TL;DR: Liveness security is only as credible as the underlying testing standard, with ISO/IEC 30107-3, independent lab validation, and transparent APCER and BPCER metrics used to separate real presentation-attack resistance from marketing claims, according to Oz Forensics. In practice, biometric programmes should treat certification as a control evidence problem, not a feature checklist.
NHIMG editorial — based on content published by Oz Forensics: How to Choose a Liveness Solution That Actually Works?
By the numbers:
- For a system to pass Level 2, it must maintain a BPCER/FNMR below 15%.
Questions worth separating out
Q: How should security teams evaluate a liveness solution for onboarding?
A: Start with evidence, not feature claims.
Q: Why do biometric controls need independent validation?
A: Because self-attestation does not prove attack resistance.
Q: When does liveness detection become more than a usability choice?
A: It becomes mandatory whenever biometric proofing affects fraud risk, regulated onboarding, or access decisions where false acceptance has material impact.
Practitioner guidance
- Demand accredited test evidence Require ISO/IEC 30107-3 results from an independent lab and verify that the test scope matches your real capture flow, user population, and threat model.
- Evaluate APCER and BPCER together Reject any procurement review that highlights only spoof resistance or only false reject rates, because the control can fail either security or usability objectives.
- Validate the deployment context Test whether the certified performance still holds on the devices, camera quality, network conditions, and user journeys you actually run in production.
What's in the full article
Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:
- Vendor-specific guidance on selecting ISO/IEC 30107-3 Level 2 or higher for biometric assurance
- The article’s checklist for reviewing independent lab credentials and certification scope
- Practical notes on transparent APCER and BPCER reporting for procurement decisions
- How passive liveness is positioned for onboarding efficiency and reduced manual review
👉 Read Oz Forensics' analysis of ISO/IEC 30107-3 liveness certification →
Liveness certification and biometric onboarding controls: what matters now?
Explore further
Biometric liveness is a human identity assurance control, not a marketing feature. The article correctly shifts attention from product claims to verifiable testing, which is how IAM teams should evaluate any control that underpins onboarding or step-up authentication. In regulated identity journeys, the real question is whether the control can withstand presentation attacks under repeatable standards, not whether the interface feels seamless. Practitioners should treat liveness as an evidence problem tied to assurance outcomes.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs , Key Challenges and Risks.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, which is why identity teams cannot treat credential handling as a side issue.
A question worth separating out:
Q: What should teams do if a certified biometric system still creates too many false rejects?
A: Treat the error rate as a governance issue, not only a product issue. High false rejects can shift work into manual review, delay onboarding, and create inconsistent exceptions. Reassess whether the control is fit for the specific identity journey, device mix, and user population.
👉 Read our full editorial: ISO/IEC 30107-3 is the real test for liveness security