Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Taking Measure
Just a Standard Blog
NIST researcher Mei Lee Ngan disguised herself to look like the TV character Ron Swanson and was unable to unlock her phone with this disguise.
I once transformed my face to look like Ron Swanson — for science.
I never thought disguising myself with wigs and makeup would be part of my job, but as a NIST facial recognition researcher, I sometimes get to do just that. To make myself look like the gruff character from the show Parks and Recreation, I applied a lot of makeup, a wig and a fake mustache.
With that look, I could no longer unlock my cellphone with my own face.
This is an example of what we facial recognition researchers call a “presentation attack.” A presentation attack is often used when someone is trying to look like someone else or not to be seen as themselves. A presentation attacker wants to fake someone else’s face or look like anyone but themselves to avoid being picked up by facial recognition technology.
While my Ron Swanson experiment was innocent, people thwarting facial recognition technology can have scary results.
For example, an attacker could copy a person’s identity by using that person’s photo to bypass facial recognition to gain access to the victim’s phone or bank account.
Another tricky facial recognition technology threat is when someone merges two people’s faces into one photo and uses it to commit identity fraud. This is called “morphing,” and it’s easy to do with various online or mobile tools. It creates real security risks if a person gets a passport with a morphed photo, because it allows multiple people to use the same passport.
Facing Threats With Measurement Science
Biometrics are physical characteristics often used to identify us, such as fingerprints, iris and face. NIST has been evaluating the performance of biometric algorithms since the 1960s, starting with fingerprints.
In the facial recognition field, we’ve been evaluating the technology for over 25 years now.
As facial recognition has become more common — from opening your smartphone to identifying yourself at a national border — our work has become even more high-stakes.
NIST’s involvement in facial recognition technology is varied. We evaluate the accuracy of facial recognition algorithms and work to understand how to prevent and respond to attacks on facial recognition technology. We’ve also developed standards on how to collect and exchange biometric data used by law enforcement agencies worldwide.
On an ongoing basis, we test various companies’ facial recognition technology. We report how well these algorithms perform on a wide range of imagery, both absolutely and compared to each other. In addition to accuracy, our tests examine factors like how fast the technology works and how much computing power it requires.
Our work helps companies constantly improve their algorithms, which makes this technology safer and more effective for all who rely on it to keep us safe — whether we realize it or not.
Additionally, we’ve been examining face morphing detection algorithms. Our hope is that one day, these algorithms can help detect face morphing and prevent identity fraud.
I’ve recently worked on testing methods to identify the presentation attacks I mentioned earlier. Our team recently evaluated images with different types of presentation attacks, ranging from wearing an N95 mask to hide part of the face to holding up a photo of another person to the camera. While some algorithms worked well, none of the algorithms we tested could detect all of the presentation attacks in our test. So, there’s still work to be done in this area.
Making Facial Recognition Work for Every Face
We published a report in 2019 about the demographic effects of facial recognition technology. Researchers and others have long expressed concerns about bias in facial recognition. We measured algorithm performance across different demographic groups, including age, race and sex.
Our research showed many algorithms were less effective in some groups of people than others.
It’s important for us to report these results and make the facial recognition community aware of this problem, so they can work toward solutions. We’ve added demographic accuracy metrics to our “leaderboards,” or regular updates on how well companies’ algorithms are performing.
I’ve been a researcher in the field of biometrics for over a decade now, and I worked as a government contractor with various agencies before coming to NIST. I started out as a guest researcher here before transitioning to full-time research.
I love this work because of its impact. This is not abstract research. My work can help thwart hackers or prevent people from getting passports they shouldn’t have.
Our work is often scrutinized by the public because it is high-profile and important to people’s lives. When I struggled with this in the past, I remember my group leader telling me that the attention is because we’re doing important work. No one would care if the research weren’t relevant.
That’s what I love about this job: knowing that NIST is using our capabilities and our platform to help make a difference by keeping people safer and combating bias. That feeling of making a difference is really what drives me to keep doing what I do.
Facing the Future of Biometric Science
This technology is evolving so rapidly that our work to evaluate it is also always changing. One of the newest projects we’re working on is evaluating age estimation technology.
Age estimation is a separate area of research from facial recognition because it involves looking at images of one person and estimating their age, rather than comparing images of multiple people to identify a face.
Recent legislation in some states requires some websites and social media platforms to verify users’ ages, so there has been increasing interest in this technology in recent years. We’ve been working on methods to evaluate these algorithms, just as we do for facial recognition.
As all things biometric continue to evolve with technology, we at NIST will be ready to test and measure their effectiveness.
And if that involves me dressing up as another TV character, I’m happy to do that — if it helps our research.
Protect Your Biometrics
During Cybersecurity Awareness Month, everyone should be aware of protecting their important passwords and biometric information. Changing compromised passwords is easy, but changing your biometric information is not.
If you’re not sure if you trust an app or a website, don’t give it your biometric information. You might want to decline “Face ID” in that scenario.
Additionally, if you can limit the number of images on the internet of yourself (difficult, I know!), it can help cut down on the risk of your biometric information being stolen.
About the author
Related posts
Comments
This is very good information. It is also one of my primary concerns today. I have the Biometric sign on option in my tablet, but I elected not to use for several reasons. Like you mentioned in this article, makeup can change facial recognition. I also found that day to day my face can change from dark to light, narrow to wide face (also swollen), wrinkles to no wrinkles, wide eyes to smaller eyes, etc. I am not kidding, it is crazy. It's like someone actually set themselves within me; mostly while at home. It is good to get out into the public. I say all this to say, I cannot use Biometric's face recognition. When taking a picture of yourself, a selfie, look closely at your picture. You can actually see the morphs shot, doubling over you. Especially if it is man hovering over a female. Again, I totally agree with you reporting.
Very good articles. Now, if someone wanted to use my face to open a bank account online, it would be a lot easier online than in person because you do not have to safeguard IF you are known at the Bank. But, with plastic surgery, other devices to change your appearance at a different bank that does not know you. I believe you could fake an account opening with all the necessary background information on the subject. Now, do we have to have all a secure account mandated to have facial recognition to keep your account safe. Or could we have voice recognition in order to get access to your account (that is being done now). I am talking about personal appearance to get into your account in person, not phone or computer. Would that be too costly, counterproductive (time-consuming) suppose you switch banks would they have to delete your picture, voice, fingerprint ? Or is this just another massive identity project, and what happens if the bank gets hacked like things are done now ?
Many things to consider but heading in the right direction. Just thinking ?