
World Congress on Internet Security (WorldCIS-2013)

Identity verification through face recognition, Android smartphones and NFC
Antonia Rana, Andrea Ciardulli
Joint Research Centre
European Commission
Ispra (VA), Italy
antonia.rana@ec.europa.eu, andrea.ciardulli@ext.jrc.ec.europa
Abstract: Smartphones are becoming more and more
widespread and powerful and their use is becoming common in
applications such as transport, healthcare, security, and
surveillance. In this paper we describe the preliminary results of
our experience in using an Android smartphone as a tool which
can be used in emergency situations to validate the identity of
people through the use of two functionalities provided by the
most recent generations of smartphones: NFC and face
recognition.
Keywords: face recognition; NFC; smartphone; Android;
participatory surveillance; mobile identity verification

I. INTRODUCTION

With the rapid increase in processing power, sensors
and supported communication protocols, more and more
advanced and unforeseen uses of smartphones emerge and
become an integral part of our everyday life. Areas in which
smartphones have already been piloted for years are
authentication and identification in the context of law
enforcement or border control, transport and mobile payments.
The availability of high quality cameras and fast CPUs opens up
the possibility of using these devices efficiently for fast face
recognition and of handling this information securely, while the
availability of Near Field Communication (NFC) allows them to
be used with identity tokens. In this short paper we present an
application that we have developed for the automated
verification of persons in the context of a participatory
surveillance application in which smartphones were used to
verify the identity and presence of the expected persons at a
gathering point. The case of emergency evacuation is one
example of a situation in which a quick, secure, reliable
mechanism to identify the people involved and check that the
persons gathered at the meeting point are all those who are
expected is a crucial step. This paper will present the identity
verification component, which uses a smartcard (e.g. an
employee badge) and an NFC enabled Android smartphone
connected to a remote control room.
Smartphones with NFC capability are being considered for
identity verification or even identification in the context of law
enforcement applications combined with the use of identity
documents such as the electronic (biometric) passport [2][3].
Free and commercial applications are available which enable
citizens to read an electronic passport using an NFC enabled
Android device, although they do not perform any biometric
matching for identity verification.

978-1-908320-22/3/$25.002013 IEEE

II. MOBILE IDENTITY VERIFICATION

A. Use Scenarios
In our participatory surveillance scheme [1], we identified
two possible scenarios in which the identity of a person can be
verified using a smartphone. Both scenarios assume that a
person has been enrolled into a system in which a picture of the
facial image is taken and stored both in a smartcard (used as
identity token), and in a remote database (employee database).

In the first one the picture stored in the smartcard at
enrollment is matched against a picture taken for identity
verification.

In the second one the picture is matched against the
one stored at enrollment in the remote employees database.

The two scenarios have different architectural and privacy
implications. In the first case, no sensitive information is sent
over the network connecting the smartphone to the control
room. The app will just send an OK/NOTOK message. In the
second case, at least the picture and an identifier are
transmitted for biometric processing on the remote server. In
both cases privacy concerns have been taken into account by
encrypting the data both in transit and stored on the smartcard.
Signal processing [3][4] and matching are executed
respectively on the mobile device and on the remote server.
Here we describe the first scenario.
B. Architecture
Our mobile identity verification app runs on Android and
communicates results of the biometric data processing to a
remote control room via WiFi or via UMTS/GPRS. The
components that constitute the architecture of the app are shown in
figure 1(b).
III. STORING AND PROCESSING BIOMETRIC DATA

A. Smartcard and NFC


One of the main ideas in this application was to store
identity information about a person on a cheap smartcard in a
secure way in order to protect the privacy of sensitive
information, such as the facial image, and to check identity
using a standard off-the-shelf device. It was important to select
a smartcard which had some security features and which did
not require additional modules to be connected to an
off-the-shelf smartphone. The availability of Near Field
Communication on medium-high end Android devices made
the choice of contactless smartcards an obvious one. NFC is
an efficient technology to pass small amounts of information
between two devices with no complex set-up requirements.
The standard, developed by the NFC Forum, is based on
RFID, the main difference being that while RFID supports
only communication between a passive tag and a powered
device which uses inductive coupling to transmit data, in NFC
both devices can be active. When using a contactless
smartcard, an NFC enabled smartphone works exactly as a
desktop RFID reader, establishing a radio communication
between the smartphone (the reading device) and unpowered
chips (contactless smartcards or tags) in close proximity (a few
centimeters).
The NFC Forum specifications [5] define four types of
tags, which provide different communication speeds and
capabilities in terms of configurability, memory and security.
For our mobile identity verification scenario we chose the
Mifare DESFire 8k V1 [6], which operates in accordance with
the international standard ISO/IEC 14443A as regards air
interface (the same as for electronic passports) and in
accordance with ISO/IEC 7816-4 as regards data command.
This contactless smartcard has 8 Kbyte of non-volatile memory
and a number of features that fulfilled our security and privacy
requirements (e.g. high speed triple-DES and AES data
encryption, mutual three pass authentication, data encryption
on the RF-channel and data authentication at the application
level).
In our app we implemented a single application using the
native card file system and we used the access control and
authentication features provided by the card at the application
level. These features allowed us to encrypt the files on the
card. An enrollment application was used to capture facial
images in controlled lighting conditions and store them
securely on the smartcard. Different settings were used to
define the optimal conditions to obtain images small enough to
fit into the limited storage space of the smartcard, yet still
providing good matching results. The limitations on the size of
the image were a consequence of the decision to store the
images rather than features in order not to be constrained by
any particular face recognition algorithm.
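
The reader side of the card access described above, as an added example that is not the authors' app code: DESFire native commands wrapped in ISO/IEC 7816-4 APDUs, with status-word checking and reassembly of a file that spans many frames. It assumes plain communication mode and leaves out the three-pass authentication and encryption the paper relies on; the application identifier, file number, 59-byte frame size and `FakeCard` are constructed for the demonstration.

```python
CLA_WRAPPED = 0x90          # class byte for wrapped native commands
SELECT_APPLICATION = 0x5A
READ_DATA = 0xBD
ADDITIONAL_FRAME = 0xAF     # command and "more data follows" status
CARD_CAPACITY = 8 * 1024    # 8 Kbyte card named in the paper

def wrap(cmd: int, data: bytes = b"") -> bytes:
    """Build CLA INS P1 P2 [Lc data] Le for one native command."""
    body = bytes([len(data)]) + data if data else b""
    return bytes([CLA_WRAPPED, cmd, 0x00, 0x00]) + body + b"\x00"

def exchange(transceive, cmd: int, data: bytes = b"") -> bytes:
    """Send one command, follow 0x91AF chaining, return the payload."""
    payload = bytearray()
    resp = transceive(wrap(cmd, data))
    while True:
        if len(resp) < 2 or resp[-2] != 0x91:
            raise IOError("malformed status word")
        payload += resp[:-2]
        if len(payload) > CARD_CAPACITY:
            raise IOError("card returned more data than it can hold")
        if resp[-1] == 0x00:
            return bytes(payload)
        if resp[-1] != ADDITIONAL_FRAME:
            raise IOError(f"card error status 0x{resp[-1]:02X}")
        resp = transceive(wrap(ADDITIONAL_FRAME))

def read_image(transceive, aid: bytes, file_no: int, length: int) -> bytes:
    """Select the application and read `length` bytes from offset 0."""
    exchange(transceive, SELECT_APPLICATION, aid)
    args = bytes([file_no]) + (0).to_bytes(3, "little") + length.to_bytes(3, "little")
    image = exchange(transceive, READ_DATA, args)
    if len(image) != length:
        raise IOError("short or oversized read")
    return image

class FakeCard:
    """Constructed stand-in for a card: one application, one plain file."""
    def __init__(self, aid, image, frame=59):
        self.aid, self.image, self.frame, self.pending = aid, image, frame, b""
    def transceive(self, apdu: bytes) -> bytes:
        ins, data = apdu[1], apdu[5:-1]
        if ins == SELECT_APPLICATION:
            return b"\x91\x00" if data == self.aid else b"\x91\xA0"
        if ins == READ_DATA:  # data = file number, 3-byte offset, 3-byte length
            self.pending = self.image[:int.from_bytes(data[4:7], "little")]
        chunk, self.pending = self.pending[:self.frame], self.pending[self.frame:]
        return chunk + (b"\x91\xAF" if self.pending else b"\x91\x00")
```

On Android the `transceive` callable would be the `IsoDep.transceive` method of the discovered tag; here `FakeCard(aid, image).transceive` plays that role.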

B. Matching Faces
The biometric match between the facial image stored on the
smartcard and a picture of the person taken for identity
verification is done on the smartcard. To preserve privacy,
images are stored in the internal memory of the phone only for
the time necessary for the matching operations.
We used the embedded VeriLook SDK to implement face
recognition.

Figure 1: (a) Local matching scenario, (b) mobile identity verification
application architecture

IV. CONCLUSIONS

Our initial tests were aimed at identifying the best
conditions to obtain a facial image file small enough yet still
performing well in identity verification on the smartphone.
Tests executed with a limited set of participants were
successful. Our next steps will be to enlarge the test database
and to replace the face recognition SDK with a new set of face
recognition algorithms which promise to provide even better
results on platforms with limited processing power [7]. Taking
advantage of the fact that our application does not require
non-frontal images, which are reported as one of their weak points,
we will explore the performance of Local Binary Pattern in
our application. We expect that this algorithm will improve
our results considering the limited storage space available on
our identity tokens.

REFERENCES
[1] A. Rana, A. Ciardulli, Identity verification using smartphones in a participatory surveillance scenario, EUR 25746 EN, ISBN 978-92-79-28182-2, ISSN 1831-9424, doi:10.2788/789
[2] E-MOBIDIG, http://www.e-mobidig.eu/ (Access date: 13 September 2013)
[3] A. Rana, A. Alessandroni, Mobile identification, EUR 25037, ISBN 978-92-79-22060-9, ISSN 1831-9424, doi:10.2788/10498
[4] NIST, Mobile ID Device Best Practice Recommendation, Version 1.0, July 2009, NIST Special Publication 500-280 (Access date: 13 September 2013)
[5] NFC Forum specifications, http://www.nfc-forum.org/specs/ (Access date: 13 September 2013)
[6] MIFARE DESFire EV1, http://www.mifare.net/en/products/mifaresmartcard-ic-s/mifare-desfire-ev1/ (Access date: 13 September 2013)
[7] Vazquez-Fernandez, E.; Garcia-Pardo, H.; Gonzalez-Jimenez, D.; Perez-Freire, L., "Built-in face recognition for smart photo sharing in mobile devices," Multimedia and Expo (ICME), 2011 IEEE International Conference on, pp. 1-4, 11-15 July 2011, doi: 10.1109/ICME.2011.6012057
