What We Got Our Hands On:
- ZoOm is a contactless, AI-driven, 100-percent software authentication solution based on 3D face biometrics captured via standard front-facing selfie cameras and webcams.
- ZoOm can be used for digital and physical access applications, promising 10-second enrollment and 2-second authentication times. It can be employed for user onboarding, user authentication, liveness checks, Photo ID verification, and age estimation.
- ZoOm is intended for a wide range of vertical markets, including banking, eCommerce, eVoting, social media accountability, connected transportation, healthcare, insurance, time & attendance, government, and emerging spaces like crypto wallets and smart city ID.
- ZoOm boasts iBeta Certified Liveness Detection to Levels 1 and 2, and is especially proficient in detecting spoofs like hi-res photos, HD video, and 3D artefacts like mannequins, masks, and wax figures.
- It has been trained with users in more than 170 countries across six continents.
- ZoOm’s storage of biometric data is compliant with emerging global privacy regulation frameworks.
What We Found:
- ZoOm’s user interface is fast, intuitive and easy to understand.
- ZoOm resisted our complicit smartphone-based spoofing attempts.
- FaceTec’s enrollment and authentication speed claims were accurate and consistent, including in different lighting conditions.
The Next Steps in Authentication
Readers of FindBiometrics know biometric authentication is mainstreaming. Following Apple’s pioneering introduction to biometric security with the iPhone’s Touch ID, the biometrics industry flourished in consumer-facing vertical markets through the mobile channel. With the introduction of Face ID on the iPhone X, face unlock quickly became a mainstream biometric modality, and enthusiasm for contactless mobile authentication is still apparent in smartphone security.
Of course, FindBiometrics readers also know that the biometric features that ship with smartphones are largely technologies of convenience rather than security. Confined to individual mobile devices, many fingerprint and face technologies have proven vulnerable to common spoofing techniques. And, perhaps worse, they can be bypassed with PINs or gesture locks by design, effectively undercutting confidence in identity verification for meaningful digital transactions. That’s why in enterprise we are seeing a need for strong server-side biometrics fortified by unbroken trust chains, further assured with certified liveness detection.
What’s in a Simple Selfie?
In this First Look product review, we are exploring FaceTec’s ZoOm face authentication system, one of the most widely acclaimed consumer-facing biometric security solutions on the market. And it all revolves around the familiar selfie.
While the use of selfie-based authentication has become more commonplace, FaceTec’s solution is remarkable for its three-dimensional face mapping using a standard 2D camera. That’s because in less than two seconds, the “ZoOm” motion allows the AI to analyze up to 90 video frames to create a unique, data-rich 3D FaceMap, the foundation of a user’s digital identity. ZoOm collects as much as 100-times more data than a standard 2D image, producing exceptionally consistent and accurate results during enrollment and authentication processes.
But there’s another reason that ZoOm has attained such a high profile. FaceTec has put its solution through rigorous Presentation Attack Detection (PAD) testing by iBeta, a NIST/NVLAP-accredited testing lab that runs what is considered to be the gold standard in testing and certifying PAD technology in accordance with the ISO 30107 standard.
Living with Biometrics
Presentation attacks – also known as “spoofing” attacks – are designed to mimic an authorized user’s biometric data. For example, a spoofing attack might involve an artifact, like a mask resembling the legitimate account holder, being held up to the camera during the authentication process in an attempt to gain unauthorized access. And in most biometric authenticators in use today, these kinds of artifact attacks work a lot more often than they should. That’s why the security industry is placing a much stronger focus on liveness detection solutions that verify the user is physically present, and not just something that might look like the authorized user.
iBeta’s PAD tests are designed to evaluate the effectiveness of liveness detection systems in countering such attacks, and last year FaceTec became the first company in the world to attain Level 1 Certification in the program, fending off 100-percent of all spoofing attacks in the test. It repeated that feat by reaching Level 2 Certification in early 2019, detecting more sophisticated attacks employing artifacts including life-like latex and silicone masks. Constant improvement continues within the FaceTec labs, and the tech has been embraced by a quickly growing customer base, now with millions of users across dozens of industry verticals.
And FaceTec has continued to expand the features of its solution, having recently announced a new version this past September that includes an Identity Check interface that matches users to their photo IDs, and an automated, anonymous age-check AI to enable online access to age-gated goods and services.
According to the company, it has over 100 integration partners and customers, many of which have been using ZoOm commercially for nearly two years. It expects that number to grow over 300-percent in 2020, with hundreds of millions of ZoOm sessions performed.
Given ZoOm’s prominence in biometric authentication, FindBiometrics decided it was time to take Version 8 for a spin.
ZoOm is one of the few biometrics technologies that can be tested free on both web browsers and mobile devices. This multi-channel approach to try-it-yourself test-drives is key to understanding ZoOm’s value.
FaceTec’s solution is 100-percent software and adheres to the enterprise-friendly centralized biometric authentication paradigm. That means when a bank, for example, deploys ZoOm for user authentication, customers can use any device with a standard camera, including their own personal phone, their workstation, their child’s iPad, or any other camera-toting touchpoint. The convenience factor is not hard to understand, as devices are broken, lost and stolen frequently, and even shared devices can be used.
In the big picture, even as users won’t be required to re-enroll on every device for banking, the institutions themselves can also enjoy substantially greater trust by placing confidence in a user’s identity rather than a “recognized” device. With one secure biometric template (a 3D FaceMap) there is no risk of records duplication from an accident or by a fraudster (1:N), and at the same time the system can compare one physically-present, live body to one digital ID (1:1), not multiple, separate, authorized devices to a single digital ID.
Trying ZoOm on both desktop and mobile channels is free, simple, and to FaceTec’s credit, speaks directly to the confidence in the technology.
ZoOm on Mobile
Given how we access our accounts more on mobile, the most logical place to start with a selfie-based biometric technology is on a smartphone. As a contactless modality, face biometrics generally feels natural and convenient regardless of how it’s deployed, but a front-facing camera takes advantage of the selfie habit in the larger socio-cultural landscape. Essentially, taking pictures of our own faces with smart devices has become a normal part of our day.
The simple process on ZoOm for mobile is completely guided. I positioned my face so my image filled a guiding oval on the screen, which then prompted the oval to grow in size, and I was next instructed to move closer to the camera to fill the larger shape. This patented ZoOm motion, which enables the software to create its 3D FaceMap, is the foundation for liveness checks, enrollments, and authentications.
I enrolled wearing my glasses, but could authenticate without them, which is a feature we should expect. What I didn’t expect was how effortlessly ZoOm matched my currently bespectacled face to the picture on my driver’s license, which wasn’t just taken years ago before I wore glasses, but is also difficult to make out thanks to the typical scuffing that comes from keeping it in my wallet.
I authenticated with ZoOm in office and outdoor lighting conditions with no noticeable difference in authentication time, which never took longer than the advertised two seconds. Even in some dynamic scenarios, for example when I turned off a desk lamp mid-ZoOm motion, I experienced zero additional friction.
On mobile, ZoOm is fast, intuitive, and easy to use. And the new document reading feature is simple and accurate, thanks again to the on-screen guides. This latest feature is an especially welcome addition with version 8, expanding the breadth of FaceTec’s applications to include ID verification and remote onboarding, enabling a consistent user experience throughout the entire customer account lifecycle.
ZoOm in the Browser
The web browser version of ZoOm is what you’d expect from a desktop port of a face and document recognition mobile app. The idea of a selfie-based authentication system on desktop seems natural enough, but I was admittedly skeptical of how convenient the ZoOm motion would be. Following the on-screen guide again – which is consistent between platforms, making the transition from mobile to desktop/laptop feel natural – I found leaning in to fill the second oval was actually easier on this platform. In its specs, ZoOm promises a two-second authentication time, but the stationary target had me authenticating in fractions of that, thanks to consistent lighting conditions and the fact that I wasn’t trying to hit a moving target when filling the onscreen ovals with my face image during the ZoOm motion.
The primary difference between mobile and desktop is that the smartphone document capture process utilizes the rear camera, while the desktop scenario required me to hold my ID up to the webcam. Between the two channels the experience was otherwise identical, making the appeal of the aforementioned centralized biometrics paradigm self-evident. A service protected with ZoOm will offer the same customer experience across devices and channels after the initial, single enrollment.
Using ZoOm 8 on Android is so easy I thought I was being tricked, so I purposely tried to engineer false positives on both authentication and document matching by obscuring my driver’s license and disobeying the on-screen instructions during the liveness check. Sure enough, I couldn’t score any false positives through improper use (it should be no surprise that disobeying onscreen prompts leads to rejected authentication attempts), and every time my login attempt was rejected, the app offered tips on what I might have done wrong.
While trying to see how lighting changes affected ZoOm’s ability to positively authenticate, the only environmental conditions that consistently produced a false negative were: complete darkness (lights off in a windowless room), direct light shining into the camera to the point where flares obscured my face, and rapidly spinning in my office chair. (To be fair on that last one: if you’re trying to open a bank account while twirling around in circles, a false rejection is the least of your worries.)
Of course, part of the fun of trying out biometric authentication technology is trying to spoof it. Given ZoOm’s reputation and certifications, FaceTec is practically begging users to try and fool it. The company even has an active $30,000 bounty for successful presentation attacks. So, with thoughts of a nice, long European vacation floating in my head, I tried to break ZoOm 8 – and I failed.
The two primary spoof attempt methods were digital photos and a high definition 10-second video of my face, both displayed on a Google Pixel 3 smartphone. I tried each spoof three times on mobile, then on desktop, failing again and again. I was amused each time ZoOm’s UI offered tips on how to get a positive unlock, almost as if it was so confident in its security it was trying to help me spoof it. In a commercial application, after a few attempts, the user will get locked out for a period of time, which only gets more restrictive with further attempts. This makes a lot of sense in the real world where a fraudster won’t have an unlimited amount of time, creating a practical barrier to a continuous effort.
This exercise turned out to be easier than I had expected it to be. FaceTec’s ZoOm is a versatile, fast, easy-to-use authentication technology. And given our earnest, but admittedly humble, attempts at spoofing, and its testing pedigree and broad commercial use in some very challenging environments, ZoOm appears to be as secure as advertised. According to the company, nearly one million new users are currently added per month, including in some demanding use cases, like carsharing, where outdoor/indoor light, myriad weather conditions, and extra clothing could easily trip up a lesser system.
A big part of what makes ZoOm a success is its user interface and strict adherence to its method. Authenticating on ZoOm’s simple terms – follow the instructions on screen, perform the ZoOm motion – the two-second process is enough for convenient trust on any connected device. To see what I mean, try for yourself at FaceTec’s website where you can download fully-functional, current-version demo software for iOS, Android and webcams.