London-based startup iProov has created technology that allows remote facial verification for everything from logging into an online bank account to crossing a major border. Founded in 2011, the company has already made waves in the global security sector - winning weighty contracts from the likes of the US Department of Homeland Security and major banks such as ING.
“The real heart of face verification is to determine whether the face you see is genuinely present or some sort of physical or digital copy," says founder and CEO of the company, Andrew Bud. "That problem lies at the heart of trust in face-verified identities, and it's a very hard problem.” He claims that that at present, iProov technology employs the only reliable face verification method out there.
In early 2018, the company was the first overseas company to be awarded a contract from the US Department of Homeland Security - no mean feat for a company comprised of just twenty people at the time. The application they developed allows ‘trusted travellers’, such as those registered to the Global Entry programme, to check themselves across land borders without a US Customs and Border Protection (CBP) officer being physically present.
“In the middle of winter, when people come over from Canada to America to do their shopping on snowmobiles, crossing frozen lakes,” says Bud, “if they can check themselves across the US border without a CBP officer having to drive hundreds of miles through the frozen waste to look at their passports, that's a big win.”
But how did a small UK company score such an impressive contract? Bud says it was down to the technology's stellar performance in a series of tests, where iProov didn't allow any spoofs through in 660 attempts.
In late 2018, the company also announced that it was going to partner with the UK Home Office, offering smartphone-based digital identity verification, integrated into an app to support applications for the EU Exit Settlement Scheme.
The company's success is due to iProov’s unique, proprietary software: Flashmark. The only two ways of reliably verifying someone's face without specialist hardware, Bud says, are either with motion - asking a person to move their face - or controlled illumination.
“There are solutions based on motion, but these have two problems," says Bud. "One is that it's been publicly broken since 2016.” By this, Bud is referring to a research paper published by the University of North Carolina in August 2016 titled Virtual You. The research created a synthetic avatar video of people based on pictures publicly available from their Facebook profiles which ‘broke’ every facial verification method that the research group attempted it on.
The second problem with motion enabled facial verification, in Bud’s view, is that it’s becoming increasingly complicated. What began with customers simply being told to blink, now involves asking them to read statements or numbers off a screen. “Our belief is that when you put security measures in place, it's of fundamental importance that they should be super-simple and easy to use, with minimum interaction required.” The beauty of controlled illumination, the method iProov uses, is that it doesn’t require the user to do anything.
iProov’s controlled illumination technique involves shining different coloured light from the smartphone owner’s phone onto their face, with different colours beamed for two and a half seconds each. While this is happening, a live video of the user’s face is streamed back to headquarters, where it's analysed. “The screen illuminates a sequence of colours which is different every single time they authenticate," says Bud. "We're stamping their face with unique cryptographic code.”
This creates a ‘one-time biometric’, that is only valid at the moment it's being streamed. The different sequence of colours used each time means that the same video cannot be played back to fool the verification tech.
“We're able, from the way the light on their face responds to the screen illumination, to tell whether this is a three-dimensional, skin-covered, human face-shaped object. And from the sequence of colours we can tell whether they are genuinely present now, or whether we're looking at some sort of recorded artefact,” explains Bud.
They are the only company in the world currently offering this technology across different platforms, meaning the end user can authenticate on any device (iPhone, Android, PC etc). Apple’s Face ID, for example, employs similar principles, but is strongly tied to only Apple products.
However, Bud is careful to differentiate facial verification (what iProov does) from facial recognition, which is technology that can pick up faces in a crowd for example. “We're doing that one-to-one match at the request of the user, rather than a one-to-many match, at the request of the forces of public order. It's a fundamentally different use and it's actually a fundamentally different technology,” he says.
Beyond verifying that the person is real and present, the second part of the problem is to verify that the person looks like who they are supposed to look like. For this, iProov relies on a second piece of software, called DELFINA.
DELFINA was created following research published by Facebook and Tel Aviv University in 2014, showed how you could use deep convolutional neural networks to achieve face matching in a different way to what had come before. iProov were one of the first companies to translate these findings into a commercial offering. The resulting deep learning DELFINA technology went live in 2016, and has been continually refined. It’s now about 100 times more effective than at launch, says Bud.
DELFINA is very effective at denying spoofs and also boasts a low rate of false rejection. “One of the big problems involved with face matching is not that impersonators get through - it’s that you refuse good people," explains Bud.
Why might someone who is truly who they say they are be rejected? “Some systems can be very upset by differences in the lighting or the pose or what we call the face furniture of a user, compared to how they were when their reference picture was taken,” says Bud. He uses the example of someone authenticating themselves against a passport picture, which may have been taken a long time ago, in different lighting, and at a different angle and distance.
Outside of government security, iProov has also partnered with major Dutch bank ING to implement technology into their mobile banking apps. Among other things, this means a new customer can now open an account within four minutes.
“A crucial part of that is the identity checking and know-your-customer (KYC) features that are so important for modern banks to be able to guarantee to regulators, in order to prevent criminals or terrorists from setting up bank accounts,” says Bud.
And with changes in banking legislation, Bud foresees iProov as having even more widespread application across the industry. “In September of this year, all banks across Europe will have to comply with the strong customer authentication regulations that came in with the latest payment services directive, and this will have to be applied when you do high-risk transactions," he says. This covers use cases such as paying somebody a lot of money, or sending personal details.
iProov has also received interest from wide ranging sectors including the healthcare industry, the access control and the automotive industries. There’s also been interest from enterprise chief information security officers looking to potentially integrate iProov technology into sensitive systems accessed by employees or business partners. Essentially, iProov authentication could be used in place of a PIN or password for any online, remote login.
And the company is not stopping at facial verification, they have patents in many different areas of biometrics and next month will announcing the launch of a new biometric secured by iProov's Flashmark technology.