KYC & Customer Onboarding

eKYC Liveness Detection and Biometric Verification Explained

Liveness detection and biometric face matching now sit at the centre of every digital onboarding flow that meets modern regulatory standards. This guide explains how the technology works, the difference between active and passive liveness, ISO 30107-3 Presentation Attack Detection levels, and what regulators across MAS, RBI, eIDAS, and FinCEN actually accept.

Published: May 2026 | Category: KYC & Customer Onboarding | Read time: ~9 minutes

Quick Answer
eKYC liveness detection is the technology that confirms the person presenting an identity document during digital onboarding is a real, present human being — not a photograph, video replay, mask, or deepfake. It works alongside biometric face matching, which confirms that the person is the same person whose face appears on the identity document. The combination — document authentication + face match + liveness — is the standard for compliant remote identity verification across major regulatory regimes including MAS guidance for digital onboarding, India's Aadhaar-based eKYC, the EU eIDAS regulation's qualified-trust frameworks, and FinCEN guidance for non-face-to-face onboarding. Liveness detection is evaluated against the ISO/IEC 30107-3 standard for Presentation Attack Detection (PAD), with PAD Level 1 covering basic spoofing attempts (printed photos, video replay) and PAD Level 2 covering sophisticated attacks (3D masks, deepfakes). Modern eKYC platforms target PAD Level 2 conformance to address current deepfake threat models.

Five years ago, the question for compliance teams was whether digital onboarding could be trusted at all. Today, the question is which liveness and biometric methods meet the current regulatory standard. The shift has been driven by both regulatory acceptance — every major regime now permits digital onboarding under defined conditions — and by deepfake technology — which has made the historical defence of "a photo can't talk" obsolete.

The technology now in production at major banks and fintechs is genuinely sophisticated. It is also evolving rapidly because the attack surface evolves rapidly. Understanding what liveness detection does, what the PAD levels mean, and what regulators specifically expect is now a baseline requirement for anyone designing or evaluating a digital onboarding flow.

What Liveness Detection Actually Does

Liveness detection answers a specific question: is the face presented to the camera right now attached to a real, living person physically present at the device? The attacks it must defeat are concrete:

  • Printed photographs — a paper photo of the target person held up to the camera.
  • Screen replay — a video or image of the target person displayed on a phone or tablet held up to the camera.
  • 3D masks — silicone or 3D-printed masks of the target person's face.
  • Deepfakes — AI-generated synthetic video of the target person, played live or pre-rendered, increasingly capable of responding to challenges.
  • Injection attacks — malicious software intercepting the camera feed and substituting a manipulated stream.

These threats are not theoretical. Documented attacks at production scale have used each of these techniques. A liveness system that defeats only printed photographs is no longer sufficient — the threat model has moved on.

Active vs Passive Liveness

Liveness detection comes in two architectural styles. Modern eKYC platforms typically combine both for layered defence.

1. Active Liveness

Active liveness asks the user to perform a specific action — turn their head, blink, smile, follow a moving target on screen, or speak a randomly-generated phrase. The system verifies that the response matches the prompt and is performed in real time. Active liveness defeats most static-image attacks because a photograph cannot turn its head in response to a prompt. It is also more visible to the user — they know a check is happening — which is sometimes preferred from a transparency perspective.

2. Passive Liveness

Passive liveness analyses the captured image or short video for signs of liveness without requiring user action — micro-movements, depth cues, skin texture, lighting reflections, sub-pixel artefacts of screen replay or printed paper. The user simply looks at the camera; the system makes its determination from the captured data. Passive liveness is faster and lower-friction; it is also harder to evaluate because the user cannot see whether the check is happening.

The most secure systems combine both — passive analysis on every capture, active challenges in higher-risk flows or as a confirmation step. The combined system is harder to spoof than either alone.

ISO/IEC 30107-3: The PAD Standard

ISO/IEC 30107-3 is the international standard for evaluating Presentation Attack Detection in biometric systems. It is the reference any sophisticated regulator or buyer will ask about. Independent labs (iBeta, BixeLab, FIME, others) test biometric systems against the standard and certify their PAD level.

The two PAD levels currently relevant to eKYC:

  • PAD Level 1 — defends against basic, low-effort attacks: printed photos, screen replay of static images, simple paper masks. Most modern systems achieve PAD Level 1 readily.
  • PAD Level 2 — defends against sophisticated attacks: high-quality 3D masks, deepfake video, advanced injection attacks. PAD Level 2 conformance is the current bar for high-stakes use cases — banking onboarding, payment-account opening, regulated high-value KYC.

ISO 30107-3 evaluation produces two key metrics: APCER (Attack Presentation Classification Error Rate — the proportion of attack attempts misclassified as genuine) and BPCER (Bona Fide Presentation Classification Error Rate — the proportion of genuine attempts misclassified as attacks). A useful liveness system has low APCER (catches the attacks) and low BPCER (does not reject legitimate users). The trade-off between them is set by threshold tuning — and like all such trade-offs, it must be tuned to the use case.
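
The threshold trade-off described above, worked through as an added example (not from any vendor or test lab): it computes APCER and BPCER from labelled liveness scores and picks the threshold with the lowest BPCER under an APCER ceiling. It goes slightly beyond the text by reporting APCER per attack type and taking the worst one, because a pooled average can hide a single attack type that gets through. The scores, labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed evaluation data: (liveness score in [0, 1], label).
# "bona_fide" is a genuine user; any other label names the attack type.
SAMPLES = [
    (0.97, "bona_fide"), (0.91, "bona_fide"), (0.88, "bona_fide"),
    (0.74, "bona_fide"), (0.58, "bona_fide"), (0.93, "bona_fide"),
    (0.05, "print"), (0.12, "print"), (0.31, "print"),
    (0.22, "replay"), (0.47, "replay"), (0.63, "replay"),
    (0.55, "mask_3d"), (0.69, "mask_3d"), (0.81, "mask_3d"),
]


def pad_error_rates(samples, threshold):
    """Return (apcer_by_type, worst_apcer, bpcer) at a decision threshold.

    A presentation is accepted as live when score >= threshold.
    """
    attacks = defaultdict(lambda: [0, 0])  # attack type -> [accepted, total]
    rejected_bona_fide = total_bona_fide = 0
    for score, label in samples:
        accepted = score >= threshold
        if label == "bona_fide":
            total_bona_fide += 1
            rejected_bona_fide += not accepted   # genuine user turned away
        else:
            attacks[label][0] += accepted        # attack let through
            attacks[label][1] += 1
    apcer_by_type = {t: a / n for t, (a, n) in attacks.items()}
    worst = max(apcer_by_type.values(), default=0.0)
    bpcer = rejected_bona_fide / total_bona_fide if total_bona_fide else 0.0
    return apcer_by_type, worst, bpcer


def lowest_bpcer_threshold(samples, max_apcer, steps=100):
    """Lowest-BPCER threshold whose worst-case APCER is <= max_apcer, or None."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        _, worst, bpcer = pad_error_rates(samples, t)
        if worst <= max_apcer and (best is None or bpcer < best[1]):
            best = (t, bpcer, worst)
    return best


if __name__ == "__main__":
    for ceiling in (0.34, 0.0):
        print(ceiling, lowest_bpcer_threshold(SAMPLES, max_apcer=ceiling))
```

On this constructed data, tolerating a worst-case APCER of one in three rejects one genuine user in six, while demanding zero accepted attacks doubles the rejection rate to one in three.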

The Deepfake Problem

Synthetic media has changed the threat model for liveness detection in the last 24 months. Deepfake video is now capable of responding to active liveness prompts — turning the head, blinking, smiling, even lip-syncing to spoken phrases. The historical assumption that a sufficiently demanding active challenge would defeat impersonation no longer holds without specific deepfake defences.

Modern liveness platforms address deepfakes through three layers. Frame-level analysis detects sub-pixel artefacts that synthetic generation produces but real cameras do not. Temporal analysis looks at consistency across the video — real faces have micro-movements that deepfake generators struggle to reproduce reliably. Channel integrity ensures the captured stream actually came from the device camera, defending against injection attacks that might substitute a deepfake stream into the pipeline.

The arms race here is real and ongoing. A liveness vendor whose deepfake defences have not been updated in 12 months is presumptively behind the threat model. Any procurement evaluation should include current deepfake testing on the vendor's actual production system.

Injection Attacks

Injection attacks bypass the camera entirely — malicious software hooks into the device's biometric pipeline and feeds it a manipulated video stream from another source. This is the most sophisticated attack class in production use. Defending against injection requires hardware-attested capture (where the device cryptographically attests that the captured video came from the camera), end-to-end encryption from camera to verification backend, and continuous monitoring for anomalies in the captured-stream metadata.
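
A sketch of the backend side of attested capture, added here as an example and not taken from any platform's implementation: the backend issues a single-use nonce, the device binds that nonce to a digest of the captured frames, and the backend rejects captures whose frames, nonce or tag do not check out. Assumptions: HMAC with a per-device key stands in for the asymmetric, hardware-backed signature a real attestation scheme would use, and all names, the 60-second window and the in-memory nonce store are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60   # assumed validity window for a capture challenge
_issued = {}             # nonce -> issue time (in-memory store for the example)


def frames_digest(frames):
    """SHA-256 over length-prefixed frames, so frame boundaries are bound too."""
    h = hashlib.sha256()
    for frame in frames:
        h.update(len(frame).to_bytes(4, "big") + frame)
    return h.hexdigest()


def _tag(device_key, nonce, digest):
    # HMAC stand-in for the device's hardware-backed signature (assumption).
    return hmac.new(device_key, f"{nonce}|{digest}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Backend: mint a single-use nonce the device must bind into its capture."""
    nonce = secrets.token_hex(16)
    _issued[nonce] = time.time() if now is None else now
    return nonce


def device_attest(device_key, nonce, frames):
    """Device side: attest to the exact frames the camera produced."""
    digest = frames_digest(frames)
    return {"nonce": nonce, "frames_sha256": digest, "tag": _tag(device_key, nonce, digest)}


def verify_capture(device_key, attestation, frames, now=None):
    """Backend: return (ok, reason) for the frames that actually arrived."""
    now = time.time() if now is None else now
    issued_at = _issued.pop(attestation["nonce"], None)  # pop makes the nonce single-use
    if issued_at is None:
        return False, "unknown_or_reused_nonce"
    if now - issued_at > NONCE_TTL_SECONDS:
        return False, "expired_nonce"
    digest = frames_digest(frames)
    if not hmac.compare_digest(digest, attestation["frames_sha256"]):
        return False, "frames_differ_from_attested_capture"
    if not hmac.compare_digest(_tag(device_key, attestation["nonce"], digest), attestation["tag"]):
        return False, "bad_attestation_tag"
    return True, "ok"
```

The check only proves the stream matches what the attesting component saw, which is why the text pairs it with hardware-rooted keys and metadata monitoring.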

What Regulators Accept

Regulatory acceptance of digital identity verification has converged across major jurisdictions, with consistent principles even where the specific rules differ.

The major jurisdictional positions on digital eKYC and liveness:

  • Singapore (MAS): Permits non-face-to-face customer onboarding subject to enhanced safeguards including liveness-checked biometric verification; the Myinfo digital identity service provides an alternative authoritative source.
  • India (RBI / UIDAI): Aadhaar-based eKYC with biometric authentication is the dominant authoritative method; video-based KYC permitted under structured RBI guidance.
  • European Union (eIDAS): Qualified Trust Service Providers can issue identity assertions usable for KYC; non-QTSP digital onboarding permitted but subject to national-regulator interpretation.
  • United States (FinCEN, OCC, FFIEC): Risk-based; non-face-to-face onboarding permitted with appropriate enhanced verification including liveness and biometric matching.
  • United Kingdom (FCA, JMLSG): Risk-based; JMLSG guidance specifically addresses electronic verification and accepts liveness-based biometric methods.

Across all these regimes, the consistent themes are: digital onboarding is permitted, biometric liveness is the expected control, the firm must select methods proportionate to risk, and the firm must document why the chosen method is sufficient. See our broader CDD guide for the underlying due diligence framework.

eKYC Onboarding That Beats the Current Threat Model

One Constellation's KYC platform combines document authentication, biometric face matching, and ISO 30107-3 PAD Level 2 liveness detection — with deepfake and injection-attack defences kept up to date with current threats.
