Selfie & Liveness Detection Guide

Passive liveness analyzes a single selfie for signs of a live person, requiring no user action.

What passive liveness checks:

• Natural skin texture and micro-expressions
• 3D depth cues from lighting and shadows
• Reflection patterns in eyes (screen reflections are telltale)
• Image quality characteristics (screens have pixel patterns)
• Moiré patterns from photographing screens

Advantages of passive:

• Minimal user friction (just take a selfie)
• Fast processing (single image analysis)
• Works on low-end devices
• No accessibility concerns

Limitations:

• Lower accuracy than active methods
• More susceptible to sophisticated attacks
• Harder to detect high-quality masks

Passive liveness is often sufficient for low-risk scenarios or as a first-pass filter before active liveness.

Active liveness requires users to perform specific actions that are difficult to fake with static images or pre-recorded videos.

Common active challenges:

• Head movements: Turn left, right, up, down
• Expressions: Smile, blink, open mouth
• Verbal: Speak randomly generated numbers
• Object interaction: Move phone in specific pattern

Randomization is key: Challenges must be unpredictable. If a fraudster knows the sequence, they can pre-record responses. Generate challenges in real-time and validate timing.

Advantages of active:

• Higher accuracy against spoofing
• Catches replay attacks
• Can incorporate audio verification

Limitations:

• Higher user friction (takes longer)
• Accessibility concerns (some users can't perform actions)
• Requires video capture capability

Active liveness is appropriate for high-risk scenarios: large transactions, sensitive account changes, initial onboarding for regulated services.

Deepfake technology makes it easier to generate convincing fake videos, challenging traditional liveness detection.

How deepfakes attack liveness:

• Real-time face swapping with victim's face
• Generated video responding to challenges
• Audio synthesis for voice challenges

Deepfake detection approaches:

• Artifact detection: Look for generation artifacts (blending boundaries, inconsistent lighting)
• Temporal analysis: Unnatural micro-movements, blinking patterns
• Physiological signals: Subtle signals like pulse (visible in face) are hard to fake
• Behavioral analysis: Response timing, natural hesitation

Defense in depth: No single detection method catches all deepfakes. Combine:

• Multiple liveness challenges
• Device integrity verification
• Behavioral analysis
• Continuous monitoring (not just at verification)

The deepfake arms race continues. Systems must continuously update detection models as generation techniques improve.

Injection attacks bypass the camera entirely, feeding manipulated data directly into the verification system.

How injection attacks work:

• Modified apps that skip camera capture
• Virtual cameras feeding pre-recorded video
• API manipulation sending fake images directly
• Emulators running modified verification flows

Detection and prevention:

• App integrity checks: Detect rooted/jailbroken devices, app tampering
• Device attestation: Verify genuine device with manufacturer certificates
• Camera verification: Confirm images come from actual camera hardware
• Behavioral signals: Injection often has unnatural timing and interaction patterns
• Server-side validation: Don't trust client-side liveness decisions

Implementation guidance:

• Use SDKs with built-in injection protection
• Verify device integrity before starting verification
• Monitor for anomalous patterns across your user base
• Update detection continuously as attack methods evolve