Liveness detection is the most consistently undersized layer in digital KYC. NFC chip reading plus biometric face matching confirms the document is real and the face on it matches the selfie — but neither stops an attacker from holding someone else's photo up to the camera. Liveness detection (also called Presentation Attack Detection, or PAD) closes this gap by asking a different question: is the face in front of the camera a living human, or is it a photo, video, mask, or deepfake? This article walks through how liveness detection works, the spoofing attacks it defends against, and how NIST PAD certification levels map to risk tiers in EU AMLD and UK MLR 2017 deployments.
Why Liveness Detection Matters
An attacker can defeat naive biometric face matching with:
- Photo spoofing — printing or displaying the target's photo on a screen.
- Video replay — replaying a recorded video of the target.
- 3D masks — silicone or 3D-printed face masks (advanced attack).
- Deepfakes — AI-generated live-rendered faces.
These are collectively called "presentation attacks." Liveness detection — also known as anti-spoofing or PAD — uses ML models to determine whether the face is a live human.
Under the EBA's October 2023 Remote Customer Onboarding Guidelines and equivalent UK FCA expectations, liveness detection is not explicitly mandated but is strongly implied by the "robust" verification standard. Most regulators expect institutions to demonstrate that their KYC flow is resistant to presentation attacks. See our complete digital KYC guide for the broader regulatory context.
Two Approaches: Passive vs Active Liveness
Passive Liveness
Runs invisibly during normal selfie capture — no additional user action required. The ML model analyzes:
- Depth cues — the 3D structure of a real face vs the 2D plane of a screen.
- Texture analysis — micro-texture of real skin vs pixel patterns of screens (moiré).
- Lighting consistency — natural light falloff across facial regions vs uniform screen emission.
- Micro-movements — involuntary blinks, micro-expressions.
- Color space analysis — real skin reflects differently than screen emission across spectral bands.
Advantages: zero user friction, fast. Disadvantages: high-quality attacks (4K screens, professional deepfakes) may defeat passive-only models.
Active Liveness
Challenges the user with a random action: "turn your head right," "blink twice," "read these numbers aloud: 5283." The ML model verifies that the requested action occurred. Advantages: very resistant to replay attacks, because an attacker can't pre-record a video matching a randomly generated challenge. Disadvantages: 10-15% additional user drop-off due to friction.
What Production Systems Use
Most production deployments are hybrid: passive liveness runs by default; active liveness triggers for medium-to-high risk profiles. Hybrid approaches minimize friction while maximizing security.
NIST PAD Certification Levels
The US National Institute of Standards and Technology (NIST), through ISO/IEC 30107-3, defined PAD certification levels evaluated by accredited labs (iBeta, BSI, others).
| Level | Attack Coverage | Typical Deployment |
|---|---|---|
| PAD Level 1 | Basic photo attacks (printed photos, phone screens) | Entry-level or supplementary |
| PAD Level 2 | High-quality video replay, basic masks | Production minimum |
| PAD Level 3 | 3D silicone masks, professional deepfakes | High-risk verticals (crypto, high-value banking) |
For EU and UK digital KYC, PAD Level 2 is the practical minimum. PAD Level 3 is increasingly expected for crypto VASPs under MiCA and for high-value banking. Certification documents (typically from iBeta or BSI) serve as evidence during regulatory inspection.
Technical Components
1. Capture Layer
During the selfie capture, multiple frames are recorded (typically 30-60 fps over 2-3 seconds) — not just a single still. This short video segment supports both passive analysis and active challenge verification.
2. Preprocessing
Face detection, alignment, and normalization. Detecting more than one face in the frame (for example, an attacker holding up another person's photo while their own face is also visible) triggers additional checks. Lighting normalization happens at this stage.
3. PAD Model
For passive liveness, CNN-based architectures (ResNet, EfficientNet variants) are standard. Typical signal extraction:
- Deep texture analysis via convolutional features.
- Spectral analysis (FFT-based).
- Optical flow analysis for inter-frame micro-movement.
Output: a 0-1 liveness score. Production thresholds typically start at 0.8+ for auto-pass; mid-range scores (0.6-0.8) escalate to operator review.
4. Active Challenge Module
Verifies that user actions match the requested challenge:
- Head pose estimation — confirms the head actually turned.
- Blink detection — confirms blinks at the right time.
- Lip sync analysis — confirms spoken digits match mouth movements.
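An added example, not from the original article or any vendor's code: server-side issuance and checking of an active challenge that is unpredictable, bound to one session, short-lived and single-use, so a pre-recorded response cannot match it. The action names, the 30-second TTL, the in-memory nonce store and the `observed_*` inputs (standing in for the head-pose, blink and lip-sync detectors' output) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical action set and parameters; a real deployment defines its own.
ACTIONS = ("turn_head_left", "turn_head_right", "blink_twice", "read_digits")
CHALLENGE_TTL_SECONDS = 30
SERVER_KEY = secrets.token_bytes(32)  # per-process key, for illustration only
_used_nonces = set()                  # stand-in for a shared single-use store


def _tag(c):
    """HMAC over every field, so the client cannot edit the challenge it holds."""
    body = "|".join([c["session_id"], c["nonce"], str(c["expires"]),
                     ",".join(c["sequence"]), c["digits"]])
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(session_id, steps=3, now=None):
    """Build an unpredictable challenge sequence bound to one session."""
    now = time.time() if now is None else now
    rng = secrets.SystemRandom()  # OS CSPRNG, not the seedable random module
    c = {"session_id": session_id, "nonce": secrets.token_hex(16),
         "expires": int(now) + CHALLENGE_TTL_SECONDS,
         "sequence": rng.sample(ACTIONS, steps),  # random order, no repeats
         "digits": "".join(str(secrets.randbelow(10)) for _ in range(4))}
    c["tag"] = _tag(c)
    return c


def verify_response(c, session_id, observed_sequence, observed_digits, now=None):
    """Accept only a fresh, untampered, unused challenge answered in order."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_tag(c), c["tag"]):
        return "rejected_tampered"
    if c["session_id"] != session_id:
        return "rejected_wrong_session"
    if now > c["expires"]:
        return "rejected_expired"
    if c["nonce"] in _used_nonces:
        return "rejected_replayed"
    _used_nonces.add(c["nonce"])  # burn the nonce even if the answer is wrong
    if list(observed_sequence) != c["sequence"]:
        return "rejected_wrong_actions"
    if "read_digits" in c["sequence"] and observed_digits != c["digits"]:
        return "rejected_wrong_digits"
    return "accepted"
```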
Effectiveness by Attack Type
Anonymized aggregate detection rates from production systems:
| Attack Type | Passive Only | Passive + Active |
|---|---|---|
| Printed photo | 99%+ | 99.9%+ |
| Phone screen photo | 96-98% | 99%+ |
| 4K screen video replay | 88-93% | 97-99% |
| Low-quality deepfake | 85-92% | 95-98% |
| High-quality deepfake | 72-85% | 90-96% |
| 3D silicone mask | 65-80% | 85-92% |
High-quality deepfakes — driven by open-source models becoming cheaper through 2024-2025 — are the fastest-growing threat. PAD Level 3 certified solutions are the only category providing meaningful single-layer protection in this segment.
Common Integration Mistakes
Mistake 1: Passive only across the board. Adequate for low-risk flows but exposes high-risk profiles (PEPs, crypto, high-value) to deepfake attacks. Active liveness should be mandatory for medium-to-high risk.
Mistake 2: Not validating certification. "Vendor says they're PAD Level 2" is insufficient — confirm the certification is current, identify which model variant was tested, and verify the production model matches.
Mistake 3: Not calibrating thresholds. Default thresholds rarely match your customer mix. Track false-acceptance and false-rejection rates on your data and tune accordingly. Too strict loses conversions; too lax lets spoofs through.
Mistake 4: Same active challenge order each time. An attacker who profiles the flow once can pre-record responses. Challenges must be randomized.
Mistake 5: Not logging the liveness score. During regulatory inspection, "what was this customer's liveness score?" is a basic question. Score + model version + threshold + outcome must be logged with the session.
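An added example, not Legichain's or any vendor's code: the hybrid policy and score bands described in this article expressed as one decision function, plus an audit record carrying the score, model version, thresholds and outcome. The tier names, outcome strings and record field names are assumptions; the 0.8 and 0.6 bands are the article's typical starting values.

```python
import json

AUTO_PASS = 0.8    # article: auto-pass typically starts at 0.8+
REVIEW_MIN = 0.6   # article: 0.6-0.8 escalates to operator review


def decide(passive_score, risk_tier, active_passed=None, attempt=1):
    """Map a passive score, risk tier and active result to a session outcome."""
    # Fail closed on NaN or out-of-range scores instead of comparing them.
    if not (isinstance(passive_score, float) and 0.0 <= passive_score <= 1.0):
        raise ValueError("liveness score must be a float in [0, 1]")
    failed = "retry_with_tip" if attempt == 1 else "operator_video_session"
    if passive_score < REVIEW_MIN:
        return failed
    if passive_score < AUTO_PASS:
        return "operator_review"
    # Only an explicit "low" tier skips the active challenge, so an unknown
    # or misspelled tier is treated as medium-to-high risk.
    if risk_tier != "low":
        if active_passed is None:
            return "active_challenge_required"
        if not active_passed:
            return failed
    return "pass"


def audit_record(session_id, timestamp, model_version, passive_score,
                 risk_tier, active_passed=None, attempt=1):
    """Serialise the decision with every input needed to reproduce it later."""
    outcome = decide(passive_score, risk_tier, active_passed, attempt)
    return json.dumps({
        "session_id": session_id,
        "timestamp": timestamp,
        "model_version": model_version,
        "passive_score": passive_score,
        "thresholds": {"auto_pass": AUTO_PASS, "review_min": REVIEW_MIN},
        "risk_tier": risk_tier,
        "active_passed": active_passed,
        "attempt": attempt,
        "outcome": outcome,
    }, sort_keys=True)
```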
Frequently Asked Questions
Does liveness detection run on-device or in the cloud?
Both options exist. On-device models (TensorFlow Lite, Core ML) offer lower latency but are smaller and less accurate. Cloud models are larger and more accurate but introduce latency and require sending biometric data over the network. Typical architecture: on-device pre-filter (catches obvious spoofs early) combined with a cloud-side main model. High-risk institutions tend to require the cloud-side model as the authoritative decision.
How much does active liveness affect conversion?
Typically 10-15% user drop-off versus passive-only flows. Simple challenges ("turn your head right") cost less; complex challenges ("read these digits aloud") cost more. The practical solution is to trigger active liveness only for medium-to-high risk profiles, leaving low-risk flows on passive-only.
Is liveness detection accessible to users with disabilities?
Passive liveness works for most disabilities. Active liveness can be problematic — visually impaired users can't read digits from a screen, and users with facial paralysis may fail blink challenges. Accessible design requires alternative challenge types (audio-only, motor-only) or operator fallback for users who can't complete standard challenges. EU Accessibility Act and UK equality law both apply.
What happens when liveness detection fails?
Typical flow: the first failure shows a retry with a tip ("don't aim the camera into direct light"). A second failure escalates to an operator video session, where a human operator can visually confirm or reject the customer. Fully rejected applicants may trigger STR (suspicious transaction report) review under AML obligations if the failure pattern suggests deliberate spoofing.
What metrics should KYC operators track for liveness?
- False Acceptance Rate (FAR): spoofed sessions that passed — a security gap.
- False Rejection Rate (FRR): genuine users rejected — a conversion loss.
- PAD model version and last update date.
- Detection rate by attack type (printed photo, video replay, mask, deepfake).
- Monthly spoof attempt count — for trend monitoring.
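An added example, not from the original article: computing FAR, FRR and per-attack-type detection rate from labelled session scores, and choosing the lowest threshold that keeps FAR within a target, which is the calibration step described under Mistake 3. The scores and labels below are constructed for illustration, and the label names are assumptions.

```python
from collections import defaultdict

# Constructed labelled sessions: (passive liveness score, ground-truth label).
SAMPLES = [
    (0.97, "live"), (0.93, "live"), (0.91, "live"), (0.88, "live"),
    (0.84, "live"), (0.79, "live"), (0.74, "live"), (0.62, "live"),
    (0.12, "printed_photo"), (0.20, "printed_photo"),
    (0.35, "screen_replay"), (0.58, "screen_replay"),
    (0.66, "deepfake"), (0.81, "deepfake"),
    (0.45, "mask"), (0.86, "mask"),
]


def far_frr(samples, threshold):
    """FAR = spoofs scoring at or above threshold; FRR = live users below it."""
    spoof = [s for s, label in samples if label != "live"]
    genuine = [s for s, label in samples if label == "live"]
    far = sum(s >= threshold for s in spoof) / len(spoof)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(samples, max_far):
    """Lowest observed score usable as a threshold with FAR <= max_far.

    FAR only falls and FRR only rises as the threshold goes up, so the
    first threshold that meets the FAR target also has the lowest FRR.
    Returns (threshold, far, frr), or None if no observed score qualifies.
    """
    for t in sorted({s for s, _ in samples}):
        far, frr = far_frr(samples, t)
        if far <= max_far:
            return t, far, frr
    return None


def detection_by_attack(samples, threshold):
    """Share of each attack type that scores below the threshold."""
    caught, total = defaultdict(int), defaultdict(int)
    for score, label in samples:
        if label != "live":
            total[label] += 1
            caught[label] += score < threshold
    return {label: caught[label] / total[label] for label in total}
```

On this constructed data the 0.8 starting threshold lets two of eight spoofs through, which is the kind of gap that only shows up when the rates are measured on your own sessions.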
How Legichain helps
Legichain Digital KYC ships with NIST PAD Level 2 certified liveness as standard, with an upgrade path to PAD Level 3 for high-risk verticals (crypto exchanges, high-value banking). Passive liveness plus optional active challenges runs as a hybrid by default; thresholds are calibrated against your customer base's FAR/FRR data. Detailed logging by attack type (printed photo, screen replay, deepfake, mask) is structured for AML inspection. Liveness score, model version, threshold, and decision are written to the audit chain; 10-year retention and hash-chain integrity are platform features. For high-risk flows where automated liveness scoring is inconclusive, Legichain Video KYC escalates directly to an operator queue for visual verification.
