Biometric injection attacks: are your identity controls actually proven?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Biometric systems can pass presentation attack tests and still fail against injection attacks, a gap highlighted by CEN/TS 18099 and iProov’s 40-day evaluation, which found no successful injection method could be established under Ingenium Level 4 testing. The real issue is that proof of resistance now depends on independent, standards-aligned validation, not vendor claims.

NHIMG editorial — based on content published by iProov: CEN/TS 18099 and the validation gap for deepfake injection attacks

By the numbers:

Questions worth separating out

Q: How should organisations evaluate biometric controls for both spoofing and injection risk?

A: They should assess presentation attack detection and injection attack resilience separately, because the controls and test methods are different.

Q: Why do biometric systems that pass liveness testing still create risk?

A: Because liveness testing often covers only presentation attacks, not injection attacks that bypass the sensor entirely.

Q: What do security teams get wrong about biometric assurance claims?

A: They often treat a single certification or internal evaluation as proof of broad resilience.

Practitioner guidance

  • Require separate evidence for PAD and injection resilience: treat presentation attack detection and injection attack resilience as distinct acceptance criteria in procurement and risk reviews.
  • Demand lab-level proof, not internal test narratives: reject validation packs that rely only on vendor documentation, diagrams, or spoof bounty results in non-production environments.
  • Map biometric controls to the right threat class: document whether each biometric control is intended to resist presentation attacks, injection attacks, or both, and record that mapping in your control library.

What's in the full article

iProov's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full explanation of how CEN/TS 18099 distinguishes attack delivery from attack payload in biometric testing.
  • The Ingenium Level 4 evaluation context, including how extended testing increases assurance beyond the baseline standard.
  • The specific relationship between iBeta, FIDO Face Verification Certification, and the broader evidence stack for biometric procurement.
  • The article's discussion of accessibility, operational security, and regulatory validation signals around future standardisation.

👉 Read iProov's analysis of CEN/TS 18099 and deepfake injection resilience →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Injection attack resilience is now a separate assurance domain, not an extension of presentation attack detection. The standards gap is structural: ISO/IEC 30107 evaluates what reaches the camera, while CEN/TS 18099 evaluates what enters the pipeline. A control can satisfy PAD requirements and still fail against deepfake injection because the threat model changed from spoofing a sensor to subverting the data path. Practitioners should treat these as different assurance questions, not adjacent ones.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: What should procurement teams ask before accepting deepfake resistance claims?

A: They should ask which independent lab tested the control, against which standard, and at what assurance level. They should also confirm whether the test covered injection attacks as well as presentation attacks, because the two failure modes are not interchangeable. If the answer is vague, the control is unverified rather than proven.

👉 Read our full editorial: CEN/TS 18099 exposes the biometric injection validation gap
