How to Evaluate Liveness Detection Vendors: Buyer Checklist
A comprehensive checklist for CISOs and identity platform providers to assess liveness detection vendors, focusing on security, compliance, and user experience.

Selecting a liveness detection vendor is a critical security decision for any enterprise. As digital identity verification becomes the primary entry point for customers, employees, and citizens, the ability to distinguish a real, live human from a digital or physical spoof is essential. For CISO teams, identity platform providers, and government agencies, the procurement process demands a structured, evidence-based approach. This article provides a comprehensive way to evaluate liveness detection vendors with a checklist designed to verify claims, assess true performance, and ensure alignment with enterprise security and user experience requirements.
"The global face liveness detection software market was valued at USD 2.2 billion in 2024 and is projected to grow at a Compound Annual Growth Rate (CAGR) of up to 19.7% through 2033, driven by the increasing need for secure biometric authentication and advanced fraud prevention."
How to evaluate liveness detection vendors: a CISO's checklist
A robust evaluation process goes beyond a vendor's marketing claims. It requires a detailed examination of their technology's security posture, performance metrics, and architectural fit. Use this checklist as a framework for your due diligence.
- Presentation Attack Detection (PAD) Compliance: The single most important factor is a vendor's certified performance against presentation attacks. Your evaluation must center on their adherence to established standards. Does the vendor have third-party testing results for ISO/IEC 30107-3? This standard is the international benchmark for determining a system's ability to defend against spoofs like printed photos, screen replays, and 3D masks.
- Independent Third-Party Testing: Do not rely on self-reported metrics. Demand to see reports from accredited, independent labs. The National Institute of Standards and Technology (NIST) and its accredited laboratories, like iBeta, provide the most respected testing programs. Specifically, ask for a vendor's results from iBeta PAD Level 1 and Level 2 testing. Level 1 covers basic spoof attempts (photos, videos), while Level 2 addresses more sophisticated attacks.
- Key Performance Metrics: Understand the vendor's performance on two critical metrics:
  - Attack Presentation Classification Error Rate (APCER): This measures the percentage of spoof attempts that successfully fool the system. An ideal APCER is 0%.
  - Bona Fide Presentation Classification Error Rate (BPCER): This measures the percentage of legitimate users that the system incorrectly flags as spoofs, which directly impacts user friction. A lower BPCER is better. According to iBeta's Level 1 conformance, a BPCER of no more than 15% is required for certification.
- Integration and Architecture: How will the solution fit into your existing technology stack? Evaluate the vendor's SDKs (iOS, Android, Web) for ease of integration, documentation quality, and flexibility. Is the solution offered as a cloud service, an on-premise deployment, or a hybrid model? Understand the data flows and ensure they align with your organization's data residency and privacy requirements.
- User Experience (Passive vs. Active): The method used to determine liveness has a profound impact on user onboarding and conversion rates. Passive liveness, which requires no specific user action, offers a frictionless experience. Active liveness, which requires users to perform gestures like blinking or turning their head, adds friction that can lead to user drop-off.
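To apply the APCER and BPCER definitions from the checklist to your own pilot data, the following added example (not from the original article or any vendor) computes both rates from constructed trial counts and compares them with the 0% and 15% figures quoted above. The breakdown by attack type and the 95% upper confidence bound go beyond what the checklist states and are assumptions of this example; they show why zero observed errors in a small test does not establish a true 0% rate.

```python
from math import comb

# Constructed pilot counts (not real vendor data).
# Attack rows: species -> (spoof attempts, attempts wrongly accepted as live).
ATTACKS = {"printed_photo": (150, 0), "screen_replay": (150, 2), "3d_mask": (60, 0)}
# Bona fide row: (genuine attempts, attempts wrongly rejected as spoofs).
BONA_FIDE = (400, 22)

def upper_bound(errors, n, confidence=0.95):
    """Exact one-sided (Clopper-Pearson) upper bound on the true error rate."""
    if errors >= n:
        return 1.0
    alpha = 1.0 - confidence
    def cdf(p):  # P(X <= errors) for X ~ Binomial(n, p)
        return sum(comb(n, k) * p**k * (1 - p)**(n - k) for k in range(errors + 1))
    lo, hi = errors / n, 1.0
    for _ in range(60):  # bisection: cdf falls as p rises
        mid = (lo + hi) / 2
        if cdf(mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi

def evaluate(attacks, bona_fide, max_bpcer=0.15):
    """Per-species APCER, worst-case APCER and BPCER, each with an upper bound."""
    species = {}
    for name, (n, accepted) in attacks.items():
        species[name] = {"apcer": accepted / n, "upper": upper_bound(accepted, n)}
    worst = max(species, key=lambda s: species[s]["apcer"])
    n, rejected = bona_fide
    bpcer = rejected / n
    return {
        "species": species,
        "worst_species": worst,
        "max_apcer": species[worst]["apcer"],
        "bpcer": bpcer,
        "bpcer_upper": upper_bound(rejected, n),
        "meets_apcer_target": species[worst]["apcer"] == 0.0,  # page: ideal is 0%
        "meets_bpcer_limit": bpcer <= max_bpcer,                # page: <= 15%
    }

if __name__ == "__main__":
    report = evaluate(ATTACKS, BONA_FIDE)
    for name, r in report["species"].items():
        print(f"{name:14s} APCER {r['apcer']:.2%}  (95% upper bound {r['upper']:.2%})")
    print(f"BPCER {report['bpcer']:.2%}  (95% upper bound {report['bpcer_upper']:.2%})")
    print("worst species:", report["worst_species"])
```

When comparing vendors, ask how many attempts per attack type sit behind each reported rate; the smaller the sample, the wider the gap between the observed rate and its upper bound.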
Passive vs. active liveness comparison
Choosing between passive and active liveness detection involves a trade-off between user experience and the specific security threats you aim to mitigate. The decision should be informed by your target user population and risk tolerance.
| Feature | Active Liveness Detection | Passive Liveness Detection |
|---|---|---|
| User Action | Requires user to perform an action (e.g., smile, turn head, blink). | No action required; verification happens from a selfie or brief video. |
| User Experience | Higher friction, can lead to drop-off, potential accessibility issues. | Seamless and frictionless, leading to higher completion rates. |
| Security Focus | Defends well against basic 2D presentation attacks (photos). | Designed to detect sophisticated spoofs, including deepfakes and masks. |
| Integration | Can be simpler to implement initially. | Requires more sophisticated backend analysis but offers a cleaner UI. |
| Typical BPCER | Can be higher due to user confusion or non-compliance with instructions. | Generally lower, as user error is minimized. |
Industry Applications
The need to evaluate liveness detection vendors is not uniform. Different industries face unique regulatory requirements and threat models.
Financial Services and eKYC
For banks and fintech companies, liveness detection is a core component of Electronic Know Your Customer (eKYC) and Anti-Money Laundering (AML) compliance. Regulators are increasingly scrutinizing the robustness of identity verification systems. A solution's performance in NIST and ISO-based testing is a key indicator of its suitability for high-stakes financial onboarding.
Government and public sector
Government agencies providing digital services, from state DMVs to federal benefits portals, must balance fraud prevention with equitable access. A liveness detection vendor evaluation checklist for this sector prioritizes accessibility and low BPCER to ensure all citizens can access services without undue friction, while still preventing large-scale fraud.
Platforms and trust & safety
For social media, gaming, and marketplace platforms, liveness detection helps ensure account integrity, prevent bot-driven manipulation, and enforce age verification requirements. The focus is often on passive, low-friction solutions that can be deployed at scale without disrupting the user experience.
Current research and evidence
The foundational research for evaluating liveness detection comes from standards bodies. NIST's ongoing Face Recognition Vendor Test (FRVT) for Presentation Attack Detection provides the industry with a crucial, unbiased benchmark. As Stephanie Schuckers, a leading researcher in biometric security at Clarkson University, has noted, standardized testing is essential for creating a "common language" for buyers and sellers to compare performance. The ISO/IEC 30107-3 standard, first published in 2017 and updated since, provides the framework that underpins commercial lab testing from organizations like iBeta. When evaluating vendors, CISOs should treat conformance to these standards not as a feature, but as a prerequisite.
The future of liveness detection
The field is evolving rapidly to counter emerging threats. The primary focus is on detecting increasingly realistic deepfakes and injection attacks. Future-proof vendors are heavily investing in AI and machine learning models that can analyze subtle cues imperceptible to humans, such as texture, light reflection, and micro-movements. The trend is decisively moving toward completely passive systems that offer robust security without any user-facing friction. Continuous authentication, where liveness is passively monitored throughout a user session rather than just at login, is also an emerging area of development.
Frequently asked questions
Q: What is the difference between active and passive liveness detection?
A: Active liveness detection requires users to perform a specific action, such as blinking or moving their head, to prove they are live. Passive liveness detection verifies a user is a real, live person from a standard selfie or short video, without requiring any special actions, providing a more seamless user experience.
Q: How important is ISO 30107-3 certification?
A: ISO/IEC 30107-3 is the globally recognized standard for Presentation Attack Detection testing. Certification from an accredited lab (like iBeta) to this standard is the most reliable way to verify a vendor's claims about their solution's ability to stop spoofing attacks. It is a critical item on any vendor evaluation checklist.
Q: What is a Presentation Attack Detection (PAD) test?
A: A PAD test, as defined by standards like ISO 30107-3 and conducted by labs like iBeta or in NIST's FRVT, systematically challenges a biometric system with a wide array of spoof attempts. These can include printed photos, high-resolution digital displays, video replays, and 3D masks to measure the system's resilience.
Q: How does liveness detection fit into a Zero Trust architecture?
A: In a Zero Trust model, identity is the new security perimeter, and every access request must be verified. Biometric liveness detection provides a strong, unphishable signal that the legitimate user is present at the time of the request, serving as a critical component in the "never trust, always verify" framework.
Choosing the right partner for liveness detection is fundamental to building a secure and user-friendly digital identity ecosystem. A thorough, standards-based evaluation process is the best way to ensure the vendor you select can protect your organization and your users from sophisticated identity fraud. Circadify is actively working to solve these challenges with next-generation passive liveness detection. To learn more about integrating a compliant and frictionless solution, see the Integration guide.
