Combatting morphing in ID fraud

Biometric systems are increasingly used as a solid way to authenticate identities, because using human characteristics makes them hard to forge. Yet, in the age of AI, there is rising concern about the use of 'morphing' to create new identities that could potentially outwit facial recognition systems and enable multiple users of a single identity.

An example of this is when a German activist managed to obtain a passport using a digitally altered photo that merged two people, in protest against the government's storage of biometric data. In another case, Slovenian Police reported in 2021 that they had observed more than 40 cases of morphed Slovenian passports sold to Albanians who were hoping to seek refugee status in Canada.

This rising phenomenon, known as 'morphing attacks', is of growing concern to governments and security researchers because of the increasing sophistication of freely available AI tools that are making morphing easier.

Morphing attacks take advantage of the fact that biometric systems are designed to allow a certain level of variation in a person's appearance over time. This is essential for documents like passports, given their validity is often 10 years or more, and without which there would be chaos at every border control.

Morphing attack detection (MAD) systems exist, and these are constantly evolving in an attempt to outpace the sophistication of the morphing technologies. Yet there are many different types of morphing attack techniques, and the ability to detect them can vary depending on the technique used. Another approach is to evaluate the morphing attack's potential (MAP) to fool a biometric system, as well as the system's resistance to them.

To help with this, a new international standard has been developed. ISO/IEC 20059 features methodologies to evaluate the resistance of biometric systems to morphing attacks. It enables users to simulate a real use case, such as a border control scenario. This use case can then consider a number of morphing attack attempts and biometric systems in order to determine the MAP against border control gates that come from different vendors.

The standard also defines metrics for MAD accuracy such as the morphing attack classification error rate and the bona fide sample classification error rate.

While the evaluation of the biometric system's resistance is not a security evaluation in itself, it can help to reinforce its overall security.

ISO/IEC 20059 is just one of over 140 international standards by the IEC and ISO joint committee for biometrics, SC 37, that provides international best practice and guidance on everything from the performance and safety of biometrics to addressing key concerns around cyber security, data privacy and ethical issues.