Presentation Attack Detection: 9 Spoof Types Explained
Discover the 9 most common presentation attack types, from physical masks to deepfake screen replays, and learn how detection algorithms identify biometric spoofing.

The enterprise perimeter has shifted from network firewalls to human faces. As organizations rapidly adopt biometric security to verify users remotely, threat actors have adapted their strategies, treating the device camera not as an insurmountable security barrier, but as a digital input waiting to be spoofed. The primary defense mechanism against these physical and synthetic bypass attempts is presentation attack detection (PAD), a mandatory capability in any modern identity architecture.
"The financial impact of facial identity fraud reached an estimated $16.9 billion in 2023, accelerating the critical requirement for presentation attack detection capable of mitigating both physical artifacts and sophisticated digital manipulations." , 2024 Digital Fraud Surge Analysis
Every time a user scans their face, the enterprise system must answer two distinct questions: "Is this the correct person?" (facial recognition) and "Is this a live human being?" (liveness detection). A presentation attack occurs when a fraudster presents a fabricated biometric artifact to the camera sensor to bypass the liveness check. Understanding the specific mechanics of these attacks is essential for CISO teams evaluating identity platform providers.
9 presentation attack spoof types explained
When evaluating the resilience of an identity verification flow, security teams must account for the nine primary attack vectors used by fraudsters to fake a face scan.
1. flat print attacks
When organizations first implement remote identity proofing, the initial threat vector they encounter is the flat print attack. An attacker simply holds a high-resolution photograph of the authorized user in front of the mobile or desktop camera. While this method requires virtually zero technical skill, it remains a threat to legacy authentication systems that only analyze 2D facial geometry. Modern detection algorithms identify these spoof attempts by analyzing the lack of three-dimensional depth and detecting the microscopic texture of the paper grain.
2. curved print attacks
To bypass primitive depth-sensing algorithms that flag flat surfaces, attackers evolved their methodology to the curved print attack. By bending the photograph around a cylindrical object or holding it with a natural curve, the attacker creates a false sense of spatial depth. While this can fool early-generation checks, enterprise-grade systems identify the spoof by mapping the rigid, unnatural geometry of the curve, which fails to match the complex topographical map of a genuine human face.
3. 2D Crop-Out Masks
A direct response to active liveness checks, the 2D crop-out mask involves a printed photograph where the eyes, and occasionally the mouth, are removed. The attacker holds this paper mask over their own face and performs the required actions, such as blinking, smiling, or turning their head, through the cutouts. Platforms that rely on the user to move to prove they are alive are highly vulnerable to this attack. Passive detection mechanisms neutralize this threat by analyzing the discontinuous texture boundaries between the biological skin of the eyes and the paper material of the mask.
4. static screen attacks
Rather than printing an image, fraudsters frequently present a digital photograph on a smartphone, tablet, or secondary monitor. Static screen attacks eliminate the paper texture variable but introduce new artifacts for presentation attack detection algorithms to identify. The most prominent is the Moiré pattern, an optical interference effect that occurs when the pixel grid of the attacker's display conflicts with the pixel grid of the scanning camera. Additionally, the unnatural light emission from the digital screen provides a distinct optical signature.
5. video replay attacks
Moving up the complexity scale, video replay attacks involve presenting a pre-recorded video of the target user to the camera sensor. Attackers often source these videos from social media or secretly record them during video calls. This method easily defeats basic movement-based liveness checks. Defending against video replays requires algorithms trained to detect screen bezels, playback artifacts, and the specific chromatic dispersion that occurs when a digital screen projects video files back into a camera lens.
6. Rigid 3D Masks (Plastic or Resin)
Fundamentally shifting the attack medium from 2D to 3D, attackers utilize 3D printing technology to manufacture rigid masks from plastic, resin, or plaster. These physical constructs accurately replicate the facial structure of the victim, completely bypassing stereoscopic depth checks. However, advanced systems counter rigid masks by analyzing skin reflectance. Human skin exhibits subsurface scattering, light penetrates the epidermis and scatters before reflecting back. Rigid plastics reflect light strictly off the surface, creating an artificial glare that algorithms can instantly flag.
7. Flexible 3D Masks (Silicone)
Representing one of the most sophisticated physical threats, flexible 3D masks made of silicone or latex can hyper-realistically mimic human skin. These masks move dynamically with the attacker's facial muscles, replicate skin pores, and even absorb light similarly to biological tissue. Detecting a highly crafted silicone mask requires analyzing micro-biological signals. Sophisticated passive liveness systems utilize remote photoplethysmography (rPPG) to detect the invisible, pulse-driven color variations in human skin caused by blood flow, a physiological signal that no synthetic mask can replicate.
8. mannequins and wax figures
Though less common in targeted consumer fraud, mannequins and high-fidelity wax heads are frequently deployed in automated, large-scale attacks or during rigorous security testing. They provide structural perfection but are entirely devoid of biological indicators. Modern biometric defenses easily categorize these as non-living artifacts by verifying the total absence of micro-expressions, pupillary response, and vascular activity.
9. deepfake screen projections
The rapid commercialization of generative artificial intelligence has introduced the deepfake screen projection. In this attack, a fraudster projects a synthetically generated, real-time avatar onto a screen held up to the camera. Unlike a static video replay, a real-time deepfake can react dynamically to the environment. Defeating this advanced spoof relies on detecting the physical boundaries of the screen itself, analyzing generative rendering artifacts, and identifying temporal inconsistencies in the digital projection.
Comparing spoof vulnerabilities
Different spoofing methods require varying levels of technical execution and pose different challenges to identity verification platforms.
| Spoof Type | Attack Medium | Execution Complexity | Detection Difficulty | Primary Countermeasure |
|---|---|---|---|---|
| Flat Print | High-resolution paper photo | Low | Low | Texture and edge analysis |
| Curved Print | Warped paper photo | Low | Low | 3D depth mapping |
| 2D Crop-Out | Paper mask with eye holes | Low | Moderate | Texture boundary analysis |
| Static Screen | Photo on digital display | Low | Moderate | Moiré pattern detection |
| Video Replay | Video on digital display | Moderate | Moderate | Glare and bezel detection |
| Rigid 3D Mask | 3D printed plastic/resin | High | Moderate | Subsurface scattering checks |
| Flexible 3D Mask | Hyper-realistic silicone | Very High | High | rPPG biological signal processing |
| Mannequin | Physical dummy or wax | Moderate | Low | Micro-expression analysis |
| Deepfake Screen | Real-time synthetic rendering | High | Very High | Synthetic artifact detection |
When analyzing a potential spoof, presentation attack detection platforms rely on a layered defensive model:
- Artifact Detection: Scanning the image frame for physical objects that do not belong in a natural verification session, such as screen bezels, paper edges, or fingers holding a device.
- Texture and Reflectance Analysis: Evaluating how light interacts with the subject to determine if the surface is biological skin, digital glass, paper, or synthetic polymer.
- Biological Signal Processing: Using advanced computer vision to detect micro-vascular changes and physiological processes that are completely absent in non-living materials.
Industry Applications
Financial services and banking
Electronic Know Your Customer (eKYC) regulations require financial institutions to establish absolute certainty of a user's identity during digital onboarding. Banks deploy presentation attack detection to ensure that stolen identity documents are not being paired with a printed photo or video replay to open fraudulent accounts.
Enterprise identity and zero-trust
As organizations implement Zero-Trust architectures, continuous identity verification has become critical. Security teams utilize passive liveness checks during high-risk authentication events, such as accessing secure cloud environments or authorizing large wire transfers, to confirm the employee at the keyboard is a live human and not a synthetic bypass.
Government and public sector
State and federal agencies digitizing citizen services must meet strict National Institute of Standards and Technology (NIST) guidelines. Implementing presentation attack detection allows government portals to issue digital IDs and disburse benefits securely, ensuring that hostile actors cannot use physical masks or deepfakes to claim public resources.
Current research and evidence
Academic and private sector research continuously refines the defensive parameters of biometric security. In a comprehensive study on face anti-spoofing, researchers Sebastien Marcel and his colleagues at the Idiap Research Institute (2020) categorized presentation attacks into a detailed taxonomy, separating physical instruments from digital display devices. Their findings demonstrated that as spoofing materials become more accessible, defensive platforms must move away from simple texture analysis toward multi-modal feature extraction.
Furthermore, a 2023 survey published by MDPI analyzing deep learning-based face anti-spoofing established that the proliferation of high-resolution OLED screens has significantly increased the difficulty of detecting screen replays. The researchers, led by Z. Yu (2023), concluded that combating these high-fidelity attacks requires neural networks specifically trained to identify localized Moiré patterns and the unnatural chromatic dispersion of digital pixels, validating the industry shift toward passive, signal-based liveness detection.
The future of presentation attack detection
The arms race between fraudsters and security platforms is entering a new phase. As generative AI enables the mass production of hyper-realistic digital spoofs, the next generation of presentation attack detection will rely entirely on invisible, biological verification. By moving away from active commands, which are easily defeated by 2D crop-out masks and real-time deepfakes, the industry is standardizing on passive liveness detection. This approach ensures that the burden of proof is handled mathematically by the system, assessing continuous human physiological signals without requiring the user to perform any actions.
Frequently asked questions
What is the difference between an injection attack and a presentation attack? A presentation attack involves showing a physical or digital artifact (like a mask or a screen) directly to the camera sensor. An injection attack bypasses the camera hardware entirely, injecting synthetic video data directly into the application's data stream.
Why do active liveness checks fail against 2D crop-out masks? Active liveness systems ask the user to prove they are alive by completing a task, such as blinking. An attacker wearing a 2D crop-out mask simply blinks their real eyes through the cut-out holes, fulfilling the system's requirements and successfully bypassing the security check.
Can presentation attack detection identify deepfakes? Yes, when a deepfake is displayed on a screen and presented to a camera, advanced detection algorithms can identify the physical screen bezels, Moiré interference patterns, and synthetic rendering artifacts that differ from natural human skin.
How does passive liveness improve the user experience? Passive liveness detection operates in the background, analyzing biological signals like blood flow (rPPG) and micro-expressions in milliseconds. This verifies the user's presence without requiring them to follow frustrating instructions, reducing onboarding abandonment rates.
Securing the enterprise verification funnel
Identity verification is only as secure as its resistance to physical and digital spoofing. As threat actors continue to weaponize high-resolution displays, silicone masks, and generative models, relying on basic facial recognition is no longer sufficient. Organizations must implement sophisticated, passive verification mechanisms that can seamlessly differentiate between biological skin and synthetic artifacts. For CISO teams evaluating their identity architecture, Circadify is addressing this space with advanced defensive capabilities. Explore the integration guide and capability overview at circadify.com/solutions/fraud-detection to secure your verification funnel.
