What I want to do is verify users identity in my mobile app through the smartphone webcam, with a selfie.
So I made a small web app just to test microsft azure cognitive services, using the Face API. I take 2 pictures. I get both pictures faceIds with the Face - Detect, then I compare both faceIds with Face - Verify, if they are the same person the API does respond with a true value and the confidence number, false otherwise.
The thing is, on terms of security, if I take a picture of a picture, let's say I took a selfie, then I take a picture of the selfie in cellphone with the webcam, it does detect a face, and it is my face, then I take a picture of myself with the webcam, so, when I use Face - Verify, it returns true.
So, If I want to use this as an identity verification, this is a huge security risk. I was wondering if there's a way to prevent this.
We wanted to forward a response from an engineer:
The service would not differentiate between a high quality photo or a live image. Therefore, we do not recommend the service as a single form of authentication. However, some customers have tried capturing multiple frames to verify that it is not a still image.