Verified ID will cost $0.25.

The free preview has already proven attractive to businesses seeking a biometric verification platform from a trusted industry staple. Patel quotes an unnamed representative from BEMO, a cybersecurity and compliance services firm with ties to Microsoft, who says Face Check “can verify the identity of an employee instantly and with high confidence, without trading off between security and compliance.”

Patel’s post includes detailed, step-by-step instructions on how to create a Face Check compatible Verified Workplace Credential and set up a Verified ID account. He says Microsoft Entra Verified ID is planning to extend its API pattern to cover other ID attributes, such as verified work history and legal entity verification, via partnerships with Dun & Bradstreet (DNB), LexisNexis Risk Solutions, and Idemia.

On March 13, the firm will share more on the face matching system at the online Microsoft Secure event, for which registration is now open.

Microsoft Entra Verified ID | Microsoft Security

Build, issue, and verify digital credentials and microcredentials for more secure interactions using Microsoft Entra…

www.microsoft.com

Fingerprint Cards showcases biometric locks for instruments, laptops

Biometric sensor and software provider Fingerprint Cards showcased its biometrically locked music cases as well as the TechLok LapLok device in collaboration with BenjiLock, following an exclusive deal between the two companies, at NAMM Show 2024 and CES 2024.

Fingerprint Cards announced its biometrically-secured “Safe & Sound” instrument cases, created in partnership with BenjiLock and its licensee, instrument case manufacturer TKL Products Corp, were presented at the 2024 NAMM Show in Anaheim, California.

The TKL guitar case’s latches integrate BenjiLock and Fingerprint Cards’ BM-Lite FPC SafeTouch, giving musicians an added layer of security for their instruments.

“For musicians, their instrument is more than just a tool; it’s an extension of themselves,” said Fingerprint Cards CEO Adam Philpott. “We’re thrilled to partner with BenjiLock and TKL to bring the power of biometric security to the music world, providing musicians with the ultimate peace of mind knowing their instruments are always safe and secure.”

The product was showcased during NAMM 2024 last week along with BenjiLock’s Travel Sentry biometric locks, co-branded with TechLok, and its sports locks.

Fingerprint Cards has also collaborated with BenjiLock to create TechLok‘s LapLok security devices at the CES Unveiled 2024. Like the Safe & Sound case, LapLok uses the BM-Lite, FPC SafeTouch module to secure laptops and tablets, which is especially useful in keeping devices secure in public areas.

Green lights for Intellicheck, BeyondID affirm secure standards for data safety

Intellicheck, Inc., the New York-based identity validation SaaS provider to clients in financial services, social media, automotive, law enforcement and identity access management, has passed annual surveillance audits to retain certification for ISO/IEC 27001:2013 and ISO/IEC 27701:2019.

A release from the ID validation and biometrics company says successful completion of the third-party audits means Intellicheck’s platform is certified for another year.

“This achievement is one more validation of the strength of our commitment to our clients, partners, and stakeholders,” says Intellicheck CEO Bryan Lewis, emphasizing the firm’s effort to balance efficiency in customer onboarding with “the utmost standards in data security and privacy” across offerings for KYC, fraud prevention, age verification and other digital identity services.

ISO/IEC 27001:2013, an information security management system standard published in October 2013, validates the strength and efficacy of Intellicheck’s information security management system (ISMS\InfoSec) and Privacy Information Management System (PIMS).

ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001:2013, confirming that Intellicheck has implemented security measures and countermeasures using best practices, to protect against unauthorized access or compromise personal identifiable information (PII).

Fellow New York firm BeyondID, which provides passwordless identity management and authentication, issued a release announcing its success in completing the System and Organization Controls 2 Type II (SOC 2 Type II) examination, which affirms the security of BeyondID’s infrastructure, software, data, policies, procedures and operations, and its adherence to practices and controls that meet the Trust Services Principles and Criteria for security, availability and privacy over an extended period.

Conducted by leading cybersecurity assessment firm A-lign, the examination also confirms that BeyondID’s platform is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and can provide a Business Associate Agreement (BAA) ensuring proper handling of personal health information.

“We are proud to achieve HIPAA compliance, ensuring that BeyondID can handle sensitive healthcare data securely,” says Sasi Kelam, co-founder and CTO of BeyondID. “This combination of SOC 2 and HIPAA compliance assures our customers that we take security as seriously as they do.”

Privately, ACCS, Idiap and AVPA join forces to protect age estimation from generative AI

Generative AI services are emerging that can potentially be used to thwart online facial age estimation systems, just as those systems are mandated in a growing number of jurisdictions.

A collaboration between the Age Check Certification Scheme (ACCS), Idiap Research Institute, the Age Verification Providers Association (AVPA) and Privately SA has been announced to develop tools to defend against spoof attacks with generative AI.

The project, referred to by Privately in a LinkedIn post as “Safeguarding Age Estimation and Digital IDs from Emerging Threats Posed by Generative AI,” is funded by a grant from Innovate UK and Innosuisse.

“I think we can all agree, Age Assurance systems are going to be pretty useless if a 12 year old can simply spoof them with an easily available App,” explains ACCS Executive Director Tony Allen in a separate LinkedIn post. “In order to maintain confidence in the efficacy of the systems, we need a suite of test assets (sometimes called a test harness) and agreed protocols and standards for applying those tests.”

Privately brings its experience with biometric age and ID verification systems, while Idiap will contribute its highly-regarded biometrics research expertise. The ACCS is the steward of the UK’s age estimation standards, and the AVPA is the industry’s global advocacy and support organization.

The roadmap for the project begins with comprehensive research and will proceed to “deliver tangible and immediate benefits” for the age estimation sector.

Prepare now for when quantum computers break biometric encryption: Trust Stamp

Digital identity and trust provider Trust Stamp has released a white paper explaining the threat of quantum computing to biometric systems and making recommendations to minimize the risks.

Quantum computers will open opportunities to solve problems in biometrics, drug synthesis, financial modeling, and weather forecasting, among other areas, according to Trust Stamp. But they will also be able to decrypt most of the encryption systems used to secure the internet and protect data today.

While experts expect quantum computers will not be able to scale to defeat such systems for at least another ten years, the white paper claims, entities should address “harvest now, decrypt later” (HNDL) attacks proactively.

Through an HNDL approach, an attacker could capture encrypted data pending the availability of quantum computing-enabled decryption. It is worth noting that this cyber threat would be heavily resource-intensive to perform. Such an attack would most likely only be feasible by a nation-state and would target information that would remain extremely valuable for decades in the future.

Still, HDNL is an especially concerning threat for biometric PII, due to its relative permanence.

Certain data encryption methods are particularly vulnerable. Asymmetric, or public-key cryptography, uses a public and private key to encrypt and decrypt information. One of the keys can be stored in the public domain, which enables connections between “strangers” to be established quickly.

Because the keys are mathematically related, it is possible to calculate a private key from a public key. While conventional computers are not able to perform these calculations, quantum computers can solve problems such as factoring integers through Shor’s algorithm, rendering all public key cryptography (PKC) systems insecure.

Passkeys, digital signatures, and digital certificates could potentially be decrypted after quantum computing scales, posing a risk to biometric systems that use them for verification.

Symmetric or secret key encryptions and hash functions will generally maintain their security, the white paper says. Symmetric encryptions use one key to encrypt and decrypt information and are often used between two parties with a well-established relationship, such as mobile communications and banking links.

Hash functions produce unique outputs from any given input. Changing the input at all will result in a completely different hash value. Hash functions are also irreversible. Hashes are often used to verify that data has not been altered or to check digital credentials. Wicket‘s biometric ticketing system, for instance, stores and compares hash functions taken from biometrics to authenticate attendees instead of the raw data itself. Other biometrics providers working with hashing include Keyless and ZeroBiometrics.

Specifically, AES symmetric encryption with larger keys and SHA-2 and SHA-3 hash functions with larger hashes will “generally remain secure,” the white paper reads.

Quantum-resistant algorithms will avoid vulnerabilities like using a key size that is too small or an algorithm that can be represented by a finite group.

NIST has been running a competition to evaluate and standardize new quantum-resistant public-key algorithms. Google has also proposed a quantum-resilient algorithm of its own.

The U.S. government has also already taken steps to mitigate HNDL risks. In May 2022, the national government issued a mandate to all federal agencies with sensitive data to deploy symmetric encryption systems to protect quantum vulnerable systems by deploying symmetric encryption systems by the end of 2023.

Trust Stamp suggests that biometrics can be protected from quantum computing decryption by converting biometric templates to a token that can be canceled and updated. Raw biometric features should not be stored.

Smart Engines adds hologram analysis to ID document validation portfolio

Smart Engines has upgraded its AI document analysis to enable the verification of holograms for forged document detection.

Holograms and other optical variable devices change their appearance based on variables like viewing angle or lighting. As such, their genuine presence cannot be confirmed through a single photograph, the company notes in its announcement.

Smart Engines says its software can extract data from ID cards and passports and verify their authenticity in seconds, and that is one of the few offerings on the market that can perform document verification in real-time video streams.

The technology behind the proprietary document analysis method was patented with the USPTO in 2019. It involves creating and comparing histograms of color characteristics. The company’s innovation in document analysis has continued with recent patents for partially restoring obscured or occluded images and faster text recognition.

The system verifies ID documents from all countries participating in the Financial Action Task Force (FATF), according to the announcement, including Switzerland, Australia, Japan, Canada, China, Austria, Belgium, France, UK, Germany, India, Italy, Japan, Netherlands and Saudi Arabia.

Scientists from Smart Engines presented the first public dataset of identity documents with holographic security features at the ICDAR-2023 scientific conference last August.