Cybersecurity researchers at the Georgia Institute of Technology have developed a login authentication technique that could significantly improve the security of biometric methods that rely on video or images of users’ faces. Known as Real-Time Captcha, it uses a challenge that’s a snap for humans but next to impossible for attackers who rely on machine learning and image generation software to spoof legitimate users.
Real-Time Captcha requires that users look into their mobile phones’ camera while answering a randomly-selected question that appears within a Captcha on the screens of the devices they are trying to gain access to. The verbal response must be given within a period of time that’s too short to let artificial intelligence or machine learning programs respond. The new Captcha could supplement image and audio-based authentication that can be fooled by attackers able to find and modify images, video, and audio of users, or else steal them from mobile devices.
“The attackers now know what to expect with authentication that asks them to smile or blink, so they can produce a blinking model or smiling face in real time relatively easily,” says Erkam Uzun, graduate research assistant in Georgia Tech’s School of Computer Science. “We make the challenge harder by sending users unpredictable requests and limiting the response time to rule out machine interaction.”
To eliminate traditional passwords for logins, mobile devices and online services are moving to biometric techniques that use a human face, retina, fingerprint, or other biological attribute to verify who is attempting to log in. For example, the iPhone X unlocks by scanning the user’s face and comparing it to one stored in its memory. Other devices use short video segments of a user nodding, blinking, or smiling.
In the cat-and-mouse game of cybersecurity, those biometrics can be spoofed or stolen, which will force companies to find better approaches, says Wenke Lee, a Georgia Tech professor and co-director of the Georgia Tech Institute for Information Security and Privacy.
“If the attacker knows that authentication is based on recognizing a face, they can use an algorithm to synthesize a fake image to impersonate the real user,” Lee says. “But by presenting a randomly-selected challenge embedded in a Captcha image, we can prevent the attacker from knowing what to expect. The security of our approach comes from a challenge that is easy for a human, but difficult for machines.”
In testing done with 30 subjects, the humans responded to the challenges in a second or less. The best machines required between 6 and 10 sec. to decode the question from the Captcha and respond with faked video and audio. “This lets us quickly determine if the response is from a machine or a human,” Uzun explains.
The new approach requires that login requests pass four tests: successful recognition of a challenge question from within a Captcha, response within a narrow time window that only humans can meet, and successful matches to both the legitimate user’s pre-recorded image and voice.
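The four-test decision logic described above, as an added illustration that is not code from the Georgia Tech project. The 2-second response window sits between the human and machine timings the article reports; that window, the biometric score thresholds, the challenge bank, and the face/voice scores (assumed to come from separate matchers) are all assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed parameters (not from the article): humans answered in about a second
# and the best synthesis pipelines needed 6 to 10 s, so a 2 s window separates
# them; thresholds and the challenge bank are constructed for illustration.
RESPONSE_WINDOW_S = 2.0
FACE_THRESHOLD = 0.8
VOICE_THRESHOLD = 0.8
CHALLENGE_BANK = {"what is three plus four": "seven", "say the word cat": "cat"}


@dataclass
class Challenge:
    nonce: str        # binds one spoken response to one issued prompt
    question: str     # text the server renders inside the Captcha image
    answer: str       # expected verbal response
    issued_at: float  # server-side issue time, so the client cannot stretch the window


class RealTimeCaptchaVerifier:
    """Applies the four tests: challenge recognised, answered inside the window,
    face matches the enrolled image, voice matches the enrolled sample."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending: dict[str, Challenge] = {}

    def issue(self) -> Challenge:
        # Randomly selected challenge, so an attacker cannot pre-render a reply.
        question, answer = secrets.choice(list(CHALLENGE_BANK.items()))
        challenge = Challenge(secrets.token_hex(8), question, answer, self.clock())
        self.pending[challenge.nonce] = challenge
        return challenge

    def verify(self, nonce: str, spoken: str, face_score: float,
               voice_score: float) -> tuple[bool, list[str]]:
        challenge = self.pending.pop(nonce, None)  # single use: a replayed nonce fails
        if challenge is None:
            return False, ["unknown or already used challenge"]
        elapsed = self.clock() - challenge.issued_at
        failures = []  # evaluate every test so the log shows all that failed
        if spoken.strip().lower() != challenge.answer:
            failures.append("challenge not recognised")
        if elapsed > RESPONSE_WINDOW_S:
            failures.append(f"response window exceeded ({elapsed:.1f}s)")
        if face_score < FACE_THRESHOLD:
            failures.append("face mismatch")
        if voice_score < VOICE_THRESHOLD:
            failures.append("voice mismatch")
        return not failures, failures
```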
“Using face recognition for authentication is probably not strong enough,” says Lee. “We’ve combined that with Captcha, a proven technology. That makes face recognition technology much stronger.”
Captcha technology—the word is an acronym for “completely automated public Turing test to tell computers and humans apart”—is widely used to prevent bots from accessing forms on websites. It works by taking advantage of a human’s ability to quickly recognize patterns in images. Real-Time Captcha goes beyond what’s required on websites by prompting a response that generates both live video and audio, which are matched against the user’s stored security profile.
Captcha challenges might involve recognizing scrambled letters or solving simple math problems. The idea would be to allow humans to respond before machines can even recognize the question.
“Making a still image smile or blink takes machines just a few seconds, but breaking our Captcha challenges takes 10 sec. or more,” says Uzun.
The Real-Time Captcha approach shouldn’t significantly change bandwidth requirements, since the Captcha image sent to mobile devices is small and the authentication schemes it supplements were already transmitting video and audio. Among the challenges going forward are recognizing speech in a noisy environment and securing the connection between the device camera and the authenticating server.