Introduction

With deepfake threats escalating, not all liveness detection solutions are created equal. Certification—especially the ISO/IEC 30107‑3 standard—is the only reliable way to distinguish robust, battle-tested systems from superficial claims. Here’s what you need to know.

What ISO/IEC 30107-3 Covers (and Why It Matters)

ISO/IEC 30107‑3 sets the international benchmark for Presentation Attack Detection (PAD), defining how to test liveness systems using realistic spoofing attempts—such as masks, video replays, and print attacks.  It specifies error metrics:
     •             APCER (Attack Presentation Classification Error Rate) for spoof detection,
     •             BPCER (Bona Fide Presentation Classification Error Rate) for rejecting legitimate users.

Independent labs like iBeta, accredited under NIST/NVLAP, perform rigorous PAD evaluations under ISO 30107‑3. Tests are stratified into:
     •             Level 1: Basic spoof defenses using affordable artifacts.
     •             Level 2: Highly realistic spoof attacks. Tested systems must maintain a BPCER/FNMR below 15% to pass;

·         Level 3, where applicable, demands under 10%.

Key Benefits of Certification

·         Tangible Trust: A certified system demonstrates validated resistance to spoofing—critical in sectors like finance, healthcare, and government.

·         Regulatory Edge: Certification aligns with GDPR, eIDAS and KYC mandates, easing compliance burdens.

·         UX + Efficiency: Passive, certified systems reduce manual review needs, speed up onboarding, and enhance conversion.

What to Look For in a Vendor

a.      Certification Level: Prefer ISO 30107‑3 Level 2 or higher.

b.      Lab Credentials: Ensure testing was done by independent, accredited labs (e.g., iBeta).

c.      Error Transparency: Vendor should disclose APCER/BPCER or FNMR/FMR rates.

d.      Seamless Experience: Insist on passive or lightweight active methods for high user adoption.

e.      Ongoing Validation: Sourcing solutions that are continuously updated to counter new spoofing techniques is a must.

Example: Oz Liveness has passed

Choosing a liveness detection solution based on certifications rather than marketing claims isn’t just prudent—it’s essential. Ask for proof, insist on transparency, and align your security decisions with accredited standards.

The Regulatory Push: Why Independent Validation is No Longer Optional

In response to escalating threats, regulators worldwide are tightening requirements for digital identity verification. Frameworks like Europe’s GDPR and global Anti-Money Laundering (AML) directives demand robust Know Your Customer (KYC) processes.

Leading the charge in setting technical standards is the U.S. National Institute of Standards and Technology (NIST). Its guidelines, such as Special Publication 800-63-3, establish best practices for identity proofing and authentication. The message is clear: self-assessed security claims are no longer enough. The market now demands proof.

In this climate, relying solely on face recognition or manual checks is a liability. The only way to restore trust is through robust liveness detection— a technology that confirms a real, live human is behind every interaction.