Preventing Deepfakes and Injection Attacks in Face Verification
How fraudsters attack face verification systems — presentation attacks, deepfakes, and camera injection — and the layered defenses that stop them.
The Attack Surface of a Selfie
Face verification has become the front door of digital identity — which makes it the front door fraudsters attack. Understanding the attack taxonomy is the first step to defending your KYC flow or face login, because different attacks require different defenses.
There are two fundamentally different places to attack a face verification system:
Presentation Attacks: Photos, Screens, and Masks
Presentation attacks show the camera something that isn't a live face:
These are cheap, require no technical skill, and defeat naive face matching completely — a photo of you is your face, as far as an embedding model is concerned. Matching accuracy and similarity thresholds are irrelevant here; you need presentation attack detection (PAD), better known as liveness detection.
Our active vs. passive comparison covers when each fits. For most flows, passive liveness on every capture plus active liveness on high-risk events (onboarding, payment limits changes, account recovery) is the right layering.
Deepfakes: The Replay Attack, Upgraded
Generative models changed the economics of face fraud. Off-the-shelf tools now produce:
A real-time face swap can defeat naive active liveness: the attacker performs the head movements, and the deepfake renders the victim's face performing them. Defending requires looking for generation artifacts — temporal flicker, boundary blending, physically inconsistent lighting, missing micro-texture — signals modern liveness models are specifically trained on.
The industry response is measurable: financial-sector fraud reports across Southeast Asia show deepfake-enabled fraud attempts growing multiples year over year, which is why regulators in the region increasingly expect liveness detection in KYC.
Injection Attacks: Bypassing the Camera Entirely
The most technically sophisticated attacks never show anything to a camera:
Defenses live at a different layer than PAD:
Defense in Depth: The Reference Stack
No single control stops all three attack classes. A production-grade verification flow layers:
How ARSA Implements This
The ARSA Face Recognition API ships the biometric layers of this stack: passive liveness detection on single images, active liveness with server-generated head-pose challenges and video verification, and a combined submit-and-recognize endpoint that runs the liveness check and identity match in one call. All processing happens server-side; per-key rate limits and full request logging are built in — see our security overview.
Fraud techniques will keep improving. The teams that stay ahead treat face verification not as a feature checkbox but as an adversarial system needing layered, updatable defenses. Test the liveness endpoints free against your own spoof attempts — a photo of your own screen is a surprisingly effective first red-team exercise.