How do banks tell a real face from a printed photo on camera?

The rapid shift to digital-first banking has transformed customer onboarding from a branch office activity to a remote process managed on a smartphone. While this offers immense convenience, it creates a critical security challenge for financial institutions: how to be certain the person in front of the camera is a real, live human and not a fraudulent impersonation? The question of how banks detect fake face printed photo attacks is central to the security of remote identity verification. Answering this requires a sophisticated, multi-layered approach known as Presentation Attack Detection (PAD), which analyzes subtle signals invisible to the human eye.

"According to industry analysis, as many as nine out of ten document-based fraud attempts are presentation attacks, where a fake biometric sample is presented to the sensor."

Understanding liveness detection and presentation attacks

At its core, a presentation attack is an attempt to fool a biometric system by presenting it with a fake artifact, such as a printed photograph, a video replay on a high-resolution screen, or even a sophisticated 3D mask. For banks and other regulated institutions, preventing these attacks is the primary goal of liveness detection technology.

The system must determine if the facial image captured by the camera belongs to a live person who is physically present. Early liveness detection systems relied on "active" methods, which required the user to perform an action like smiling, blinking, or turning their head. However, these methods introduce friction into the user experience and can be defeated by determined fraudsters using videos or articulated masks.

Today, the industry is moving toward passive liveness detection. This advanced method requires no action from the user. Instead, it uses sophisticated algorithms to analyze the captured video feed for intrinsic evidence of life. The system examines a range of indicators, including texture, depth, and the "live-skin" signal, to make a determination in seconds.

Feature	Active Liveness Detection	Passive Liveness Detection
User Action	Required (e.g., blink, smile, turn head)	Not required; analysis is transparent
User Experience	High friction, potential for user drop-off	Low friction, seamless and fast
Primary Method	Challenge-response (e.g., "Blink now")	Algorithmic analysis of intrinsic biometric properties
Key Technologies	Motion tracking, 3D depth analysis	Texture analysis, color distortion, reflection, rPPG
Vulnerabilities	Can be vulnerable to video replays or advanced masks	Highly resistant to 2D print and screen attacks

Industry applications of presentation attack detection

Robust PAD is a foundational requirement for security and compliance in the financial sector. Its applications extend across the customer lifecycle.

Ekyc and remote customer onboarding

Electronic Know Your Customer (eKYC) regulations require banks to perform high-assurance identity verification for all new customers. Passive liveness detection allows institutions to meet these compliance mandates without creating a frustrating onboarding experience. By confidently rejecting photo and video spoofs, banks can prevent fraudsters from opening accounts with stolen or synthetic identities.

Securing high-value transactions

When a customer initiates a large wire transfer or requests a change to their account details, the bank needs to be sure it's the legitimate account holder. A step-up authentication challenge using a facial scan with passive liveness ensures that a fraudster who has compromised a user's password cannot complete the high-risk action.

Regulatory compliance and auditing

Financial regulators globally are issuing stricter guidance on remote identity proofing. Standards like NIST SP 800-63A in the United States and frameworks from the EBA in Europe emphasize the need for effective PAD. Deploying technology that is independently tested and certified against standards like ISO/IEC 30107-3 provides banks with auditable proof that their security measures are effective.

Current research and evidence

The technology underpinning passive liveness detection is grounded in extensive academic and commercial research. One of the most promising areas is the analysis of the "live-skin" signal using a technique called remote photoplethysmography (rPPG).

• Remote Photoplethysmography (rPPG): This technique uses a standard optical camera to detect subtle changes in light reflection from the skin. These changes are caused by the flow of blood through subcutaneous capillaries and correspond to the subject's pulse. Since a printed photo or a digital screen does not have a pulse, rPPG provides a powerful signal for detecting a live human. Research by academics including Guoying Zhao at the University of Oulu (2017) demonstrated that combining rPPG with other methods like texture analysis is highly effective at thwarting presentation attacks.

• Texture and Reflection Analysis: A camera captures more than just the shape of a face. It captures the way light interacts with a surface. Real human skin has a unique, non-uniform texture and subsurface scattering properties. A printed photo is a flat, 2D object with a uniform surface, and a digital screen emits its own light, creating Moiré patterns and reflections that are not present in a real-world scene. Advanced AI models are trained to spot these tell-tale signs of a presentation attack.

• Standardized Testing: To provide a common benchmark for performance, organizations like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) have developed rigorous testing protocols. The ISO/IEC 30107-3 standard defines the framework for PAD testing, allowing vendors to certify their systems' effectiveness against a known set of attack vectors.

The future of presentation attack detection

The battle against identity fraud is a constant arms race. As generative AI makes it easier to create realistic deepfakes and digital avatars, liveness detection technology must evolve. The future of the field lies in multi-modal analysis, combining facial liveness with other signals like voice or behavioral biometrics. Furthermore, the emphasis will continue to be on passive, frictionless systems that can provide high security without inconveniencing legitimate customers. For CISO teams and identity platform providers, selecting a PAD solution that is Effective today. Has a roadmap for addressing future threats is a critical strategic decision.

Frequently asked questions

Q: What is the main difference between a presentation attack and a deepfake? A: A presentation attack involves presenting a physical or digital artifact (like a photo or video) to a camera. A deepfake is a synthetically generated video or image created with AI that may be used in a presentation attack or an injection attack at the API level.

Q: Can a high-quality printed photo fool a bank's liveness detection? A: It is highly unlikely. Modern passive liveness systems are specifically designed to detect the textural and reflective properties of paper and digital screens, which differ fundamentally from live human skin. They also analyze for signs of life, like the micro-movements and blood flow that a static photo lacks.

Q: What is passive liveness detection? A: Passive liveness detection is a method of verifying that a user is a live, present person without requiring them to perform any specific actions. It analyzes the video stream from the camera for natural signs of life, making the process seamless and frictionless for the user.

As a leader in remote identity verification, Circadify is at the forefront of developing and deploying next-generation passive liveness detection to help enterprises and government agencies defeat fraud. To learn more about integrating a certified, frictionless PAD solution into your platform, see our integration guide at circadify.com/solutions/fraud-detection.