FaceTec: Glossary of Terms:
We’ve assembled a comprehensive list of terms that are important for ZoOm, general biometric technology, presentation attack detection testing and privacy regulations.
For ZoOm Developer Terms Click Here
100% Software Solution – ZoOm doesn’t need special purpose hardware that most devices don’t have. ZoOm only requires a camera and a supported OS/Browser and runs on the 10 billion-plus Smart Devices and PCs and laptops with webcams.
3D Depth Detection – ZoOm measures the perspective distortion of the unZoOmed and ZoOmed video frames during authentication to ensure the User’s face is verified as three-dimensional.
Audit Trail Images – A 2D UnZoOmed image from the ZoOm session are provided to the developer for security, auditing, fraud investigation and transaction validation.
Authentication – Concurrent liveness detection, 3D depth detection and face verification/matching of the User.
Continuous Learning – Also called Adaptive Learning, it is ZoOm’s ongoing data collection process that adds additional data to the 3D FaceMap from variations in angle, lighting, facial hair, makeup glasses, etc. with each successful session, enhancing usability over time.
Cross-Device – ZoOm enables Users to access their account from any supported device without requiring them to re-enroll every time they get a new device, or want to access their account from a different device.
Cross-Platform – ZoOm supports cross-platform authentication, meaning you can enroll on any supported device and then authenticate later on any other supported device. Images captured from smart devices/webcams are converted to encrypted 3D FaceMaps and stored on the server to facilitate the cross-platform functionality.
Enrollment – The first time a User interacts with ZoOm they must add their face data to the system. The enrollment process performs a Liveness Check and captures the biometric data that becomes the foundation for the User’s 3D FaceMap.
Liveness Check – The User’s face is analyzed by ZoOm’s AI, and if the images do not contain a live human, the session is rejected as a spoof.
Liveness Detection – 3D Depth Detection and Face Matching do not prove liveness. For example, masks and dolls are 3D but are not alive, so ZoOm also utilizes sophisticated proprietary algorithms to detect concurrent human traits such as skin texture, reflections in the eyes, eye focus, pupil dilation and many more.
Matching – The 3D FaceMap of the User captured during authentication is compared to the enrolled FaceMap for that User’s account.
Perspective Distortion (Fish-Eye Effect) – During the ZoOm motion, the camera’s relationship to the User changes and perspective distortion will be observed if the face is 3D. 3D faces bend and warp predictably, and ZoOm can determine if the User’s face is changing as expected. Conversely, no significant perspective distortion occurs when the camera is moved closer to 2D objects like photos or videos.
Praetorian Black & White-Box Penetration Testing – ZoOm code base withstood many weeks of Black/White-Box Penetration Hacking. At the conclusion of the test, Praetorian assessed that the overall security of FaceTec’s ZoOm met industry best practices, in accordance with ASVS Level 1.
Session – A User-initiated ZoOm interaction in which face images are presented to the device’s camera. For each completed session, a 3D FaceMap contains all the data necessary to confirm 3D Depth, detect liveness and perform Face Verification/Matching.
TrueLiveness® – FaceTec’s registered trademark used to describe ZoOm’s liveness and depth detection capabilities.
Usage Logs – ZoOm usage logs do not contain personally identifiable information (PII), but contain the following information: machine ID, timestamps, signature, type of FaceMap, transaction type, ZoOm Server version, and session result – i.e. success, fail or error type. Logs allow FaceTec to ensure that ZoOm performance and usability are ideal for the end Users, enable monitoring for increases in presentation attack and assist in accounting.
ZoOm® – 3D Face Authentication software added to customer apps or web pages to provide centralized biometric access management.
ZoOm 3D FaceMap – The encrypted file that contains relevant biometric data from the User’s ZoOm session. Each 3D FaceMap contains an entire ZoOm Session worth of data, but even if the file were somehow decrypted it cannot be used to spoof ZoOm. The average size of a ZoOm 3D FaceMap is about 300 KB.
ZoOm Browser SDK – A lightweight device SDK (~3MB) which uses Web Assembly (WASM) and runs in web browsers to provide a convenient and consistent User experience. Initial liveness checks are performed by this SDK, and a 3D FaceMap is created, encrypted and sent to the server for the remainder of the Liveness Checks and the Face Verification.
ZoOm Configuration Options – ZoOm can be configured for Authentication for password replacement (Face Matching + Liveness Check), or Liveness Verification-only for onboarding/KYC. Further, either of these configuration options can be provided via FaceTec’s Managed API or with a Customer Managed ZoOm Server SDK.
ZoOm Device SDKs – Integrated into smart device apps, these SDKs provide a convenient and consistent native User experience in Android and IOS, and do not require SWIFT. Initial liveness checks are performed by this SDK, a 3D FaceMap is created, encrypted and sent to the server for the remainder of the Liveness Checks and Face Verification.
ZoOm Logo & Version – During the session there is a small, consistent presence of the ZoOm logo and version number located in the bottom of the ZoOm oval. ZoOm algorithms are trained to detect this watermark which helps us detect spoof attacks. It creates trust and ensures a consistent User experience on all devices for all customers.
Intellectual Property – ZoOm has been awarded numerous US and international patents on the ZoOm process, with over a dozen more patents pending.
ZoOm Server SDK – The ZoOm Server SDK, which is Installed on a server within the customer’s environment, performs Liveness Checks and Face Verification/Matching functions as well as generates Usage Log Files. It is a required component of the ZoOm platform, unless you are using the FaceTec Managed REST API.
ZoOm Session Data – Proprietary data objects generated by the ZoOm Web library. All endpoints that accept FaceMaps also accept ZoOmSessionData, and will attempt to convert ZoOmSessionData objects to 3D FaceMap objects before processing.
Biometrics Industry & Testing Terms:
1:1 – Comparing the biometric data from a subject User to the biometric data stored for the expected User. If the biometric data does not match above the chosen FAR level, the result is a failed match.
1:N – Comparing the biometric data from one individual to the biometric data from a list of known individuals, the faces of the people on the list that look similar are returned. This is used for facial recognition surveillance, but can also be used to flag duplicate enrollments.
Artefact (Artifact) – Inanimate objects that are reproductions of human biometric traits.
Authentication – Concurrent Liveness detection, 3D depth detection and biometric data verification (i.e. face sharing) of the User.
Bad Actor – A criminal, a person with intentions to commit fraud.
Biometric – The measurement and comparison of data representing the unique physical traits of an individual for the purposes of identifying that individual based on those unique traits.
Certification – The testing of a system to verify its ability to meet or exceed a specified performance standard. Testing organizations Like iBeta and NIST issue certifications.
Cooperative User – When a testing organization uses the 30107-3 ISO standard, the Users who test the authenticator must provide any and all biometric data that the testers request. This prevents complicit User fraud and phishing.
Complicit User Fraud – When a User pretends to have fraud perpetrated against them, but has been involved in a scheme to defraud by stealing an asset and trying to get it replaced by an institution.
Centralized Biometric – Biometric data is collected on any supported device, encrypted and sent to a server for enrollment and later authentication for that device or any other supported device. When the User’s original biometric data is stored on a secure 3rd-party server, that data can continue to be used as the source of trust and their identity can be established and verified at any time. Any supported device can be used to collect and send biometric data to the server for comparison, enabling Users to access their accounts from all of their devices, new devices, etc., just like with passwords. Liveness is the most critical component of a centralized biometric system, and because robust liveness did not exist before ZoOm, centralized biometrics have not yet been widely deployed.
Credential Sharing – When two or more individuals do not keep their credentials secret and can access each others accounts. This can be done to subvert licensing fees or to trick an employer into paying for time not worked (also called “buddy punching”).
Decentralized Biometric – When biometric data is captured and stored on a single device and the data never leaves the device. Fingerprint readers in smartphones and Apple’s Face ID are examples of decentralized biometrics. They only unlock one specific device, require re-enrollment for any new device and likewise do not prove the identity of the User. Decentralized biometric systems can be defeated easily if a bad actor knows the PIN number for the phone, and can overwrite the User’s biometric data.
End User– An individual human who is using an application.
Enrollment – When biometric data is collected for the first time, encrypted and sent to the server. Note: Liveness must be verified and a 1:N check should be performed against all the other enrollments to check for duplicates.
Face Authentication – Authentication has three parts: Liveness Detection, 3D Depth Detection and Identity Verification. All must be done concurrently on the same face frames.
Face Matching – Newly captured images/biometric data of a person are compared to the enrolled (previously saved) biometric data of the expected User, determining if they are the same.
Face Recognition – Images/biometric data of a person are compared against a large list of known individuals to determine if they are the same person.
Face Verification – Matching the biometric data of the Subject User to the biometric data of the Expected User.
FAR (False Acceptance Rate) – The probability that the system will accept an imposter’s biometric data as the correct User’s data and incorrectly provide access to the imposter.
FIDO – Stands for Fast IDentity Online: A standards organization that provides guidance to organization that choose to use Decentralized Biometric Systems – https://fidoalliance.org/
Root Identity Provider – An organization that stores vast amounts of biometric data appended to the corresponding personal information of individuals, and allows other organizations to verify the identities of Subject Users by providing biometric data to the Root Identity Provider for comparison.
FRR/FNMR/FMR – The probability that a system will reject the correct User when that User’s biometric data is presented to the sensor. This metric is used for sensitivity. If the FRR is high, Users will get frustrated with the system because they are prevented from accessing their own accounts.
iBeta – A NIST-certified testing lab in Denver Colorado; the only lab currently certifying biometric systems for anti-spoofing/Liveness Detection to the ISO 30107-3 standard. ibeta.com
NIST – National Institute of Standards and Technology – The U.S. government agency that provides measurement science, standards, and technology to advance economic advantage in business and government. nist.gov
ISO 30107-3 – The International Organization for Standardization’s testing guidance for evaluation of Anti-Spoofing technology. www.iso.org/standard/67381.html
Presentation Attack Detection (PAD) – A framework for detecting presentation attack events. Related to Liveness Detection and Anti-Spoofing.
Liveness Detection – The ability for biometric systems to determine if the data it has collected was from a live human or an inanimate or non-living object, like an Artefact in a Spoof attempt.
Imposter – A living person with traits so similar to the Subject User that the system determines the biometric data is from the same person.
Phishing – When a User is tricked into giving a Bad Actor their passwords, PII, credentials or biometric data. Example: A User gets a phone call from a fake customer service agent and they request the User’s password to a specific website.
Spoof – When a non-living object that exhibits some biometric traits is presented to a camera or biometric sensor. Photos, masks or dolls are examples of Artefacts used in spoofs.
Subject User – The individual that is presenting their biometric data to the biometric sensor at that moment.
PII – Personally Identifiable Information is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. en.wikipedia.org/wiki/Personally_identifiable_information
CCPA (CA) – California Consumer Privacy Act. caprivacy.org
GDPR – General Data Protection Regulation is a strict data privacy regulation for EU Citizens. eugdpr.org
PSD2 – The Payment Security Directive is part of the EU’s Open Banking initiative and came into effect in January 2018. PSD2 requires standardised sharing of secured data between customer authorised organisations and, ultimately, with all the EU’s largest banks.
PSD2 requires data sharing be secured by “strong customer authentication” (SCA), with all payment service providers compliant by 14th September 2019.
SCA dictates that organisations require their customers provide at least two of the three following authentication factors:
- Something only a customer knows (“Knowledge”): a mutually shared secret, like a password or security question answer
- Something only a customer has (“Possession”): e.g., a mobile phone or personal hardware token
- Something only a customer “is” (“Inherence”): e.g., a server-side face, voice or fingerprint match
POPI – Protection of Personal Information requires South African institutions to conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way. www.gov.za/documents/protection-personal-information-act