Biometrics as a Field of Application for AI

Introduction

Biometric procedures represent a promising approach to automatically recognising and authenticating people that is increasingly being used alongside conventional methods such as PINs, passwords, cards and other tokens. The objective of biometric recognition is always to establish the identity of a person (identification) or to confirm or disprove their claimed identity (verification).

Biometric recognition can be carried out using different modalities. These can involve fingerprints or faces, for example. Because they perform so well, AI models are increasingly providing core functions in biometric recognition. Specifically, they are used to compare newly captured biometric data against previously stored reference data. The AI model then decides whether the reference data and the newly captured information belong to the same person. Here, methods such as neural networks based on machine-learning (ML) algorithms are frequently used.

Nevertheless, the use of AI models is associated with a number of risks. In particular, they can be attacked using AI-specific techniques. By the same token, AI processes can also be used for attacks in the context of biometrics – for example, to generate deep fakes. The BSI has described the various relationships between AI and biometrics in the overview article 'The Interplay of AI and Biometrics: Challenges and Opportunities'.

AI in biometrics: Lifecycle

AI in biometrics: diagram of attack possibilities and defence measures in the lifecycle of an AI system in facial biometrics
Source: BSI

The figure shows a condensed version of the lifecycle of a biometric procedure using the example of facial biometrics. Using training data (Fig., left), a development team trains the AI model to assign different images of a given face to the same person and to distinguish between images of faces of different people. The training data comprises facial images that are labelled with the identity of the corresponding person. The quality and quantity of the training data have a significant influence on the subsequent performance of the model. In this context, inclusion of all the facial features anticipated in active operation, especially with regard to age, gender and origin, plays a fundamental role. If the AI model is applied to groups of people who were not sufficiently represented in the training data (bias), it will perform worse – perhaps significantly so – for these groups.

After the training phase, the AI model is put into active use. In active operations, users must first be registered in the system (enrolment) using reference data (Fig., right) before the AI model can be used for biometric recognition of this group. The system compares facial images taken via a sensor against the existing reference data (1:N identification). As output, it produces the identity of the person depicted in the images (Fig., right). Depending on the application purpose, 1:1 verification of a live recording can be carried out with the data of a specific identification document as an alternative to 1:N identification.
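The enrolment, 1:N identification and 1:1 verification steps described above can be sketched as follows. This is an added example, not BSI code: the four-dimensional vectors are constructed stand-ins for the embeddings a trained face model would output, and the function names and the cosine-similarity threshold of 0.9 are assumptions chosen for illustration.

```python
import math

def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def enrol(db, identity, embedding):
    """Enrolment: store the reference embedding for a registered user."""
    db[identity] = list(embedding)

def verify(db, claimed_identity, probe, threshold=0.9):
    """1:1 verification: does the probe match the one claimed reference?"""
    ref = db.get(claimed_identity)
    return ref is not None and cosine(ref, probe) >= threshold

def identify(db, probe, threshold=0.9):
    """1:N identification: best-scoring reference at or above the threshold.

    Returns None when nobody enrolled is similar enough, so an unknown
    person is rejected instead of being mapped to the nearest identity.
    """
    best_id, best_score = None, threshold
    for identity, ref in db.items():
        score = cosine(ref, probe)
        if score >= best_score:
            best_id, best_score = identity, score
    return best_id

def demo_db():
    """Constructed reference data for two enrolled users."""
    db = {}
    enrol(db, "alice", [0.9, 0.1, 0.3, 0.2])
    enrol(db, "bob", [0.1, 0.8, 0.2, 0.5])
    return db

# Constructed probes: a fresh capture of alice and a person who is not enrolled.
PROBE_ALICE = [0.85, 0.15, 0.28, 0.22]
PROBE_UNKNOWN = [0.1, 0.1, 0.9, 0.1]

if __name__ == "__main__":
    db = demo_db()
    print(identify(db, PROBE_ALICE), verify(db, "bob", PROBE_ALICE), identify(db, PROBE_UNKNOWN))
```

The threshold is the security-relevant parameter: lowering it reduces false rejections but makes false matches more likely.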

AI-specific attacks

There are opportunities for AI-specific attacks both in the initial training phase and during operation. Since these attacks are not specific to biometric recognition, they can also affect AI models that are used for other purposes. The BSI has compiled an overview and basic statements on AI-specific attacks and countermeasures in the document 'Sicherer, robuster und nachvollziehbarer Einsatz von KI' [Secure, Robust and Traceable Use of AI].

Poisoning attacks manipulate the data used to train an AI model in order to generate a reaction to (specific) input that was not intended by the model's development team. In the special case of a backdoor attack, the training data is manipulated so that the AI model will produce the output desired by the attacker if the input contains a special pattern (trigger) known only to the attacker (Fig., top left and centre).

In adversarial attacks, attackers induce an AI model to produce output not intended by the developers by manipulating the input data during active operation. In the case of targeted attacks, they explicitly determine a model's output. Untargeted attacks, on the other hand, merely cause unintended output to be produced. Whether it is targeted or not, this attack method does not change the model itself. Even minor changes to the input data can have significant effects. Such changes are difficult to detect and are not immediately recognisable even to humans – or are interpreted as irrelevant. In the context of facial recognition, an adversarial attack could involve wearing glasses with specially printed frames or a special cap patch (Fig., top centre).

A double-edged sword: AI as an attack tool

Morphing attacks are not AI-specific, but increasingly rely on making their own use of AI techniques. In morphing, the attacker manipulates stored reference data by merging the facial images of several people together so that the resulting image contains features of all of them. A biometric procedure will then consider the face of any of these individuals as a match for the reference data falsified by morphing (Fig., right).

Deep fakes: methods for manipulating media identities

Methods for manipulating media identities have existed for many years. However, their quality has improved significantly (especially due to improvements in deep neural networks) and there has been a noticeable decrease in the manual effort required for this type of falsification. Due to their use of deep neural networks, such techniques are conventionally referred to as deep fakes (see also Fig. on adversarial attacks).

Through face swapping, for example, it is possible to replace the face of a person in a video with the face of another person while retaining the expressions of the original face (Fig. face swapping process). The conversion is even possible in real time under certain conditions.

As an example of audio manipulation, text-to-speech processes make it possible to generate audio data with the voice of a target person based on an arbitrary text (Fig. text-to-speech process).

With the help of this procedure, even a non-expert with moderate technical skills can manipulate media identities for the purposes of bypassing remote identification systems, perpetrating defamation or fraud (especially CEO fraud) or simply creating ‘fake news’.

At present, these methods still produce clear artefacts that can be perceived as unnatural by humans. In the context of face swapping, for example, strong head movements often indicate that a recording is not original, or a monotone voice on the audio channel indicates that it does not belong to a real person. Furthermore, work is continuing on procedures that automatically detect such fakes.

In this example video both face swapping and text-to-speech are used to replace the face and voice of a person with those of BSI President Arne Schönbohm (external link: Deep Fake of BSI President Arne Schönbohm). It also demonstrates the possibility of using the face swapping procedure in real time.

Methods for manipulating media identities.
Source: brgfx / Freepik; compilation: BSI
Diagram of the text-to-speech process
Source: brgfx / Macrovector / Freepik; compilation: BSI

Countermeasures

As things currently stand, no effective defence is available against attackers who adapt their methods to countermeasures. Countermeasures can, however, increase the effort required for successful attacks.

Methods for detecting manipulations of training data can defend against poisoning attacks. Some use cryptographic procedures to ensure the integrity of the training data used throughout the supply chain. There are also procedures that leverage forensic analysis or interpretation to specifically detect manipulated data (Fig. Lifecycle of an AI system in facial biometrics, bottom left). Another complementary approach involves using self-generated synthetic face data, which reduces the dependence on external, potentially corrupted data sources. This method can also be useful because the use of external biometric data is, according to the GDPR, associated with obstacles due to the particular sensitivity of such information.
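One way to apply a cryptographic integrity check to labelled training data, as an added example that is not BSI code: each sample's digest binds the image bytes to its identity label, and the manifest of digests is authenticated with a key held by the data curator. The file names, byte strings and key are constructed placeholders, and HMAC stands in here for the digital signature a real supply chain would more likely use.

```python
import hashlib
import hmac
import json

# Constructed samples: file name -> (image bytes, identity label).
CONSTRUCTED_SAMPLES = {
    "img_001.png": (b"constructed-image-bytes-1", "person_A"),
    "img_002.png": (b"constructed-image-bytes-2", "person_A"),
    "img_003.png": (b"constructed-image-bytes-3", "person_B"),
}
DEMO_KEY = b"constructed-demo-key-not-for-production"

def sample_digest(image_bytes, identity_label):
    """SHA-256 over length-prefixed label plus image, so a label flip is detected."""
    label = identity_label.encode()
    h = hashlib.sha256()
    h.update(len(label).to_bytes(4, "big"))
    h.update(label)
    h.update(image_bytes)
    return h.hexdigest()

def build_manifest(samples, key):
    """Create the authenticated manifest when the dataset is curated."""
    entries = {name: sample_digest(img, label) for name, (img, label) in samples.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_dataset(samples, manifest, key):
    """Run before training; returns a list of (name, problem) findings."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        raise ValueError("manifest authentication failed")
    problems = []
    for name in sorted(set(samples) | set(manifest["entries"])):
        if name not in manifest["entries"]:
            problems.append((name, "unexpected sample"))
        elif name not in samples:
            problems.append((name, "missing sample"))
        elif sample_digest(*samples[name]) != manifest["entries"][name]:
            problems.append((name, "image or label modified"))
    return problems
```

A check like this only shows that the data is unchanged since the manifest was created; it says nothing about whether the data was clean at that point.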

In order to prevent adversarial attacks, procedures can be used to detect manipulations of input data (Fig. Lifecycle of an AI system in facial biometrics, right). Training data can also be enriched in the context of adversarial training in order to make an AI model more robust (Fig. Lifecycle of an AI system in facial biometrics, below).

In addition, manipulation detection methods can be used in the context of preventing morphing attacks (Fig. Lifecycle of an AI system in facial biometrics, right).

As AI-specific attacks and countermeasures are the subject of current research, relevant standards, norms or technical guidelines with measures that can guarantee a concrete level of security are not yet available or are still being drawn up. The BSI is actively involved in this process.

BIOLAB project:

Advancing digitalisation in sovereign and commercial applications makes the authentication of users increasingly important. Biometrics is a user-friendly technology that is gaining more and more popularity in this regard.

The increasing use of biometric authentication methods means the requirements being placed on biometric systems in terms of their performance, security and manageability are also growing. This is true of both sovereign applications such as border control and more and more areas of business and society, such as online banking and e-government applications. The BSI faces a particular challenge in evaluating biometric systems appropriately and designing new developments to improve security and reliability.

To this end, the BSI has initiated the BIOLAB project as a framework for enabling not only the evaluation of sovereign and commercial biometric systems, but also applied research and development at the newly built Biometrics Evaluation Centre (BEZ) on the campus of the Bonn-Rhein-Sieg University of Applied Sciences (H-BRS) in St. Augustin.

Further information on the BEZ and the BIOLAB project's current activities is available on these project pages:

BEZ overview

Aims and activities of the BIOLAB project at the BEZ