Presentation Attack Detection is the automated determination of whether a biometric sample captured by a sensor originates from a live, present human or from a spoofing artifact such as a printed photo, video replay, silicone mask, or voice recording. Unlike deepfake detection, which analyzes pre-recorded media, PAD operates at the point of capture, analyzing physical and physiological characteristics like skin texture, micro-movements, and light reflection in real time to thwart impersonation attempts before authentication occurs.
Glossary
Presentation Attack Detection

What is Presentation Attack Detection?
Presentation Attack Detection (PAD) is the standardized framework for detecting biometric spoofing attempts at the sensor level, where an artifact is physically presented to a camera or microphone to impersonate a legitimate user.
The ISO/IEC 30107 standard defines PAD through two key metrics: Attack Presentation Classification Error Rate (APCER) and Bona Fide Presentation Classification Error Rate (BPCER). Modern systems employ sensor-level liveness detection techniques including photoplethysmography for blood flow analysis, challenge-response mechanisms requiring eye blinking or head rotation, and multi-spectral imaging to distinguish living tissue from synthetic materials, ensuring robust defense against both 2D and 3D presentation attacks.
Key Characteristics of PAD Systems
Presentation Attack Detection (PAD) systems are defined by their ability to distinguish between a live human and a spoofing artifact at the point of capture. These characteristics define the technical rigor required for ISO/IEC 30107 compliance.
Artifact vs. Liveness Dichotomy
The core logic of PAD is a binary classification between a bona fide presentation and a presentation attack instrument (PAI) . A PAI is any artifact—such as a printed photo, a digital video replay, a silicone mask, or a voice recording—used to subvert a biometric sensor. The system must analyze the physical characteristics of the presented object, not just the biometric match score, to determine if it possesses the inherent properties of living tissue or a natural voice.
Active vs. Passive Detection
PAD methods are broadly categorized by the level of user cooperation required:
- Active PAD: Requires the user to perform a specific action, such as blinking, smiling, turning the head, or speaking a random phrase. This challenges the attacker's ability to dynamically manipulate the artifact in real-time.
- Passive PAD: Operates transparently without user cooperation by analyzing intrinsic data from a single frame or short video clip, such as micro-textures, color distortion, or sensor noise patterns. Passive methods are preferred for frictionless user experience.
Sensor-Level Analysis
PAD is fundamentally a sensor-level defense, distinct from host-level anomaly detection. It operates on the raw data stream from the capture device before biometric feature extraction occurs. For cameras, this involves analyzing the Color Filter Array (CFA) interpolation patterns and Photo Response Non-Uniformity (PRNU) noise. For microphones, it examines pop noise and channel distortion characteristics that differ between live speech and replayed audio.
Multi-Modal Fusion for Robustness
Advanced PAD systems fuse multiple detection channels to increase resistance to sophisticated spoofing. A common architecture combines:
- Spatial texture analysis (detecting print artifacts or mask edges)
- Temporal motion analysis (detecting unnatural optical flow or screen moiré patterns)
- Spectral reflectance analysis (distinguishing skin from silicone or latex in near-infrared bands) This fusion ensures that an attacker must simultaneously defeat all modalities to succeed.
Generalization to Unknown Attacks
A critical performance indicator is the system's ability to detect unknown presentation attack instruments not seen during training. This requires the model to learn a generalized representation of 'liveness' rather than memorizing artifacts of known materials. Techniques like one-class classification and anomaly detection are employed, where the model tightly bounds the feature space of bona fide presentations and flags any significant deviation as an attack, regardless of the specific PAI species.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about detecting biometric spoofing attempts at the sensor level.
Presentation Attack Detection (PAD) is the automated determination of a biometric capture subject's liveness by distinguishing between a live human presenter and a spoofing artifact presented to the sensor. PAD mechanisms operate by analyzing intrinsic physiological signals, involuntary micro-movements, or challenge-response interactions that are difficult for artifacts to replicate. The ISO/IEC 30107 standard defines two primary methodologies: Presentation Attack Instrument (PAI) detection, which identifies the artifact itself (e.g., detecting a paper texture or screen moiré pattern), and liveness detection, which confirms the presence of a living human through signals like eye blinking, pulse-induced skin color variations, or muscle micro-contractions. Modern implementations fuse multiple modalities—such as depth sensing, near-infrared reflectance, and temporal texture analysis—to achieve robust defense against both 2D (print, replay) and 3D (mask, sculpture) attacks.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Presentation Attack Detection is a critical component of a broader biometric security and synthetic media forensics landscape. These related concepts define the attack vectors, countermeasures, and analytical techniques that form the foundation of modern anti-spoofing systems.
Liveness Detection
The overarching biometric security discipline that Presentation Attack Detection operationalizes at the sensor level. Liveness detection distinguishes between a live human presenter and a spoofing artifact—such as a printed photo, digital video replay, or three-dimensional mask—during an authentication attempt.
- Active liveness: Requires user interaction, such as blinking, smiling, or following a random head-movement challenge.
- Passive liveness: Analyzes intrinsic image properties (micro-textures, skin reflectance) without user cooperation, making it harder for attackers to anticipate.
- ISO/IEC 30107-3 defines the evaluation framework, measuring the Attack Presentation Classification Error Rate (APCER) and Bona Fide Presentation Classification Error Rate (BPCER).
Photoplethysmography (PPG) Analysis
A passive liveness detection method that extracts subtle skin color variations caused by cardiac blood flow from standard video. Because living human skin exhibits a periodic chromatic change synchronized with the heartbeat, this physiological signal is extremely difficult for silicone masks or video replays to replicate.
- The signal is typically extracted from the Region of Interest (ROI) on the face, isolating the hemoglobin absorption spectrum.
- Remote PPG (rPPG) performs this analysis without physical contact, using ambient light and a standard RGB camera.
- Attackers attempting to spoof PPG must model and reproduce a realistic cardiac waveform, a significantly higher barrier than static texture replication.
3D Morphable Model Fitting
A forensic technique that fits a parametric three-dimensional face model to a two-dimensional image captured by the sensor. By estimating the shape, texture, and illumination parameters required to reconstruct the face, the system can detect inconsistencies that indicate a planar (2D) spoof.
- A printed photo or screen replay will produce a flat geometry with uniform depth, failing to match the natural curvature of a human head.
- Specular highlight mismatch is a key indicator: the reflection of light on a 3D mask's surface will differ from the Lambertian reflectance properties of living skin.
- This method is effective against both print attacks and rigid 3D mask attacks, though sophisticated silicone masks with realistic texture remain a challenge.
Micro-Expression Analysis
The automated detection of involuntary, fleeting facial muscle movements that last between 1/25th and 1/5th of a second. These expressions, governed by the Facial Action Coding System (FACS), are a byproduct of genuine emotional and cognitive processes and are notoriously difficult for synthetic face generation models or human impostors to replicate with natural temporal dynamics.
- A video replay attack presents pre-recorded expressions that lack the spontaneous, non-deterministic cadence of a live human.
- Static masks or printed photos exhibit zero micro-expression activity, providing a clear binary signal.
- The challenge lies in computational cost: high-frame-rate video and deep temporal models are required to capture these rapid action units.
Optical Flow Inconsistency
A video-based detection method that evaluates the coherence of motion vectors between consecutive frames. Genuine human faces exhibit smooth, physically constrained motion patterns. In contrast, synthetically generated or replayed faces often introduce artifacts in the optical flow field.
- Frame-by-frame deepfake insertion creates unnatural jitter or non-physical movement at the boundary between the synthesized face and the background.
- Video replay attacks displayed on a screen introduce Moiré patterns and pixel-grid artifacts that manifest as structured noise in the motion field.
- Calculating dense optical flow using algorithms like Farnebäck or RAFT provides a pixel-level map of motion inconsistencies for a downstream classifier.
Sensor Pattern Noise
The deterministic high-frequency noise component unique to every camera sensor, caused by microscopic manufacturing imperfections in the silicon wafer. This noise acts as a robust, unforgeable biometric for the sensor itself.
- In a presentation attack, the attacker's spoofing medium (e.g., a printed photo or LCD screen) introduces its own sensor noise or lacks the Photo Response Non-Uniformity (PRNU) pattern of the authenticating device's camera.
- A sudden absence or mismatch of the expected PRNU pattern in a captured frame is a strong indicator that an intermediate surface is present between the subject and the sensor.
- This technique is highly effective against replay attacks but less so against 3D masks, which are captured directly by the authentic sensor.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us