Liveness Detection for KYC: Defending Against Spoofing Attacks

We design and deploy artificial intelligence systems: from prototype to production-ready solutions. Our team combines expertise in machine learning, data engineering and MLOps to make AI work not in the lab, but in real business.
Showing 1 of 1All 1566 services
Liveness Detection for KYC: Defending Against Spoofing Attacks
Complex
from 2 weeks to 3 months
Frequently Asked Questions

AI Development Areas

AI Solution Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1317
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1226
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    925
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1156
  • image_logo-advance_0.webp
    B2B Advance company logo design
    620
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    894

We often see face recognition systems failing to stop photo and video spoofing—anyone with a printed snapshot or screen recording can bypass authentication. In banking apps, KYC systems, and biometric access control, this is a critical vulnerability. By developing face liveness detection (liveness detection), we block such attacks and ensure compliance with regulatory requirements. Our team has 6+ years of experience in biometric security and has delivered over 15 projects for fintech and enterprise. We combine passive and active methods to achieve FAR < 0.01% with FRR around 2%—all without specialized hardware. Get a consultation on integrating liveness detection for your project.

What Spoofing Attacks Do We Counter?

Spoofing attacks fall into four categories. 2D attacks (photo, video on screen) are the most common. 3D attacks (silicone or paper masks) require physical props. Deepfake attacks—real-time synthesized video—are a growing threat. Adversarial attacks involve images crafted to fool the model. Each attack type demands specific detection methods, which we evaluate based on Presentation Attack Detection. Below is a comparison of approaches.

Method 2D attacks 3D attacks Deepfake No special hardware UX
Passive liveness Excellent Good Moderate Yes Excellent
Active liveness Excellent Good Moderate Yes Moderate
Depth-based Excellent Excellent Excellent No Excellent
rPPG Moderate Moderate Good Yes Excellent

Passive liveness offers the best UX, but deepfake requires more complex methods—temporal consistency analysis and rPPG.

How Does Combining Passive and Active Liveness Boost Reliability?

In practice, we use a combination of passive and active detection. The passive model (CDCN++) analyzes texture and artifacts. The active challenge—a random blink—is tracked via MediaPipe. This provides high security without depth sensors. Below is a comparison table of methods by key metrics.

Method FAR (average) FRR (average) Verification time Deepfake protection
Passive only 0.05% 2% 0.5 s Moderate
Active only 0.02% 3% 2 s Moderate
Passive+Active 0.01% 1.8% 2.1 s High
Passive+Active+rPPG 0.005% 1.5% 2.5 s Very high
class LivenessDetector:
    def __init__(self):
        self.passive_model = load_model("cdcn_plus_plus.onnx")
        self.face_mesh = mp.solutions.face_mesh.FaceMesh(
            max_num_faces=1,
            min_detection_confidence=0.7
        )

    def check_liveness(self, frames: list) -> LivenessResult:
        passive_scores = [self.passive_model(f) for f in frames]
        passive_score = np.mean(passive_scores)
        motion_valid = self._verify_challenge_completion(frames)
        combined_score = 0.6 * passive_score + 0.4 * float(motion_valid)
        return LivenessResult(
            is_live=combined_score > 0.75,
            confidence=combined_score,
            passive_score=passive_score
        )

For deepfake protection, we add rPPG—heart rate analysis from subtle skin color variations. The signal from ROIs (forehead, cheeks) is bandpass filtered at 0.7–3.0 Hz. A live person shows a clear peak at heart rate (~1.2 Hz); deepfake shows noise.

Practical Case from Our Experience

Our client was a bank implementing mobile biometric authentication. The first version (without liveness) allowed several spoofing attempts via screen photos within two weeks; some succeeded, causing financial loss. After deploying passive+active detection (CDCN++ + challenge), no successful attack was recorded over eight months. FAR was under 0.01%, FRR at 1.8% after calibration, and average verification time was 2.1 seconds. Licensing cost savings reached up to 40% compared to cloud-based solutions.

Why ISO 30107-3 Compliance Matters

For KYC in fintech, compliance with the Central Bank of Russia and the ISO/IEC 30107-3 standard (Presentation Attack Detection) is essential. iBeta certification is mandatory for enterprise deployments. We help you pass certification and prepare documentation. Investment in liveness detection pays off within 3–6 months through reduced fraud transaction losses.

The iBeta certification process has two levels. Level 1: testing on 2D attacks (photo, video)—takes 6–8 weeks. Level 2: includes 3D masks and deepfakes—up to 12 weeks. Our models achieve ACER below 1% at both levels, meeting standard requirements. According to ISO/IEC 30107-3:2023, Level 1 allows ACER not exceeding 5%.

How We Do It: Step-by-Step Process

  1. Audit of existing biometric system and vulnerability analysis.
  2. Selection and configuration of passive/active methods for your hardware.
  3. Development and API integration (REST/gRPC).
  4. Attack testing (liveness benchmark).
  5. Documentation and user instructions.
  6. Post-deployment support.

Contact us for a consultation—we'll evaluate your project and propose the optimal solution. Order a pilot implementation of passive liveness in 3 weeks and see the effectiveness.

Why Our Development Outperforms Pure Active Methods?

Our combined passive+active liveness, tested on LFW Anti-Spoofing, achieves ACER under 1%—twice as good as pure active at the same FAR. We implement systems in 3–14 weeks, depending on complexity. We guarantee ISO 30107-3 compliance and support at every stage.