FaceTec Glossary of Terms:
We’ve assembled a comprehensive list of terms that are important for FaceTec, general biometric technology, presentation attack detection testing, and privacy regulations.
[For FaceTec Developer Terms, click here]
100% Software Solution – FaceTec doesn’t need special purpose hardware that most devices don’t require. FaceTec only requires a camera and a supported OS/Browser to run on 10 billion+ smart devices and PCs & laptops with webcams.
3D Depth Detection – FaceTec measures the perspective distortion of the “unZoOmed” and “ZoOmed” video frames during authentication to ensure the User’s face is verified as three-dimensional.
3D FaceMap – The encrypted file that contains relevant biometric data from the User’s authentication session. Each 3D FaceMap contains an entire FaceTec 3D Face Authentication Session’s data. But even if the file were somehow decrypted, it cannot be used to spoof FaceTec. The average size of a FaceTec 3D FaceMap is about 300 KB.
Audit Trail Images – 2D mugshot-style images from the Liveness Check session are provided to the developer for security, auditing, fraud investigation, and transaction validation. Developer Info
Authentication – Concurrent Liveness Detection and 3D Face Matching of the User to their previously collected 3D FaceMap is usually a password replacement for logging into a website, or for step-up during high-risk transactions.
Browser SDK – A lightweight device SDK (~3MB) which uses Web Assembly (WASM) and runs in web browsers to provide a convenient and consistent User experience. Initial liveness checks are performed by this SDK and a 3D FaceMap is created, encrypted, and sent to the server for the remainder of the Liveness Checks and the Face Verification.
Configuration Options – FaceTec’s SDKs can be configured for Authentication for password replacement (Face Matching + Liveness Check), or Liveness Verification-only for onboarding/KYC. Either of these configuration options can be provided via FaceTec’s Testing API or with a Customer Managed Server SDK.
Continuous Learning – FaceTec’s ongoing biometric data collection process that adds more face data to the 3D FaceMap from variations in angle, lighting, facial hair, makeup, glasses, etc., with each successful session, enhancing usability over time.
Cross-Device – FaceTec enables Users to access their account from any supported device without requiring them to re-enroll every time they get a new device, or want to access their account from a different device.
Cross-Platform – FaceTec supports cross-platform authentication, meaning you can enroll on any supported device and then authenticate later on any other supported device. Images captured from smart devices/webcams are converted to encrypted 3D FaceMaps and stored on the server to facilitate the cross-platform functionality.
Depth Detection – The process by which a visual biometric system identifies whether what is evaluating has physical depth, or three-dimensionality, to ensure what it sees in not an Artifact, or 2D representation, of a real person.
Device SDKs – Integrated into smart device apps, these SDKs provide a convenient and consistent native User experience in Android and IOS, and do not require SWIFT. Initial Liveness Checks are performed by this SDK, whereby a 3D FaceMap is created, encrypted, and sent to the server for the remainder of the Liveness Checks and Face Verification.
Enrollment – The first time a User interacts with FaceTec they must add their face data to the system. The enrollment process performs a Liveness Check and captures the biometric data that becomes the foundation for the User’s 3D FaceMap.
Fiat / Legal Identity – Latin for “let it be done”, is an official decree or edict that in Identity refers to government issued identification: the legal name and ID for a person.
Intellectual Property – FaceTec has been awarded numerous US and international patents on the 3D FaceScan/Map Creation process, with over a dozen more patents pending.
Liveness Check – The User’s face is analyzed by FaceTec’s AI, and if the images do not contain a live human the session is rejected as a spoof.
Liveness Detection – 3D Depth Detection and Face Matching do not prove liveness. For example, masks and dolls are 3D but are not alive. FaceTec also utilizes sophisticated proprietary algorithms to detect concurrent human traits such as skin texture, reflections in the eyes, eye focus, pupil dilation, and many more.
Logo & Version – During the session, there is a small, consistent watermark and version number located in the bottom of the oval of the device interface. FaceTec’s algorithms are trained to detect this watermark and it aides in detecting spoof attacks. It creates trust and ensures a consistent User experience on all devices for all customers.
Matching – The 3D FaceMap of the User captured during Authentication is compared to the enrolled FaceMap for that User’s account.
Perspective Distortion (Fish-Eye Effect) – During the ZoOm motion, the camera’s relationship to the User changes and perspective distortion will be observed if the face is 3D. 3D faces bend and warp predictably and FaceTec can determine if the User’s face is changing as expected. Conversely, no significant perspective distortion occurs when the camera is moved closer to 2D objects like photos or videos.
Praetorian Black & White-Box Penetration Testing – The FaceTec code base withstood many weeks of Black/White-Box Penetration hacking. At the conclusion of the test, independent testing organization, Praetorian, assessed that the overall security of FaceTec met industry best practices in accordance with ASVS Level 1.
Server SDK – The FaceTec Server SDK, which is installed on a server within the customer’s environment, performs Liveness Checks and Face Verification/Matching functions, as well as generates Usage Log Files. It is a required component of the FaceTec platform unless you are using the FaceTec Managed REST API.
Session – A User-initiated interaction in which face images are presented to the device’s camera. For each completed session, a 3D FaceMap contains all the data necessary to confirm 3D Depth, detect liveness, and perform Face Verification/Matching.
TrueLiveness® – FaceTec’s registered trademark used to describe its liveness and depth detection capabilities.
Usage Logs – FaceTec usage logs do not contain personally identifiable information (PII), but contain the following information: machine ID, timestamps, signature, type of FaceMap, transaction type, FaceTec Server version, and session result – i.e., success, fail, or error type. Logs allow FaceTec to ensure that the performance and usability are ideal for end Users, enable monitoring for increases in presentation attack, and assist in accounting.
Verification – After a successful 3D Liveness Check, matching the User to either a government issued identity document (driver license, passport, etc.) or directly to the 2D photos stored in a government ID database. See Fiat/Legal Identity Verification.
www.Liveness.com – Wiki-style site covering history, 3rd-party tests, spoof bounties, Vendors & Methods. Learn which Liveness AI Biometrics are the highest-rated and the most secure.
ZoOm® – A directive that tells Users to “move closer” to the camera.
Biometrics Industry & Testing Terms:
1:1 Matching – Comparing the biometric data from a subject User to the biometric data stored for the expected User. If the biometric data does not match above the chosen FAR level, the result is a failed match.
1:N Search – Comparing the biometric data from one user to the biometric data from all the other enrolled users. Face matches of users with multiple accounts are displayed. This can also be used to flag users attempting to open multiple accounts. FaceTec’s 3D Matching accuracy makes the AI exceptionally good at 1:N Search.
Artifact (Artefact) – Inanimate, non-human objects that attempt to reproduce human biometric traits.
Authentication – Concurrent Liveness Detection and 3D Face Matching of the User to their previously collected 3D FaceMap. Usually a password replacement for logging into a website or for step-up during high-risk transactions.
Bad Actor – A criminal with intentions to commit fraud.
Biometric – The measurement and comparison of data representing the unique physical traits of an individual for the purposes of identifying that individual based on those unique traits.
Centralized Biometric – Biometric data collected on any supported device, encrypted, and sent to a server for enrollment and later authentication for that device or any other supported device. When the User’s original biometric data is stored on a secure 3rd-party server, that data can continue to be used as the source of trust and their identity can be established and verified at any time. Any supported device can be used to collect and send biometric data to the server for comparison, enabling Users to access their accounts from all of their own devices, as well as new devices, etc., just like with passwords. Liveness Detection is the most critical component of a centralized biometric system, and because robust Liveness did not exist before FaceTec, centralized biometrics are only beginning to be widely deployed.
Certification – The testing of a system to verify its ability to meet or exceed a specified performance standard. Testing organizations Like iBeta and NIST can issue certifications.
Complicit User Fraud – When a User pretended to have fraud perpetrated against them, but had been involved in a scheme to defraud by stealing an asset owned or managed by an institution and tried to get it replaced.
Cooperative User – When a testing organization uses the 30107-3 ISO standard, the Users who test the authenticator must provide any and all biometric data that the testers request. This is to prevent Complicit User Fraud and Phishing.
Credential Sharing – When two or more individuals share their credentials secret and can access each others’ accounts. This can be done to subvert licensing fees or to trick an employer into paying for time not worked (a.k.a., “buddy punching”).
Decentralized Biometric – When biometric data is captured and stored on a single device and the data never leaves the device. Fingerprint readers in smartphones and Apple’s Face ID are examples of decentralized biometrics. They only unlock one specific device, require re-enrollment for any new device, and, as a result, do not prove the identity of the User. Decentralized biometric systems can be defeated easily if a Bad Actor knows the unlock PIN number on the phone, and can overwrite the User’s biometric data.
End User – An individual human who is using an application.
Enrollment – When biometric data is collected for the first time, encrypted, and sent to the server. Note: Liveness must be verified and a 1:N check should be performed against all the other enrollments to check for duplicates.
Expected User –The originally enrolled, legitimate User.
Face Authentication – Authentication has three parts: Liveness Detection, 3D Depth Detection, and identity verification. All must be done concurrently on the same face frames.
Face Matching – Newly captured images/biometric data of a person are compared to the enrolled (previously saved) biometric data of the Expected User determining if they are the same.
Face Recognition – Images/biometric data of a person are compared against a large list of known individuals to determine if they are the same person.
Face Verification – Matching the biometric data of the Subject User to the biometric data of the Expected User.
FAR (False Acceptance Rate) – The probability that the system will accept an imposter’s biometric data as the correct, Expected User’s data and incorrectly provide access to the imposter.
FIDO – Stands for Fast IDentity Online: A standards organization that provides guidance to organization that choose to use Decentralized Biometric Systems (https://fidoalliance.org/).
FRR (False Rejection Rate) – Related to FNMR (False Non-Match Rate), and FMR (False Match Rate), the probability that a system will reject the correct User when that User’s biometric data is presented to the sensor. This metric is used to measure sensitivity. If the FRR is high, Users will get frustrated with the system because they are prevented from accessing their own accounts.
iBeta – A NIST-certified testing lab in Denver Colorado. Third-party testing from a sanctioned body has been considered a baseline for biometric performance testing. Because of the inherently complex process of becoming a accredited lab, and the increasingly fast pace of increases in sophistication and speed in cybercrime, labs have not been able to keep pace with the rigors of real-world biometric security, compromising testing consistency and results.
Imposter – A living person with traits so similar to a Subject User that an identity verification system determines the biometric data is acquired from the Imposter is from the legitimate, Expected User.
ISO 30107-3 – The International Organization for Standardization’s testing guidance for evaluation of Anti-Spoofing technology (www.iso.org/standard/67381.html).
Liveness Detection – The ability for biometric systems to determine if the data it has collected was from a live human or an inanimate or non-living object, like an Artifact in a Spoof attempt.
NIST (National Institute of Standards and Technology) – The U.S. government agency that provides measurement science, standards, and technology to advance economic advantage in business and government.
Phishing – When a User is tricked into giving a Bad Actor their passwords, PII, credentials, or biometric data. Example: A User gets a phone call or email from a fake customer service agent requesting the User’s password to a specific website.
PII – Personally Identifiable Information is data that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context (en.wikipedia.org/wiki/Personally_identifiable_information).
Presentation Attack Detection (PAD) – A framework for detecting presentation attack events. Related to Liveness Detection and Anti-Spoofing.
Root Identity Provider – An organization that stores vast amounts of biometric data appended to the corresponding individual’s personal information (PII), and allows other organizations to verify the identities of Subject Users by providing biometric data to the Root Identity Provider for comparison.
Spoof – When a non-living object (Artifact) that exhibits some biometric traits is presented to a camera or biometric sensor. Photos, masks, or dolls are examples of Artifacts used in spoofs.
Subject User – The individual who is presenting their biometric data to a biometric sensor at that moment.
Regulatory Terms:
CCPA (CA) – California Consumer Privacy Act (caprivacy.org).
GDPR – General Data Protection Regulation is a strict data privacy regulation for EU Citizens (eugdpr.org).
POPI – Protection of Personal Information requires South African institutions to conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way (www.gov.za/documents/protection-personal-information-act).
PSD2 – The Payment Security Directive which is part of the EU’s Open Banking initiative that came into effect in January 2018.
PSD2 requires standardized sharing of secured data between customer authorized organizations and, ultimately, with all the EU’s largest banks. PSD2 required data sharing be secured by “strong customer authentication” (SCA), with all payment service providers compliant by 14th September 2019.
SCA dictates that organizations must require their customers to provide at least two-of-the-three following authentication factors:
- Something only a customer knows (“Knowledge”): a mutually shared secret, like a password or security question answer
- Something only a customer has (“Possession”): e.g., a mobile phone or personal hardware token
- Something only a customer “is” (“Inherence”): e.g., a server-side face, voice or fingerprint match