TL;DR: Liveness security is only as credible as the underlying testing standard, with ISO/IEC 30107-3, independent lab validation, and transparent APCER and BPCER metrics used to separate real presentation-attack resistance from marketing claims, according to Oz Forensics. In practice, biometric programmes should treat certification as a control evidence problem, not a feature checklist.
At a glance
What this is: This is an analysis of how ISO/IEC 30107-3, independent lab testing, and error-rate transparency determine whether a liveness solution can withstand spoofing attempts.
Why it matters: This matters because biometric onboarding and authentication sit at the edge of identity assurance, where weak presentation attack detection can undermine KYC, fraud controls, and access decisions across human identity programmes.
By the numbers:
- For a system to pass Level 2, it must maintain a BPCER/FNMR below 15%.
👉 Read Oz Forensics' analysis of ISO/IEC 30107-3 liveness certification
Context
Biometric liveness controls are meant to prove that a real person is present at the point of capture, but that assurance fails if the system cannot distinguish a live subject from a mask, replay, or printed image. In identity programmes, the issue is not only user experience, but whether the authentication signal is trustworthy enough to support onboarding and step-up verification.
For human identity teams, the hard part is separating certified assurance from marketing language. ISO/IEC 30107-3 matters because it gives practitioners a testable benchmark for presentation attack detection, while independent lab validation gives the result credibility beyond the vendor’s own claim.
Key questions
Q: How should security teams evaluate a liveness solution for onboarding?
A: Start with evidence, not feature claims. Ask whether the solution was tested under ISO/IEC 30107-3, whether the lab was independent, and whether the reported APCER and BPCER match the risk profile of your onboarding flow. A solution that looks strong in a demo can still be weak against real spoofing and poor device conditions.
Q: Why do biometric controls need independent validation?
A: Because self-attestation does not prove attack resistance. Independent validation gives identity teams a defensible basis for trusting biometric assurance in regulated onboarding, access, and fraud workflows. Without that proof, the organisation is relying on a vendor assertion rather than a tested control outcome.
Q: When does liveness detection become more than a usability choice?
A: It becomes mandatory whenever biometric proofing affects fraud risk, regulated onboarding, or access decisions where false acceptance has material impact. In those settings, the control is part of identity assurance and governance, not just a smoother user experience.
Q: What should teams do if a certified biometric system still creates too many false rejects?
A: Treat the error rate as a governance issue, not only a product issue. High false rejects can shift work into manual review, delay onboarding, and create inconsistent exceptions. Reassess whether the control is fit for the specific identity journey, device mix, and user population.
Technical breakdown
ISO/IEC 30107-3 and presentation attack detection
ISO/IEC 30107-3 is the common benchmark for presentation attack detection, or PAD, in biometric systems. It is designed to test whether a liveness solution can resist spoofing methods such as masks, video replays, and printed images. The key value is not the label itself, but the repeatable structure it creates for comparing claims against measurable outcomes. When an identity team evaluates a biometric control, the question is whether the solution was tested against realistic attack conditions and whether the reported performance reflects the deployment context, not just a lab narrative.
Practical implication: Require evidence that the test scope matches the way the biometric control will be used in production.
APCER, BPCER, and what error rates really tell you
APCER measures how often an attack is accepted as genuine, while BPCER measures how often a bona fide user is rejected. Those two figures describe different failure modes, and both matter because a strong anti-spoofing posture can still create poor user experience if false rejects are too high. Practitioners should read these metrics together, not as isolated marketing points. A low attack acceptance rate means little if the system creates friction that drives manual review, abandonment, or workarounds in onboarding and authentication flows.
Practical implication: Review APCER and BPCER together before approving a biometric control for customer-facing or high-assurance use.
Independent biometric validation and lab credibility
Independent accreditation changes the evidentiary value of a liveness test. A result from a vendor-controlled process is not the same as one produced by an accredited third-party lab, because the latter reduces the risk of selective reporting and inconsistent methodology. For human identity programmes, that difference matters in regulated environments where proof of control effectiveness is often as important as the control itself. The operational issue is not just whether the technology works, but whether the organisation can defend why it trusted it.
Practical implication: Use accredited third-party validation as a minimum evidence requirement for any biometric assurance decision.
Threat narrative
Attacker objective: The attacker’s objective is to bypass biometric identity proofing and obtain trusted access or fraudulent enrollment under a false identity.
- Entry occurs when an attacker presents a spoofing artifact such as a mask, replayed video, or printed face image to the biometric capture channel.
- Escalation follows if the system incorrectly classifies the presentation as genuine, allowing the impostor to proceed as an authenticated user.
- Impact is achieved when weak liveness controls permit fraudulent onboarding, account takeover, or false identity proofing at scale.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salt Typhoon US telecoms breach — Salt Typhoon APT used stolen credentials and Cisco CVE to breach US telecoms.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Biometric liveness is a human identity assurance control, not a marketing feature. The article correctly shifts attention from product claims to verifiable testing, which is how IAM teams should evaluate any control that underpins onboarding or step-up authentication. In regulated identity journeys, the real question is whether the control can withstand presentation attacks under repeatable standards, not whether the interface feels seamless. Practitioners should treat liveness as an evidence problem tied to assurance outcomes.
APCER and BPCER should be read as dual governance signals, not just lab metrics. A solution that catches spoofing but rejects legitimate users at an unacceptable rate pushes risk into manual review and exception handling, where controls usually weaken. That means biometric assurance and user experience are coupled governance decisions, especially in high-volume onboarding flows. Practitioners need to evaluate both error types before they decide the control is fit for purpose.
Independent validation is the boundary between trust and self-attestation. When a biometric vendor cites certification, the practical value comes from third-party methodology, not the claim itself. This is where human IAM governance aligns with compliance evidence, because organisations must be able to justify why a biometric assertion was accepted in the first place. Practitioners should require accredited proof before allowing liveness to influence trust decisions.
Biometric assurance needs lifecycle thinking because trust degrades outside the test lab. Certification shows how a system performed under a defined condition, but production environments introduce new devices, capture paths, and fraud patterns. That creates a governance gap between tested capability and deployed reality. Practitioners should manage liveness as a monitored identity control with periodic revalidation, not as a one-time purchase criterion.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs , Key Challenges and Risks.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, which is why identity teams cannot treat credential handling as a side issue.
- That evidence connects directly to NHI Lifecycle Management Guide, where provisioning, rotation, and offboarding are treated as core controls rather than administrative tasks.
What this signals
Biometric assurance is becoming a lifecycle control, not a point-in-time certification decision. Once liveness checks feed onboarding or step-up flows, identity teams need to track how assurance behaves across device changes, user segments, and threat drift. The control boundary is wider than the certificate, which is why certification should inform governance rather than replace it.
The practical signal for programmes is straightforward: if the organisation cannot explain how a liveness result was produced, tested, and defended, it is not ready to rely on it in a high-trust identity flow. That is especially true when biometric evidence is being used alongside KYC, fraud controls, or regulated access decisions.
For practitioners
- Demand accredited test evidence Require ISO/IEC 30107-3 results from an independent lab and verify that the test scope matches your real capture flow, user population, and threat model.
- Evaluate APCER and BPCER together Reject any procurement review that highlights only spoof resistance or only false reject rates, because the control can fail either security or usability objectives.
- Validate the deployment context Test whether the certified performance still holds on the devices, camera quality, network conditions, and user journeys you actually run in production.
- Tie liveness to KYC evidence Document how biometric proofing supports onboarding, fraud controls, and auditability so that the assurance decision can be defended later.
Key takeaways
- ISO/IEC 30107-3 is the meaningful benchmark when teams need to judge whether liveness detection can withstand spoofing attempts.
- APCER and BPCER must be evaluated together because attack resistance and user rejection are different failure modes with different business costs.
- Independent lab validation turns biometric assurance into evidence that IAM and compliance teams can defend, not just a vendor claim.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63A | Identity proofing guidance applies to biometric onboarding and liveness validation. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication are central to the article’s human assurance focus. |
| GDPR | Art.32 | Biometric processing and identity verification raise security-of-processing obligations. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance applies to biometric-backed identity decisions. |
Assess whether liveness controls support appropriate technical and organisational protection under Art.32.
Key terms
- Presentation Attack Detection: Presentation attack detection is the set of tests and controls used to determine whether a biometric sample comes from a live person or a spoofing attempt. In practice, it is the security layer that tries to distinguish real capture from masks, replays, printed images, or synthetic presentation.
- APCER: APCER is the rate at which a biometric system incorrectly accepts an attack presentation as genuine. It is a direct measure of spoof resistance and matters most when the identity decision carries fraud, onboarding, or access risk.
- BPCER: BPCER is the rate at which a biometric system incorrectly rejects a legitimate user. It matters because identity security that creates too many false rejects often drives manual workarounds, exception handling, and weaker operating behaviour.
- Biometric Assurance: Biometric assurance is the confidence an organisation has that a biometric signal supports the intended identity decision. It depends on testing method, deployment context, error rates, and governance evidence, not just on whether the system is marketed as liveness-enabled.
What's in the full article
Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:
- Vendor-specific guidance on selecting ISO/IEC 30107-3 Level 2 or higher for biometric assurance
- The article’s checklist for reviewing independent lab credentials and certification scope
- Practical notes on transparent APCER and BPCER reporting for procurement decisions
- How passive liveness is positioned for onboarding efficiency and reduced manual review
👉 Oz Forensics' full post covers certification levels, error metrics, and vendor evaluation criteria.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org