TL;DR: Biometric authentication can still be spoofed by deepfakes, replay attacks, and presentation attacks, and the source article argues that liveness detection adds proof of presence across onboarding, recovery, and high-value transactions, according to Ping Identity. The governance issue is not biometrics themselves, but the assumption that a matching face or voice is enough without live-presence verification.
At a glance
What this is: This is a practitioner guide to liveness detection, showing how it helps confirm biometric samples come from a live person rather than a photo, video, mask, or deepfake.
Why it matters: It matters because biometric assurance increasingly sits inside human IAM and account recovery flows, where spoofed identity can become account takeover, fraud, or unauthorized privilege escalation.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Ping Identity's guide to liveness detection and biometric fraud
Context
Liveness detection is the control that checks whether a biometric sample comes from a live person at the moment of authentication, not from a photo, replayed video, mask, or synthetic media. In practice, it sits inside human identity assurance, where biometrics alone no longer prove that the person presenting them is physically present or genuinely acting now.
The governance gap is straightforward: many organisations still treat a biometric match as enough, even as AI-generated audio and video attacks make spoofing cheaper and more convincing. That leaves onboarding, recovery, passwordless login, and high-value transactions exposed unless liveness is layered into the identity decision.
For teams building stronger identity assurance, the useful frame is not just fraud prevention. It is whether your authentication flow can distinguish a real user from a convincing replay at the exact point where trust is granted.
Key questions
Q: How should security teams use liveness detection in biometric login flows?
A: Use liveness detection wherever a biometric result would unlock meaningful access, especially in onboarding, recovery, and step-up authentication. The control should confirm live presence before the system trusts the match. Teams get the best results when they combine it with device trust, risk scoring, and recovery controls instead of treating it as a standalone gate.
Q: Why do biometrics need liveness detection if they already match the user?
A: A biometric match only shows similarity to an enrolled sample. It does not prove the sample came from a live person in real time. Liveness detection closes that gap by checking for cues that photos, masks, replays, and synthetic media struggle to imitate consistently, which is why it matters most in remote and high-risk identity flows.
Q: What do organisations get wrong about biometric fraud prevention?
A: They often assume that a successful face or voice match means the identity is trustworthy. In practice, the attack is frequently about how the sample is presented, not whether it resembles the right person. The right model is layered assurance, where liveness, device context, and transaction risk all influence the decision.
Q: Should organisations use active or passive liveness detection?
A: Choose based on risk and user friction. Active liveness, which relies on a visible challenge, is stronger but adds more friction, while passive liveness is smoother and better for high-volume or lower-friction flows. Most mature programmes use a hybrid model, reserving active challenges for higher-risk events and using passive checks elsewhere.
Technical breakdown
Presentation attacks vs injection attacks
Liveness systems are designed to detect two broad failure modes. Presentation attacks happen when an attacker shows a fake face, mask, printed image, or replayed video to the camera. Injection attacks are different: fake content enters the capture pipeline directly, bypassing the camera feed itself. The control therefore has to inspect both the biometric signal and the path by which it arrives. That is why vendors often combine device checks, sensor validation, and model-based spoof detection instead of relying on a single match score.
Practical implication: map which identity flows are exposed to camera replay, synthetic media, or SDK injection and require liveness controls that cover both paths.
Active, passive, and hybrid liveness checks
Active liveness asks the user to perform a task such as blinking or turning their head. Passive liveness evaluates the sample in the background by examining texture, depth, lighting, and motion cues without extra user action. Hybrid approaches combine both, using passive checks by default and escalating to an active challenge when risk is higher. The trade-off is always security versus friction, which is why the correct mode depends on the transaction value, fraud exposure, and acceptable abandonment rate.
Practical implication: choose the liveness mode by risk tier, not by convenience alone, and reserve stronger challenges for onboarding, recovery, and high-value actions.
Why biometric matching is not proof of presence
A biometric match confirms similarity, not liveness. That distinction matters because a deepfake or replayed image can still resemble an enrolled face closely enough to pass a naive comparison. Liveness detection adds the missing proof of presence by checking real-time cues that are hard to fake consistently, such as involuntary motion, three-dimensional depth, or natural reflection patterns. Standards like ISO/IEC 30107-3 and CEN/TS 18099 exist because lab accuracy alone does not show resilience against realistic spoofing.
Practical implication: do not accept biometric matching as a standalone assurance signal in remote onboarding, recovery, or step-up verification.
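The risk-tiered liveness selection and layered decision described above (liveness mode chosen by flow and risk, a match never trusted on its own, device binding for recovery and high-value actions) can be expressed as a small policy function. This is an added illustration, not code from Ping Identity or NHIMG; the flow names, the `Liveness` levels, the thresholds and the `decide` return values are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Flow(Enum):
    LOGIN = "login"            # routine sign-in
    STEP_UP = "step_up"        # high-value transaction requiring step-up
    RECOVERY = "recovery"      # account recovery / credential reset
    ONBOARDING = "onboarding"  # remote identity proofing at enrolment


class Liveness(Enum):
    NONE = 0     # no liveness check performed (bare biometric match)
    PASSIVE = 1  # background texture, depth, lighting and motion analysis
    ACTIVE = 2   # user-performed challenge such as a blink or head turn


@dataclass
class BiometricEvent:
    flow: Flow
    match_score: float         # similarity to enrolled template, 0..1
    liveness_passed: Liveness  # strongest liveness check that passed
    device_enrolled: bool      # presented from a registered device
    risk_score: float          # risk engine output, 0..1

# Illustrative thresholds (assumptions, not values from the article)
MATCH_THRESHOLD = 0.90
HIGH_RISK = 0.70


def required_liveness(flow: Flow, device_enrolled: bool, risk_score: float) -> Liveness:
    """Risk-tiered liveness policy: active challenge for onboarding, recovery,
    high-value actions, elevated risk or unknown devices; passive elsewhere."""
    if flow in (Flow.ONBOARDING, Flow.RECOVERY, Flow.STEP_UP):
        return Liveness.ACTIVE
    if risk_score >= HIGH_RISK or not device_enrolled:
        return Liveness.ACTIVE
    return Liveness.PASSIVE


def decide(event: BiometricEvent) -> str:
    """Return 'allow', 'step_up' (escalate to an active challenge) or 'deny'.
    The match score alone never produces 'allow'; presence, possession and
    risk context all feed the decision."""
    if event.match_score < MATCH_THRESHOLD:
        return "deny"  # not similar enough; liveness cannot rescue a failed match
    if event.flow in (Flow.RECOVERY, Flow.STEP_UP) and not event.device_enrolled:
        return "deny"  # a live biometric alone must not complete these flows from an unknown endpoint
    need = required_liveness(event.flow, event.device_enrolled, event.risk_score)
    if event.liveness_passed.value < need.value:
        return "step_up"  # match is trusted only after the stronger liveness check
    return "allow"
```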
NHI Mgmt Group analysis
Liveness detection is a human identity assurance control, not a biometric add-on. The article treats liveness as a way to verify presence at the moment trust is granted, which is the right framing for modern IAM. A biometric match without live-presence testing only proves similarity, not that the presenting user is real and current. For identity teams, the conclusion is that biometrics must be evaluated as part of the authentication decision chain, not as the decision itself.
AI-generated spoofing has turned biometric fraud into a governance problem. Deepfakes and replay attacks are no longer edge cases that only affect one channel or one sector. Once fraud tooling can mimic motion, texture, and voice at scale, the weak point becomes policy: which flows require live presence, which do not, and what evidence is acceptable for recovery or high-value transactions. Practitioners should treat this as an assurance policy design issue, not a point product selection exercise.
Biometric assurance must be layered with device and risk context. The article correctly notes that liveness works best when paired with MFA and registered-device constraints. That matters because a real user on an untrusted endpoint is a different risk from a real user on an enrolled device at the right moment. In practice, the strongest programmes tie liveness to device binding, transaction risk, and step-up policy so that presence, possession, and context reinforce each other.
Presentation attack detection should be named as a control family, not a feature claim. The useful named concept here is biometric presentation attack detection. That term captures the class of controls that look for photos, masks, deepfakes, and injected media rather than just comparing faces. Naming the control family helps teams ask the right question: where is live-presence validation mandatory, and where is a simple biometric match still too weak? The implication is clearer assurance design across onboarding, recovery, and payments.
Remote identity proofing now depends on whether the channel itself can be trusted. Once spoofing can target both the user and the capture pipeline, the channel becomes part of the identity boundary. That pushes authentication teams closer to fraud operations, because they need to think about presentation attacks, replay behaviour, and device trust together. The practical conclusion is that liveness cannot remain isolated inside a vendor evaluation matrix; it has to be embedded in identity governance.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity inventory remains across many programmes.
- As teams tighten biometric assurance, the next step is to pair it with the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs so that identity controls are governed across people, machines, and recovery paths.
What this signals
Biometric fraud is now an identity governance issue, not just a fraud ops issue: once deepfakes and replay attacks can impersonate presence, the real question is which identity journeys deserve proof-of-presence control. Teams should align liveness requirements to transaction risk, recovery privilege, and device trust rather than applying a universal policy.
The programme signal is clear: authentication strength must be evaluated at the point of trust grant, not at the point of match. A biometric that cannot distinguish live presence from synthetic replay belongs in the same risk conversation as weak device binding or over-broad recovery privilege.
For broader identity programmes, the useful pivot is to treat liveness as one layer in a wider assurance stack that includes human identity, secrets hygiene, and lifecycle governance. That is especially true when recovery flows can touch NHI-backed systems or privileged support paths.
For practitioners
- Classify every biometric flow by fraud impact: Separate low-risk sign-in, password recovery, onboarding, and high-value transactions. Require stronger liveness checks only where spoofed presence would create material account takeover or payment risk.
- Require liveness for remote recovery and re-verification: Do not allow biometric matching alone to unlock account recovery, especially when the action can reset credentials or bypass prior controls. Pair live-presence checks with step-up verification and device context.
- Test for both presentation and injection attacks: Validate that the control resists masks, replayed video, deepfakes, and SDK-level content injection. Use independent testing against relevant biometric attack standards rather than accepting lab-only accuracy claims.
- Bind assurance to enrolled devices where possible: Add device registration or trusted-device logic so that a live biometric alone cannot complete the flow from an unknown endpoint. This reduces the chance that a remote spoof can turn into account takeover.
Key takeaways
- Biometric matching is not the same as proving a real person is present, and that gap is now exploitable at scale.
- Liveness detection reduces account takeover and fraud risk by checking for live presence across onboarding, recovery, and high-value actions.
- The strongest programmes layer liveness with device trust, transaction risk, and identity lifecycle controls instead of using it as a standalone control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Liveness supports stronger identity proofing and authenticators in remote authentication flows. |
| NIST CSF 2.0 | PR.AA-01 | Authentication assurance depends on verifying that the presenting subject is genuine. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity assurance failures often arise when trust is granted without verifying the true subject. |
Use phishing-resistant and proofing-aware identity controls where biometric trust is part of enrollment or recovery.
Key terms
- Liveness Detection: Liveness detection is the process of checking that a biometric sample comes from a live person in the present moment. It helps distinguish real users from photos, videos, masks, replay attacks, and synthetic media during authentication or identity proofing.
- Presentation Attack: A presentation attack is when an attacker presents a fake biometric sample to a capture device, such as a printed face, mask, or replayed video. The goal is to fool the system at the point of capture rather than by breaking the credential itself.
- Injection Attack: An injection attack bypasses the camera or microphone path by feeding manipulated content directly into the capture pipeline. In biometric fraud, this can defeat weak controls that only inspect what the user interface shows and not what the system actually receives.
- Proof Of Presence: Proof of presence is evidence that the person presenting a biometric is physically and temporally present during the transaction. It is stronger than a match score because it addresses whether the biometric sample is live, current, and tied to the interaction being approved.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Ping Identity: What Is Liveness Detection? Preventing Biometric Fraud. Read the original.
Published by the NHIMG editorial team on 2024-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org