Face ValueBio Auth · Eval
PAD In Action

Presentation Attack Detection

The attacks go after the sensor, not the matcher. Telling a live face from a photo of one is a different problem from telling two faces apart.

Honest limit:Active-liveness (EAR + yaw challenge) stops a static photo. It does not stop a high-quality deepfake video. Stopping video injection requires signed-capture integrity at the sensor. These are separate problems.

Spot the attack

loading…
Genuine
LIVE SIGNAL
Eye Aspect Ratio
0.350 ← open
Head yaw
· 0°
L·R
Active challenge
Blink detected
Head turn registered
Motion continuous

A live face in front of the camera. Active-liveness challenge satisfied — blink + head turn. EAR dips on blink; head yaw registers motion.

APCER / BPCER — liveness metrics

Eval findings on this corpus: PAD baseline AUC 0.47 — no usable signal on synthetic data. PAD VLM results cover obvious simulated attacks only — a floor, not a real-world number.
APCER
Attack Presentation Classification Error Rate

Fraction of spoof attempts wrongly accepted as live. Analogous to FAR in matching but for the liveness layer. A photo that passes = APCER error.

BPCER
Bona Fide Presentation Classification Error Rate

Fraction of genuine live users wrongly rejected as spoofs. A real person failing the blink challenge = BPCER error. Analogous to FRR in matching.

Attack taxonomy

L1
Print attackEasy

Static printed photo. Stopped by active-liveness (EAR + yaw challenge).

L2
Screen replayModerate

Video played on screen. Moiré artefacts visible. Stopped by texture analysis.

L3
3D maskHard

Silicone or rigid mask. Requires depth sensors or near-infrared to catch reliably.

L4
Deepfake injectionVery hard

Synthetic video injected directly into the video stream. Requires signed-capture integrity at the sensor.