
Biometric injection attacks: are your identity controls actually proven?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Biometric systems can pass presentation attack tests and still fail against injection attacks, a gap highlighted by CEN/TS 18099 and iProov’s 40-day evaluation, which found no successful injection method could be established under Ingenium Level 4 testing. The real issue is that proof of resistance now depends on independent, standards-aligned validation, not vendor claims.

NHIMG editorial — based on content published by iProov: CEN/TS 18099 and the validation gap for deepfake injection attacks

Questions worth separating out

Q: How should organisations evaluate biometric controls for both spoofing and injection risk?

A: They should assess presentation attack detection and injection attack resilience separately, because the controls and test methods are different.

Q: Why do biometric systems that pass liveness testing still create risk?

A: Because liveness testing often covers only presentation attacks, not injection attacks that bypass the sensor entirely.

Q: What do security teams get wrong about biometric assurance claims?

A: They often treat a single certification or internal evaluation as proof of broad resilience.

Practitioner guidance

  • Require separate evidence for PAD and injection resilience: treat presentation attack detection (PAD) and injection attack resilience as distinct acceptance criteria in procurement and risk reviews.
  • Demand lab-level proof, not internal test narratives: reject validation packs that rely only on vendor documentation, diagrams, or spoof bounty results obtained in non-production environments.
  • Map biometric controls to the right threat class: document whether each biometric control is intended to resist presentation attacks, injection attacks, or both, and record that mapping in your control library.

What's in the full article

iProov's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full explanation of how CEN/TS 18099 distinguishes attack delivery from attack payload in biometric testing.
  • The Ingenium Level 4 evaluation context, including how extended testing increases assurance beyond the baseline standard.
  • The specific relationship between iBeta, FIDO Face Verification Certification, and the broader evidence stack for biometric procurement.
  • The article's discussion of accessibility, operational security, and regulatory validation signals around future standardisation.

👉 Read iProov's analysis of CEN/TS 18099 and deepfake injection resilience →
