Yoti MyFace liveness white paper
Learn how Yoti’s liveness solution can help you defeat spoof attacks Liveness is an essential part of any verification or authentication process. It gives you reassurance that you are dealing with a real human. Read our latest white paper on liveness to learn how Yoti’s MyFace liveness solution can help defeat presentation attacks including: Paper image Mask Screen image Video imagery Deep fake video Injection attacks Bot attacks Key takeaways from the report Yoti’s MyFace solution is NIST Level 2 approved with 100% attack detection. Why liveness is important for verification and authentication. The difference between active and passive liveness. Age, gender and skin tone bias minimised. Download the liveness white paper (March 2023)
Yoti MyFace liveness white paper
MyFace has been awarded iBeta NIST Level 2 with 100% attack detection rate Yoti’s passive liveness technology can be used to strengthen age checks, prevent account takeover and protect against identity fraud MyFace white paper outlines performance and bias 2nd March 2023, London, UK – Digital identity company Yoti has announced its proprietary passive liveness technology, MyFace, is now compliant with iBeta ISO PAD Level 2. The technology achieved a 100% attack detection rate. MyFace verifies that a user is a real person, and not a presentation attack such as a printed or digital photo, video or mask – all from a single image. MyFace can strengthen age and identity checks, prevent account takeovers and protect individuals and businesses against the growing risks of identity fraud. Since achieving iBeta Level 1 in February 2022, Yoti has continued to develop its liveness technology. Level 2 involves training and testing against more expensive, specialist attacks such as 3D printers, resin and latex face masks. To achieve Level 2, the liveness technology must detect 99% of attacks. Yoti achieved a 100% detection rate. Level 2 is the maximum level that iBeta and other NIST-accredited labs currently certify against. MyFace is a passive solution and only requires a selfie image to complete the liveness check, creating a smooth, inclusive and accessible user experience. The technology does not recognise any faces and does not save any images. It simply checks that the face in the image belongs to a real, live person. Paco Garcia, CTO at Yoti said, “We’re very proud that our proprietary liveness technology MyFace has achieved iBeta ISO PAD Level 2. It’s a huge achievement for the team and this milestone demonstrates our commitment to delivering very high standards of security solutions.” Robin Tombs, CEO at Yoti said, “It’s hugely exciting that Yoti’s MyFace passive liveness is now compliant with iBeta ISO PAD Level 2. Businesses around the world can use our passive liveness and world leading facial age estimation to keep their customers safe online. Naturally being Yoti, we have tested MyFace™ for bias and the model displays very low bias across age, gender and skin tone. To boost transparency and trust in this technology, we have also released a new liveness white paper.” MyFace works alongside Yoti’s existing suite of identity solutions: Strengthen age checks: Yoti’s facial age estimation technology checks the age of a user, and at the same time, MyFace verifies it is a real, live person. This is all completed from a single selfie, creating one seamless experience. The combination of these technologies could be used to create age-appropriate experiences online, protect children from accessing explicit content, and be used in a retail setting for the sale of age-restricted goods. Prevent account takeovers: MyFace can prevent account takeovers and ensure only genuine customers are accessing their accounts or updating important information, such as their bank details. Protect against identity fraud: MyFace can be used as part of an identity verification process to give a high confidence level that the person completing the check is real. Bot detection: MyFace can prevent bots from gaining access to information, or detect deepfake faces creating fake accounts. MyFace white paper is available here. Notes to editors iBeta Headquartered in Denver, Colorado, iBeta has been providing critical software testing services for the world’s most trusted brands since 1999. Our full range of on-demand QA software testing services encompasses many different software testing types including functionality testing, mobile testing, website testing, acceptance testing, accessibility testing, and overall quality assurance. NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST certification means the product in question meets defined standards. The difference between passive and active liveness: Active liveness requires the user to take a video of themselves performing certain actions, for example, moving toward and away from the camera, or repeating random words. This then uses AI and / or manual review to complete the check. Passive liveness can be achieved from a single selfie. Passive liveness reduces friction for users and at the same time providing as good as or even better security guarantees, thereby reducing drop off and speeding up the journey of verifying genuine users. About Yoti Yoti is a digital identity technology company that makes it safer for people to prove who they are, verifying identities and trusted credentials online and in-person. They now provide verification solutions across the globe, spanning identity verification, age verification, document eSigning, access management, and authentication and leading facial age estimation. Over 13 million people have downloaded the free Yoti Digital ID app across the world. It is available in English, Spanish, French, German, Portuguese and Polish. Yoti is certified to ISO/IEC 27001:2013 for ID Verification Services, ISAE 3000 (SOC 2) Type 2 certified for its technical and organisational security processes. For more information, please visit www.yoti.com
How Yoti can help combat injection attacks
As use of online verification grows, there inevitably follows increasing temptation for bad actors to develop ways to exploit the process. As a provider of verification services we must show businesses, regulators and governments that we have robust anti-spoofing technology, checks and processes. An emerging but rapidly growing threat for verification services are injection attacks. What are injection attacks? Injection attacks are a form of attack on remote verification services. Direct attacks are the most common attempt to spoof systems. Examples of direct attacks are: Paper image 2D and 3D masks Screen image Video imagery Direct attacks are an attempt to spoof a verification system that a person is real, older, or someone else altogether. Our facematch and liveness technologies use layers of anti-spoofing to determine that the person is real (not a picture or mask, for example) and that they are who they say they are. An injection attack is an indirect attack and attempts to bypass liveness detection. It involves injecting an image or video designed to pass authentication, rather than the one captured on the live camera. It is a rapidly emerging threat to digital verification services. Using free software and some limited technical ability, a bad actor is able to overwrite the image or video of the camera with pre-prepared images. How can Yoti help prevent injection attacks? We have developed a patent-pending solution that makes injection attacks considerably more difficult for imposters. It is a new way of adding security at the point an image is being taken for a liveness or facematch check. There are two parts to this. As well as obfuscating the code, Yoti adds a cryptographic signature key. As such, a potential hacker needs to both reverse engineer the obfuscation and infer or guess the cryptographic signature key. Yoti frequently changes the obfuscation and the signature key. This means that if the hacker were to reverse engineer the obfuscated code, by the time they have done so, the signature key will have changed, and vice-versa. There remain ways to spoof this (not that we’d say how) but it significantly adds to the effort, time, skill and cost of spoofing verification checks, moving bad actors on to less secure opportunities. If you’d like to learn more about our NIST approved liveness products, please do get in touch.
NIST Certification explained
Many companies in the identity space talk of NIST certification. What does this mean for you as a user of identity services and what does it mean for your customers? Who is NIST? NIST is the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. NIST’s remit is to create and certify measures, standards and technology to enhance trade and productivity. Formed in 1901, their remit is to provide standards and certification for business. At first this included clocks and thermometers, all kinds of ‘weights and measures’. But over time the agency has grown to include tech, such as election technology and, of interest to us, cybersecurity. What is NIST compliance? Broadly, NIST certification means the product in question meets defined standards. Liveness is an anti-spoofing process that checks to ensure we are dealing with a real person. Not someone who is, for example, wearing a mask or using a photo or image of someone else. We use it across our suite of solutions including identity verification, digital ID and age verification. What does NIST certified liveness mean? NIST provides a framework for testing performance levels of liveness. NIST Level 1 involves testing using things that could be found in a normal home or office. Materials used for testing should not cost more than $30. Masks are excluded. To pass NIST Level 1, you must detect every attack and limit false negatives to less than 15%. NIST Level 2. Involves testing against more specialist attacks, such as latex facemasks or 3D printers. Materials used for testing should not cost more than $300.To pass NIST Level 2, the you must detect 99% of attacks and limit false negatives to less than 15%. Once a liveness service has passed testing, they will be issued with a Presentation Attack Detection (PAD) Confirmation letter that provides results and methodology used and what product was tested. To learn more about our liveness products, please do get in touch.