Best Passive Liveness Detection for Banks in 2026
A 2026 buyer comparison of passive liveness detection for banks, weighted for onboarding friction, anti-spoofing strength, and regulatory fit.
Banks entering 2026 face a procurement question that did not exist at this scale five years ago: how to confirm that the face in front of the camera belongs to a living person, without asking that person to do anything at all. The pressure comes from two directions at once. Fraud teams are absorbing a flood of generative attacks aimed at remote account opening, while growth teams are watching qualified applicants abandon onboarding flows that demand too many steps. Passive liveness detection sits exactly between those two pressures, and choosing the right approach has become one of the more consequential identity decisions a financial institution makes.
"Fraud attempts using deepfakes increased by 2,137% over the last three years," reported Signicat in its 2024 study with the Aite-Novarica Group, which also found deepfakes are now among the most common digital identity fraud methods seen in financial services.
What passive liveness detection means for bank identity verification
Passive liveness detection determines whether a camera is seeing a real, physically present human rather than a photo, screen replay, printed mask, or injected deepfake stream, and it does so without instructing the user to blink, smile, turn their head, or follow a moving dot. The analysis happens on a single frame or a short ambient capture, using signals the applicant never has to perform. This is the structural difference from active or "challenge-response" liveness, where the user is asked to complete a gesture so the system can watch them do it.
For bank identity verification, the distinction is not cosmetic. Every added instruction in an onboarding flow is a point where applicants drop out, where elderly or low-dexterity users struggle, and where accessibility complaints accumulate. A no-friction liveness check removes those steps while still producing a presentation attack detection (PAD) decision. The underlying methods vary, and they matter for both security and customer experience:
- Texture and micro-detail analysis, which inspects skin, moire patterns from screens, and printing artifacts.
- Remote photoplethysmography (rPPG), which infers blood-flow pulse signals from subtle skin color changes a static spoof cannot reproduce.
- 3D depth and reflectance inference from a 2D image, separating a flat surface from a real face.
- Injection-attack and virtual-camera detection, which checks whether the video feed entered through a real device sensor or was piped in by software.
The strongest banking deployments combine several of these rather than relying on any single cue, because attackers optimize against whatever signal is published.
Comparing passive liveness approaches for banking onboarding
The table below weights the major approaches the way a banking buyer should: onboarding friction first, then anti-spoofing depth, then operational fit. No single column wins outright, which is why layered systems dominate serious deployments.
| Approach | Onboarding friction | Anti-spoofing strength | Deepfake / injection resistance | Best fit for banks |
|---|---|---|---|---|
| Passive single-frame texture analysis | Very low | Moderate against print/replay | Limited on its own | High-volume retail account opening |
| Passive rPPG (pulse-based) | Very low | Strong against static and 2D spoofs | Strong against printed/mask attacks | High-assurance onboarding, lending |
| Passive 3D/depth inference | Very low | Strong against photos and masks | Moderate against synthetic video | Mobile-first onboarding |
| Active challenge-response | High | Strong against simple replays | Weak against scripted deepfakes | Step-up only, not primary flow |
| Layered passive (texture + rPPG + injection checks) | Low | High | High | Regulated banking onboarding in 2026 |
A point worth flagging: active challenge-response, long treated as the safer option, has aged badly against generative attacks. A deepfake model can be scripted to "blink" or "turn" on cue, so the gesture an active system trusts is the same gesture a synthetic puppet can fake. Passive systems that look for involuntary biological signals and capture provenance are harder to script against, which has reshaped how anti-spoofing for banking is evaluated.
Industry applications across banking workflows
Remote account opening and eKYC
The highest-volume use case is digital onboarding, where a no-friction liveness check directly protects conversion. Banks measure abandonment at every screen, and replacing a multi-step gesture sequence with a single passive capture reduces the number of moments an applicant can quit. The 2026 priority is pairing that smooth experience with PAD strong enough to satisfy KYC obligations.
Lending and high-value transactions
Loan origination and large transfers warrant higher assurance. Here passive liveness often runs alongside document verification and device intelligence, with rPPG or injection detection carrying extra weight. The Indonesian bank case widely reported in late 2024, in which over 1,100 deepfake attempts targeted a digital loan application process with exposure estimated in the hundreds of millions of dollars, illustrates why lending flows cannot rely on appearance matching alone.
Account recovery and step-up authentication
Account takeover frequently routes through recovery flows. Passive liveness lets a bank re-confirm a living human at a sensitive moment without forcing legitimate customers through friction that drives support calls. Because the check is invisible, it can be applied more often without degrading experience.
Current research and evidence
The threat data behind these decisions has firmed up considerably. Entrust, in its 2025 Identity Fraud Report, found that a deepfake attempt was occurring roughly every five minutes during 2024, alongside a 244% rise in digital document forgeries year over year. FinTech Magazine, citing 2025 industry analysis, reported that deepfakes now account for around 20% of biometric fraud attempts, a share expected to climb as generative tools get cheaper.
On the defensive side, the relevant benchmark is ISO/IEC 30107-3, the international standard for testing presentation attack detection, supplemented by independent iBeta PAD evaluations at Level 1 and Level 2. These frameworks measure two error types banks should never conflate: the Attack Presentation Classification Error Rate (APCER), how often a spoof slips through, and the Bona Fide Presentation Classification Error Rate (BPCER), how often a real person is wrongly rejected. A vendor advertising a very low APCER while hiding its BPCER may be quietly rejecting legitimate customers, which is its own form of onboarding failure.
Researchers and reports across the sector converge on the same conclusion. Signicat's work with the Aite-Novarica Group documented the 2,137% three-year rise in deepfake fraud attempts, while analyses from outlets such as Forbes have detailed how injection attacks bypass camera-based checks by feeding synthetic streams through virtual cameras rather than presenting a spoof to a real lens. That distinction, presentation attack versus injection attack, is now central to evaluation, because a system that only inspects image content can be blind to a feed that never touched a sensor.
The future of passive liveness detection in banking
Three shifts are likely to define the next two years. First, injection-attack detection will move from a premium add-on to a baseline expectation, because the cheapest deepfake attacks no longer bother holding a phone up to a camera. Second, regulators will keep tightening remote identity proofing expectations, and standards-aligned, auditable PAD results will become part of the evidence banks must retain rather than a marketing claim. Third, evaluation will become continuous: rather than certifying a model once, banks will expect ongoing testing against new attack types, because the generative tooling on the other side updates monthly.
The frictionless onboarding security goal that once felt like a tradeoff against safety is becoming the opposite. The methods that remove user effort, such as ambient passive capture, pulse inference, and provenance checks, are also the ones hardest for a scripted attacker to satisfy. Banks that treat passive liveness as a single feature will struggle; those that treat it as a layered, continuously tested capability are positioned to reduce both fraud loss and abandonment at the same time.
Frequently asked questions
Is passive liveness detection secure enough for regulated banking?
When layered, yes. A single passive signal can be defeated, but combining texture analysis, biological signals like rPPG, and injection-attack detection raises the cost of a successful spoof substantially. Banks should require ISO/IEC 30107-3 aligned testing and review both APCER and BPCER rather than a single headline number.
How is passive liveness different from active liveness?
Active liveness asks the user to perform an action, such as blinking or turning, and watches them complete it. Passive liveness reaches a decision from a normal capture with no instructions. Active methods add friction and, critically, can be defeated by deepfakes scripted to perform the requested gesture on cue.
Does passive liveness stop deepfakes and injection attacks?
Presentation-based passive detection addresses spoofs shown to a camera. Stopping injected synthetic video also requires camera-provenance and virtual-camera detection, which confirm the feed entered through a real device sensor. Banks in 2026 should treat both as mandatory, not optional.
What metrics should a banking buyer ask for?
Ask for APCER and BPCER from independent ISO/IEC 30107-3 testing, the specific attack instruments used in evaluation, injection-attack coverage, demographic performance data, and evidence of ongoing retesting against new attack types rather than a one-time certificate.
Circadify is building toward this layered model of passive liveness, combining presentation attack detection with biological and provenance signals designed for high-assurance banking onboarding. Identity platform teams and banking CISO groups evaluating their 2026 stack can review the technical approach and request a demonstration through the fraud detection integration guide.