Biometric systems — face recognition at a border gate, fingerprint verification at a bank, iris scanning at an eGate — are increasingly embedded in everyday life. And wherever a biometric system stands guard, someone will try to fool it. Presentation attacks are attempts to subvert biometric recognition by presenting a fraudulent biometric sample to the sensor.
Two types of attacker
Biometric attackers generally fall into one of two categories. The impostor wants to gain access by impersonating someone else — either by finding a look-alike or by presenting an artefact such as a printed photograph, a video on a smartphone screen, or a silicone mask crafted to resemble a target. The concealer, by contrast, wants to avoid being recognised — for example, a suspect on a watchlist who tilts their head, wears IR-blocking glasses, or uses heavy makeup to evade face detection.
The range of presentation attack instruments has grown dramatically with the availability of consumer technology. Print attacks hold a printed photograph in front of a camera. Replay attacks use a high-resolution screen displaying a video of the target. 3D mask attacks use a crafted prosthetic face. More recently, digital injection attacks — bypassing the camera entirely and injecting a synthetic video stream directly into the processing pipeline — have emerged as a new threat category that PAD alone cannot address.
How PAD works
PAD algorithms analyse a captured biometric sample for evidence that it is not a genuine live specimen. Texture analysis detects the flat, moiré-patterned surface of a printed photo. Liveness detection looks for involuntary micro-movements — the subtle motion of breathing, blinking, or pulse — that cannot easily be replicated by a static artefact. Depth sensing using structured light or time-of-flight cameras distinguishes a flat screen from a three-dimensional face. Modern PAD systems combine multiple cues, often using deep neural networks trained on large datasets of genuine and attack samples.
The standardisation landscape
PAD is now a mature research area with international standards. ISO/IEC 30107-3 defines the testing methodology for PAD systems. The Attack Presentation Classification Error Rate (APCER) measures the proportion of attacks classified as genuine, and the Bona Fide Presentation Classification Error Rate (BPCER) measures the proportion of genuine samples rejected. Independent evaluation programmes such as those run by NIST provide a common benchmark across research groups and vendors.
The EINSTEIN project is advancing PAD across multiple application scenarios — from self-service EES kiosks to walk-through biometric corridors — developing algorithms that are both highly accurate and computationally efficient enough for real-world deployment.
© 2026 EINSTEIN Consortium. EINSTEIN is funded by the European Union’s Horizon Europe programme (GA No. 101121280) and by UKRI (IFS 10093453). Views expressed are those of the authors only. www.einstein-horizon.eu