Microsoft-Cognitive Face API - Verify. Is there a way to avoid pictures of pictures?

Question

What I want to do is verify users identity in my mobile app through the smartphone webcam, with a selfie.

So I made a small web app just to test microsft azure cognitive services, using the Face API. I take 2 pictures. I get both pictures faceIds with the Face - Detect, then I compare both faceIds with Face - Verify, if they are the same person the API does respond with a true value and the confidence number, false otherwise.

The thing is, on terms of security, if I take a picture of a picture, let's say I took a selfie, then I take a picture of the selfie in cellphone with the webcam, it does detect a face, and it is my face, then I take a picture of myself with the webcam, so, when I use Face - Verify, it returns true.

So, If I want to use this as an identity verification, this is a huge security risk. I was wondering if there's a way to prevent this.

Answer 1

We wanted to forward a response from an engineer:

The service would not differentiate between a high quality photo or a live image. Therefore, we do not recommend the service as a single form of authentication. However, some customers have tried capturing multiple frames to verify that it is not a still image.

Answer 2

You can ask the user to do some random actions like close left eye or smile, or something like that. And you will get this in the second face detection.

Answer 3

Another hard solution is that you can use text recognition service along with it. eg. generate a random number in app and ask user to include this number front of camera. (maybe user can use a paper or board to show random number on screen). So on server side you will also require to read number from the picture to verify it

Answer 4

There is another Recognition API from Microsoft which can detect objects. I've tested and it can detect if there is a cellphone in the picture. (If you try to access with the picture in cellphone). The problem is if you try to access with the cellphone and you can't see the border of the cellphone.