Webinar | Countering Identity Spoofing: Problem of False Acceptance Rate and False Rejection Rate

Main highlights of the Webinar by KYC AML Guide

On 18th December 2023, a highly informative Webinar was conducted by KYC AML Guide that answered many of the questions related to the said issue.

The webinar answers the main question of how to balance the FAR and FRR for the system’s effectiveness and security while emphasizing the issue of the complexity of biometrics that is influenced by user traits, external factors, and biometric reader sensitivity.

Two industrial experts, Jay Meier, Vice President of Facetec Inc., and Paul Grassi, Principal Product Manager of Amazon who also served as a Senior Advisor at NIST and is the Co-Chair at FIDO Alliance contributed their valuable insights. Both of them shared their experience-based knowledge which is an eye-opener in countering Identity Spoofing.
Also read: Guarding Against Identity Spoofing: Strategies and Solutions

Overview of Identity Spoofing, FAR and FRR

As explained in our previous publications, Identity Spoofing is an illicit practice of imitating the identity of a real person and trying to access different services and benefits allocated to that specific identity. It involves different illegal techniques like using AI Deep Fakes, Identity Documents Forgery, etc.

False Acceptance Rate (FAR) and False Rejection Rate (FRR) are the two metrics that measure the accuracy of a KYC Identity Verification Solution.

Paul referred to the FAR and FRR as:

A good actor and bad actor, and that false acceptance is letting the bad actor in when the system shouldn’t, and false rejection is keeping the good actor out when the system shouldn’t.

The Ideal Threshold of FAR and FRR for a KYC Solution

At the beginning of the webinar, the host asked Paul a very important question about the ideal threshold of FAR and FRR that KYC Solutions needs to have. Answering the question, Paul said:

1 out of 10000 False Accepts is the allowance rate to a given system to meet the security requirements. He thinks that NIST is increasing the current threshold to 1 out of 100000 FAR. He added that there is a need to set different thresholds industry-wise for FAR and FRR considering the use case in the industry. But it’s difficult to reach the ground reality in this regard.

How Liveness and Biometric Matching Accuracy are Different?

Answering the question that does such a benchmark for FAR and FRR exists considering liveness, Jay said:

There is an important difference between Liveness and Biometric Matching Accuracy where the current threshold of 1/10000 FAR should be related to FRR where there should be a standard benchmark for Biometric Matching that is 1% false rejects.

Key Takeaways of the Webinar

• Reaching a perfect balance between FAR and FRR is difficult. Liveness Detection is much more sensitive to False Accepts in terms of Active Liveness and Passive Liveness.
• AI (Artificial Intelligence), Deepfake Attacks, and Spoof Attacks have made it difficult to detect Liveness in real-time. With rapidly evolving cyber-criminal attacks, it is difficult to reach the ideal of 0 False Accepts.
• What KYC Solutions can do is to achieve Zero False Accepts for known Spoof Attacks.
• Identity Verification, as outlined by experts, hinges on two critical steps. Firstly, the system must adeptly ascertain the presence of a genuine, living individual before proceeding. If this initial check fails, further verification becomes unnecessary. Once the system establishes the user’s liveness, the subsequent step involves confirming that the person is indeed who they claims to be.
• The responsibility of the Biometric Data breach falls on the shoulders of Identity Solution Providers and the Firms that use these solutions to collect the customer’s data. This is because regulatory laws have started recognizing the importance of protecting the Identities of customers. Huge fines are being imposed and plaintiffs are being compensated now for any kind of identity theft.
• As per the fairness rule, Organizations like banks, FIs, etc should also feel pain and bear some liability rather than just the customers whose identities have been stolen and misused for crimes.
• Identity Verification vendors need improvements in terms of industry standards as current standards do not suffice for the mitigation of spoof attacks or deepfake attacks. Also, these standards should be simplified enough so that they become applicable and easily implemented as currently they are too complicated.
• The technical aspects of Liveness Detection in a KYC IDV Solution are to be considered by the KYC Vendors where measuring Passive Liveness has been observed as far superior to Active Liveness which as Jay quotes is easy to spoof. Passiveness depends on involuntary human cues that are difficult to imitate where as Activeness includes preset instructions given to a human to prove the liveness.
• The main problem with most of the KYC Facial Biometric Solutions is that they rely on 2 dimensionality whereas most devices like smartphones have 2-dimensional cameras. In 3D facial recognition, the interpretation of different angles and movements is much complex and systems are not good enough yet to determine the depth of a 3D image which requires highly effective and quick calculation of distance between a human face and the camera in variable environments.
• Perspective distortions are a major area where most of the KYC Solutions lack in reaching a high level of accuracy. 2-dimensional facial recognition relies on unreliable information and datasets that shouldn’t be used for advanced facial biometrics anymore.
• Another major problem is the existence of Fake Identities where people actually forge identity documents and use them for KYC and then commit financial crimes. The IDV systems still face limitations for example if a person has a stolen driver’s license and uses it alongside his face for face matching in front of a KYC system, but since the data was hacked and used (which is already in the system), there are high chances that this fake ID will be allowed as KYC solutions are not good enough to identify fake identities as of yet.
• Biometrics are no more a secret and everyone should stop treating it like a secret. It is a valid identity metric that should be used wisely, accurately, and safely. Moreover, KYC IDV Solutions should be capable of carrying out liveness and face matching at the same time but they should also consider not retaining the liveness data for security reasons. Hackers can use this liveness data to spoof it and again penetrate the system with much more advanced attacks. So, it is important to develop and implement a stringent data retention policy for biometric data. One way to protect this data is encryption.
• People have the right to know where and why their biometrics are being used by the companies and if it is stored, all this shouldn’t be done without the customer’s consent at all. Survellience is however a different subject where law enforcement requires involuntary biometric data captured through CCTV cameras. But our subject of study is different than that. It is upholding data privacy and security in Identity Verification systems.

Recommendations to KYC Vendors

Most importantly, KYC Solution Providers need to consider Solution Testing as the experts also rightly pointed out the need for independent testing that is not biased can provide clear insights, and has industry-level testing metrics. They can assess the effectiveness of their KYC Solution through our Vendor Analysis, receiving a comprehensive comparison and analytical report to strategically align their goals for scalable success.

Final Outcome

The Webinar concluded on the point that people need to be aware of how their biometric data is being used and they should have a right to refuse to use the biometrics if they want to. Alternatively, KYC Solutions should possess a second authentication mechanism that doesn’t use biometric authentication to still allow them to use the service. Most people still restrain themselves from using biometrics due to many reasons and KYC Solutions must be able to adapt to their specific preferences in customer onboarding. Today, even after biometrics being one of the best ways of identification, the Best practice for KYC Vendors is to provide them with a unique password or a code for authenticating their own identity and it is difficult to fake it. There is a gap between the standards and the current performance of KYC Vendors where it is hard to implement these standards. Risk Tolerance is important in KYC Identity verification where Vendors need to have independent testing and yes now, we have started to see the fog being cleared out and grey areas being covered.