TL;DR: Biometric systems can pass presentation attack tests and still fail against injection attacks, a gap highlighted by CEN/TS 18099 and iProov’s 40-day evaluation, which found no successful injection method could be established under Ingenium Level 4 testing. The real issue is that proof of resistance now depends on independent, standards-aligned validation, not vendor claims.
At a glance
What this is: This analysis explains why CEN/TS 18099 was created and what it changes for biometric verification: injection attacks must now be proven against independently tested resilience, not inferred from presentation attack results.
Why it matters: It matters because IAM, fraud, and identity teams now need evidence that biometric controls resist automated injection as well as physical spoofing, or they risk treating unverified assurance as validated security.
By the numbers:
- CEN/TS 18099 addresses a gap that became more urgent after injection attacks grew 740% on iOS in 2025.
- iProov’s evaluation ran for 40 days and assessed at least three distinct injection attack methods and fifteen attack instruments.
- The Bona Fide Presentation Classification Error Rate was 1.3%, well below the 15% threshold required by the standard.
Context
Biometric verification now has to withstand two different failure modes: presentation attacks, where an attacker shows a fake face or replay at the camera, and injection attacks, where malicious data is inserted into the pipeline through software or device-level manipulation. The second category is harder to see and easier to scale, which is why traditional biometric assurance no longer tells the full story for identity programmes.
For IAM, fraud, and digital onboarding teams, the practical question is no longer whether a system can spot spoofing at the edge. It is whether the system can prove resilience when the attack is automated, remote, and designed to stay invisible to normal monitoring. That makes standards-based validation central to procurement, risk acceptance, and assurance reporting.
Key questions
Q: How should organisations evaluate biometric controls for both spoofing and injection risk?
A: They should assess presentation attack detection and injection attack resilience separately, because the controls and test methods are different. A system that resists photos or masks may still fail when malicious data is inserted into the software path. Procurement should require independent evidence for both attack classes before the control is trusted in onboarding or step-up workflows.
Q: Why do biometric systems that pass liveness testing still create risk?
A: Because liveness testing often covers only presentation attacks, not injection attacks that bypass the sensor entirely. If a system can be fed synthetic content through software, emulator, or network manipulation, the user may still appear legitimate while the pipeline has already been compromised. That is why evidence must match the threat path, not just the user interface.
Q: What do security teams get wrong about biometric assurance claims?
A: They often treat a single certification or internal evaluation as proof of broad resilience. In practice, assurance is only meaningful when the team knows which attack class was tested, which standard was used, and whether the result came from an accredited independent lab. Without that context, a strong claim can mask a narrow test scope.
Q: What should procurement teams ask before accepting deepfake resistance claims?
A: They should ask which independent lab tested the control, against which standard, and at what assurance level. They should also confirm whether the test covered injection attacks as well as presentation attacks, because the two failure modes are not interchangeable. If the answer is vague, the control is unverified rather than proven.
Technical breakdown
Injection attacks versus presentation attacks
Presentation attacks try to fool the sensor with something physically present, such as a photo, mask, or replay. Injection attacks skip that layer and target the software path itself, using manipulated traffic, emulators, hooks, or library abuse to replace biometric data before the application evaluates it. That distinction matters because a system can look strong in PAD testing and still have no resilience when the attack is injected upstream. CEN/TS 18099 exists because the old testing model did not account for this software-mediated threat path.
Practical implication: do not treat PAD certification as evidence of injection resilience.
How CEN/TS 18099 evaluates injection resilience
CEN/TS 18099 separates attack delivery from attack payload. The standard evaluates Injection Attack Method, meaning the path used to establish the attack, and Injection Attack Instrument, meaning the synthetic image, video, or face data delivered through that path. This two-stage model reveals whether a control blocks the attack channel itself or only detects malicious content after it arrives. That is a more useful assurance model because it shows where the defence actually operates and where the system still depends on detection downstream.
Practical implication: ask vendors whether they block the delivery path or only detect the content.
Why independent validation now matters for identity assurance
Vendor documentation, architecture diagrams, and non-production spoof programmes do not give comparable evidence. Independent testing against recognised standards is what makes assurance portable across procurement, audit, and security review. For biometric identity, that means looking beyond claimed liveness and asking which lab tested the control, against which specification, and at what level. ISO/IEC 30107 remains relevant for presentation attacks, but it does not answer the injection question, so both forms of evidence are needed in a modern assurance stack.
Practical implication: require published third-party validation before accepting biometric control claims.
Breaches seen in the wild
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
- CI/CD pipeline exploitation case study — full server takeover via exposed .git directory and mismanaged CI/CD pipeline secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Injection attack resilience is now a separate assurance domain, not an extension of presentation attack detection. The standards gap is structural: ISO/IEC 30107 evaluates what reaches the camera, while CEN/TS 18099 evaluates what enters the pipeline. A control can satisfy PAD requirements and still fail against deepfake injection because the threat model changed from spoofing a sensor to subverting the data path. Practitioners should treat these as different assurance questions, not adjacent ones.
Validation based on internal testing or architectural narrative is not comparable evidence. If one system is validated through recognised, independent testing and another relies on vendor-run spoof exercises, the resulting claims do not sit on the same footing. This is a governance problem as much as a technical one, because procurement and risk committees need repeatable proof, not illustrative confidence. The implication is that evidence quality must become a buying criterion.
Validation gap: The assumption that a biometric system proven against presentation attacks is broadly resilient was designed for camera-facing spoofing. That assumption fails when the actor can inject content through software, emulator, or network paths because the test target is no longer the sensor. The implication is that identity assurance must be separated by attack class, not bundled under a single liveness claim.
Independent lab accreditation is becoming part of the control itself. When biometric assurance is used for onboarding, step-up, or fraud reduction, the credibility of the test matters as much as the test outcome. A published result from an accredited lab gives security and compliance teams a common language for control validation, while opaque internal assertions do not. Practitioners should expect assurance evidence to be standards-aligned, not narrative-led.
The market is moving toward proof, not posture. As global standards evolve, vendors that cannot show independent resilience testing will create friction for procurement, audit, and regulatory review. That does not just affect product selection. It changes how identity teams write control requirements, assess residual risk, and justify biometric use in high-assurance workflows.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to Ultimate Guide to NHIs.
- For the governance context behind these failures, see 52 NHI Breaches Analysis for recurring attack patterns and control gaps.
What this signals
Validation gap: biometric programmes will increasingly be judged on whether they can prove resilience to the attack path, not whether they can detect a fake face at the edge. Teams that still rely on PAD-only evidence will struggle to defend assurance decisions in audit, procurement, or model-risk review. The operational shift is toward standards-aligned proof, because narrative-led validation does not age well under scrutiny.
For identity teams, the practical implication is a stronger separation between onboarding assurance and ongoing trust management. NHIMG’s broader research, which found 91.6% of secrets still valid five days after notification, shows how often controls stay live after the organisation thinks the issue is resolved. The same governance pattern appears here: if the evidence model is weak, the residual risk persists longer than the programme assumes.
Biometric assurance should now be written into control language as a verified capability with a named standard, a named lab, and a named attack class. That creates a cleaner path for procurement, exception handling, and future recertification, especially as CEN/TS 18099 and related international standards continue to evolve. Teams that build this evidence chain now will be better positioned when regulators and auditors ask for proof, not posture.
For practitioners
- Require separate evidence for PAD and injection resilience: Treat presentation attack detection and injection attack resilience as distinct acceptance criteria in procurement and risk reviews. Ask for independent testing against both ISO/IEC 30107 and CEN/TS 18099 rather than accepting a single liveness claim.
- Demand lab-level proof, not internal test narratives: Reject validation packs that rely only on vendor documentation, diagrams, or spoof bounty results in non-production environments. Require the name of the accredited lab, the standard used, and the tested assurance level before approval.
- Map biometric controls to the right threat class: Document whether each biometric control is intended to resist presentation attacks, injection attacks, or both, and record that mapping in your control library. This prevents teams from assuming one assurance outcome covers the other.
- Align procurement language to standards-based assurance: Write procurement requirements that specify published third-party validation, the exact test standard, and the assurance threshold needed for onboarding or step-up use cases. That makes later audit and exception handling far easier.
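The four practitioner steps above reduce to an acceptance rule that can be expressed as code. The following is an added example, not part of the original post or of any iProov or NHIMG tooling: it scores a vendor's evidence pack against the criteria the guidance names (separate attack classes, matching standard, named independent lab, stated assurance level, and the 15% BPCER ceiling cited for CEN/TS 18099). The sample packs, the lab name and the assurance levels are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Acceptance criteria taken from the guidance: each attack class needs its own
# independent-lab result against the matching standard, with a stated level.
REQUIRED_STANDARD = {"presentation": "ISO/IEC 30107", "injection": "CEN/TS 18099"}
BPCER_MAX = 15.0  # BPCER ceiling (per cent) the text cites for CEN/TS 18099

@dataclass
class Evidence:
    attack_class: str                      # "presentation" or "injection"
    standard: str                          # standard the test was run against
    lab: Optional[str]                     # named accredited lab; None if vendor-run
    assurance_level: Optional[str] = None  # e.g. "Level 4"; None if not stated
    bpcer_percent: Optional[float] = None  # reported for injection tests

def gaps_in(e: Evidence, standard: str) -> list:
    """Reasons a single evidence record fails the acceptance criteria."""
    gaps = []
    if e.standard != standard:
        gaps.append(f"tested against {e.standard}, not {standard}")
    if not e.lab:
        gaps.append("no named independent lab (vendor-run test)")
    if e.assurance_level is None:
        gaps.append("assurance level not stated")
    if e.attack_class == "injection" and (e.bpcer_percent is None or e.bpcer_percent > BPCER_MAX):
        gaps.append(f"BPCER missing or above {BPCER_MAX}%")
    return gaps

def evaluate_pack(evidence: list) -> dict:
    """Per attack class, list the gaps; an empty list means that class is proven."""
    findings = {}
    for cls, standard in REQUIRED_STANDARD.items():
        records = [e for e in evidence if e.attack_class == cls]
        if not records:
            findings[cls] = [f"no evidence submitted for {cls} attacks"]
            continue
        per_record = [gaps_in(e, standard) for e in records]
        # one fully acceptable record is enough; otherwise report every gap found
        findings[cls] = [] if any(not g for g in per_record) else sum(per_record, [])
    return findings

def is_acceptable(evidence: list) -> bool:
    """True only when both attack classes are covered by acceptable evidence."""
    return all(not gaps for gaps in evaluate_pack(evidence).values())

# Constructed sample packs (hypothetical lab name, not real test reports).
PAD_ONLY_PACK = [Evidence("presentation", "ISO/IEC 30107", "Example Accredited Lab", "Level 2"),
                 Evidence("injection", "vendor spoof bounty", None)]  # internal exercise only
FULL_PACK = PAD_ONLY_PACK[:1] + [
    Evidence("injection", "CEN/TS 18099", "Example Accredited Lab", "Level 4", 1.3)]
```

Running `evaluate_pack(PAD_ONLY_PACK)` shows the injection class rejected for both the wrong standard and the missing lab, which is exactly the "PAD-only evidence" failure the post describes.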
Key takeaways
- Biometric systems need separate proof for presentation attacks and injection attacks, because the two threat classes break different parts of the control chain.
- Independent lab validation is now central to assurance, because internal narratives and vendor diagrams do not provide comparable evidence.
- Practitioners should write procurement and governance requirements around standards, lab accreditation, and attack-class coverage rather than generic liveness claims.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | The article centres on biometric assurance under updated digital identity guidance. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication assurance depend on verified control effectiveness. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Injection-style abuse parallels non-human identity trust and verification failures. |
Document biometric validation evidence under identity assurance controls and review it during governance cycles.
Key terms
- Presentation Attack Detection: Presentation Attack Detection is the set of controls used to determine whether the biometric sample physically presented to a sensor is a fake. In practice, it tests resistance to photos, masks, video replays, and similar spoofing methods, but it does not automatically prove resilience to software-level injection attacks.
- Injection Attack: An injection attack in biometric systems is an attempt to bypass the sensor and feed manipulated data into the application, library, or network path instead. This is a different threat class from spoofing a camera and it requires separate testing, separate evidence, and separate governance decisions.
- Independent Validation: Independent validation is third-party testing against a recognised standard rather than a vendor's own test narrative. For identity controls, it gives procurement, audit, and security teams comparable evidence that a capability works against the specific threat model it claims to address.
- Assurance Level: An assurance level is the degree of confidence a standard assigns to a tested control under specified conditions. In biometric security, it helps teams distinguish baseline conformance from stronger resilience claims and avoid treating a narrow test result as broad proof of security.
Deepen your knowledge
Biometric assurance, injection attack resilience, and standards-based validation are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity proofing or fraud controls, it is worth exploring.
This post draws on content published by iProov: CEN/TS 18099 and the validation gap for deepfake injection attacks. Read the original.
Published by the NHIMG editorial team on 2026-02-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org