If you’ve ever had the inclination to break into top-secret laboratories, now would be the time to do it.
Dr. D.J. Lee is about to make breaching security a lot harder.
He and PhD student Zheng Sun conceptualized a way to increase security for restricted resources: an algorithm that analyzes facial identity and actions in a concurrent two-factor verification process. They created it in response to a need for heightened security and are currently going through testing.
A stranger overhearing Lee talk about the inspiration behind his and Sun’s invention might mistake the professor for a criminal mastermind - or at least an avid consumer of espionage films. He has learned the weaknesses that cripple most of the security measures currently in use.
“I read some joke,” he said. “You’re sleeping, and someone could still unlock your phone by using your finger when you’re sleeping. There was another about a wife unlocking her husband’s phone while he was sleeping to see what secrets he was keeping.”
And that’s just one example. Passcodes, Lee said, could be lost or phished. ID and key cards could end up in the wrong hands. Biometrics, such as fingerprints, present their own slew of challenges. Crooks have figured out how to replicate fingerprints onto stickers or rubber gloves and how to replicate faces with three-dimensional fabricated rubber models - Lee saw it happen in Mission Impossible. Scanning retinas eliminates risks of rubber replication, but it requires complicated equipment.
The list could go on, but the most bone-chilling issue Lee described was that biometric identity verification methods “could fail easily when the identity verification process is not intended.” In other words, troublemakers could skip right past the molds and models and use somebody’s body to unlock resources without their consent. The victim could be sleeping, unconscious, brainwashed, or dead.
Lee called the missing piece in traditional biometric identification processes “liveness assurance.” The tech that scans fingerprints and faces cannot differentiate a living, alert person from an inert one, but Lee’s new innovation can.
It works by first capturing a facial action of the user - a physiological passcode. After allowing the device to scan their face, the subject will smile, say a password, or contort their face into a grimace capable of frightening the ghastliest of demons from their hideouts - whichever facial action they chose to save in the system. The user’s facial identity and facial action must both match what is stored in the system to pass identity verification.
A verification process like this ensures security because it cannot be replicated by a rubber mask nor by an unconscious subject. It can be as secret as a passcode or PIN, but it cannot be stolen or phished. The process also demands no complicated equipment - a regular webcam or phone camera suffices.
“If I can’t get funding, I would be willing to start a company and work on this on my own because it is so promising,” Lee said. He scoured the internet for similar patents and publications early on in his process and failed to find anything similar.
A small device with this unique algorithm has broad applications ranging from accessing restricted areas and resources, vaults, safe deposit boxes, and ATMs, to boarding public transportation and entering hotel rooms, to using keyless and code-less driver verification for automobiles.
Lee described the biggest challenge as collecting videos for training the algorithm. He needed footage of a wide variety of humans making different facial expressions. He had to work with a collaborator in China to gather enough and consult with the Institutional Review Board to ensure that his use of human subjects was appropriate, but the work paid off. The algorithm can now store and recognize facial identity and actions concurrently, and Lee and Sun are ready to practice live demonstrations.
Though they still have some technical issues to solve, Lee filed a provisional patent for the invention with the BYU transfer office on January 5.