Liveness Detection

Liveness Detection -- Preventing Biometric Spoofing

Liveness detectionLiveness detectionBiometricAnti-spoofing verification that biometric input is from a live person.Click to view → (also called Presentation Attack Detection or PAD) is an anti-spoofing technology that verifies a biometric sample originates from a living person rather than an artificial replica -- a silicone fingerprint mold, a printed photograph, a 3D mask, or a replay of a captured biometric signal. In smart card systems, liveness detection is a critical defense layer that protects Match-On-Card biometric verification from being defeated by physical spoofs.

Detection Methods

Liveness detection techniques fall into two categories. Hardware-based methods use sensor characteristics to detect vitality signs: capacitive fingerprint sensors in biometric payment cards can measure sub-dermal features (blood flow, skin conductivity, pulse oximetry) that a silicone mold cannot replicate. Software-based methods analyze the biometric sample algorithmically, looking for texture patterns, spectral signatures, or motion characteristics that distinguish real tissue from artificial materials.

Implementation in Smart Card Systems

For biometric payment cards, liveness detection is typically integrated into the fingerprint sensor module rather than the card's secure element, since sensor-level detection can reject spoofs before any matching computation begins. The sensor firmware applies a liveness score to each captured sample; only samples exceeding the liveness threshold are forwarded to the card for MOC template matching. This two-stage pipeline -- liveness check followed by biometric match -- provides defense in depth without increasing on-card processing latency.

Standards and Evaluation

ISO/IEC 30107 defines a framework for testing and reporting presentation attack detection performance. The standard introduces metrics such as APCER (Attack Presentation Classification Error Rate) -- the proportion of attack presentations incorrectly classified as genuine -- and BPCER (Bona Fide Presentation Classification Error Rate) -- the proportion of genuine presentations incorrectly classified as attacks. These metrics complement the FAR/FRR framework by quantifying the systems resilience to deliberate spoofing attempts rather than just passive classification errors.