Passive Authentication With Liveness Detection: What Is It & How Does It Work?

Passive authentication involves verifying a characteristic of a person or thing—an authentication factor—without any explicit activities from the user’s side. Depending on the case, the authentication factor may be a user’s face, iris, voice, etc. In this article, we will focus on the process involving a selfie.  

When it comes to verifying individuals online, it's crucial to confirm that the person on the other end is real. In an authentication flow based on facial recognition, liveness checks are employed to perform this task. The way these checks are done determines whether it’s a passive or active flow. It’s also worth noting the difference between “passive liveness” and “active liveness” checks.

Say a customer wants to sign in to a mobile banking app secured with either active or passive liveness detection technology. 

During active authentication, the user is asked to perform some actions which are generated randomly for the session. They must turn their head right and left, and then adjust their face into the highlighted area on the screen. After a while, the user is verified.

During passive authentication, the user is simply asked to take a selfie. No explicit actions on their part are required. The system delivers the verification result in seconds.

Historically, active authentication technology for liveness detection came first. As the example above shows, active authentication prompts users to perform a series of random actions. Users typically dislike when you make them jump through hoops, but companies had a legitimate reason to incorporate this procedure. At that time, it was challenging for most users to shoot a high-quality selfie that would work for a credible liveness check. 

As mobile cameras have become better, passive authentication for liveness checks has gained wider adoption. Snapping a photo is much faster than repeating randomly generated actions. Being more hassle-free and convenient for users, this identity verification method is also secure and reliable.

It seems counterintuitive that just one shot can be as secure as a whole sequence of actions. However, the computer vision technologies under the hood of passive authentication solutions perform quite well. 

In passive authentication with liveness detection, neural networks are used to check for a user's liveness. To excel in this task, they are trained on a large dataset, including thousands of photo samples depicting people of multiple ages, genders, and nationalities. These samples also have various backgrounds—a plain white wall, a spring landscape, office furniture, etc. 

Each neural network type is aimed at performing a specific task: data detection, classification, segmentation, etc. As a result, after "graduating," the trained neural networks have gained some specialization. 

A variety of neural networks are used in conjunction to perform a liveness check. That means each gets its own particular job done: while one detects whether a male or a female is in a selfie, another estimates the person's age. Therefore, the final verification result is the sum of many checks independently provided by many neural networks.

Detection of fakes and fraudulent tricks in the photo follows the same principle. If the algorithm recognizes electronic device features—frames, glares, moiré noise, or reflections, the system alerts that the selfie is being presented on a screen. Printed photos and deepfakes are detected by the presence of unnatural skin texture. 

However, you need a high-quality user selfie to make all this magic work. Blurry photos hide many essential facial features, such as chin shape. For this reason, the identity verification solution you use to authenticate customers this way must perform image quality assessment. Having an advanced image capture module that determines glares, shadows, head position, and face size, and picks the best available picture, is also helpful. It keeps the selfie retake rate at a minimum.

Improved user experience. Passive authentication is frictionless compared to scenarios where active user participation is required. What’s more, some clients, especially senior customers, may face difficulties with the active flow. Therefore, you may improve customer satisfaction by implementing this technology.

Increased conversion rates. Passive authentication streamlines the verification process, making it more seamless and less intrusive for users. It leads to higher conversion rates during customer onboarding, and further activities in the online service. For instance, users don't have to repeatedly enter their credentials since their selfie is enough to verify a transaction. This can speed up the checkout process and reduce cart abandonment rates in e-commerce.

Accessibility compliance. Passive authentication is also a great way to go when there are seniors and individuals with different kinds of disabilities among your customers. According to the W3C Web Accessibility Initiative (WAI) guidelines, one way to make authentication more accessible is by using facial recognition through a user’s mobile device instead of requiring a login and password. Typically, this means a user can simply glance at their front camera to authenticate themselves.

A facial recognition component is broadly used by different industries, including Banking, Aviation, and Telecoms. 

Passive authentication with liveness detection can be the key technology behind this process. Let’s see which use cases it applies to most:

Passive authentication employing facial recognition can be a part of a smooth onboarding process involving uploading identity documents. For instance, car-sharing services typically include submitting a driver’s selfie as an additional step in their verification flow. 

Identity verification solutions like Regula Document Reader SDK paired with Regula Face SDK then conduct an express check to match the selfie and the photo in the driver’s license and validate the new user. Additionally, a passive liveness detection test is conducted to ensure that both the ID and the selfie are authentic, not spoofed.

Passive authentication is at the core of many employee attendance applications. Typically, they capture user location along with their selfie and current time for foolproof verification of work-from-home staff, part-time helpers, drivers, etc. 

Passive authentication can also be part of an on-site attendance control system. The mechanism is used in attendance kiosks at manufacturing and logistics companies, hospitals, schools, security organizations, and construction sites.

Passive authentication may be helpful in age-verification scenarios when you need to ensure that your age-restricted goods and services aren’t available to minors. This requirement applies to a broad pool of online businesses, including gambling websites, purpose-specific cosmetics merchants, and fireworks shops. 

Many e-commerce websites use the easiest age verification method: tick boxes to ask purchasers to confirm they are over the minimum age. However, regulators consider this among the checks that are unlikely to satisfy customer due diligence. 

Age verification software implemented into the purchase flow seems a more reasonable precaution. Here is where passive authentication comes into play, as it allows for verifying both user age and identity.  

Facial recognition-based authentication has become increasingly prevalent for performing various online tasks. What’s more, the technology has a high adoption rate among customers. The number of global users who utilize a facial recognition module will continue increasing in the following years—from 671 million in 2020 to 1.4 billion by 2025. 

Passive authentication is an excellent choice for a sign-in process that doesn't require users to input passwords or answer security questions. This method can be combined with a single sign-on verification system, allowing your employees or customers to utilize the same form of identification to access all of your company's applications and services.

Introducing IDV automation in your business provides a more frictionless user experience. In addition, it contributes to your system protection by adding more security layers.

Passive biometric authentication may be a part of a multi-factor authentication system (MFA) combined with one-time passwords, SMS codes, and even other biometrics like fingerprints. Since more than one factor is included in this flow, all technologies complement each other, canceling out their limitations when used separately.

When deciding on the type of authentication to add to your verification flow, you should also take into consideration the balance between UX and security. While active authentication seems to be more secure, a passive liveness check is always a more frictionless and convenient option for customers. Specifically, the dilemma is between higher conversions vs. higher security.  

As an experienced developer of identity verification solutions, Regula can offer you well-balanced authentication scenarios that take into account both business and security risks. 

Regula Face SDK helps prevent biometric fraud by detecting different presentation attacks, such as the use of electronic devices, printed photos, or realistic masks instead of a real person. Additionally, the solution delivers an easy way to verify users. 

See the product in action or book a call to talk business.