Every passport embodies a fundamental security principle: one person, one document. The International Civil Aviation Organisation (ICAO) calls this the unique link — the machine-verifiable biometric feature that binds a travel document to its legitimate holder. Face morphing attacks are designed to break that link.
What is a morphing attack?
A morphing attack creates a single facial image that has been computationally blended from the faces of two different individuals. When this morphed image is used as the passport photo, the resulting document can be successfully verified against both contributors. The criminal uses the document to cross borders. The accomplice has plausible deniability.
Early morphing techniques were landmark-based: detecting facial feature points on both images and warping and blending them together in pixel space. Modern methods are considerably more sophisticated. GAN-based morphing uses generative adversarial networks to synthesise a new face in the latent space of the model. Diffusion-based methods use text-to-image models conditioned on facial identity to produce photorealistic composites with few visible artefacts.
Detection approaches
Morphing attack detection falls into two categories. Single-image MAD (S-MAD) examines a suspected document image in isolation, looking for artefacts or inconsistencies. Differential MAD (D-MAD) compares the suspected document image against a trusted live capture of the applicant — a far more powerful approach. Multiple detection algorithms, each with different strengths across different morphing techniques, can be fused to improve overall robustness.
Can humans detect morphs?
Research involving over 570 participants — including border guards, document examiners, ID experts, and face comparison specialists — has shown that human detection of morphing attacks is surprisingly poor. Average accuracy for differential MAD tasks was around 64.7% for border guards and 72.6% for face comparison experts. Automated systems significantly outperform human observers, making the case for AI-assisted detection compelling.
The EINSTEIN project is developing and evaluating morphing attack detection (MAD) algorithms across a range of morphing techniques, contributing to the broader evaluation methodologies reflected in ISO/IEC 20059, the international standard for testing and comparing the resistance of biometric systems to morphing attacks.
© 2026 EINSTEIN Consortium. EINSTEIN is funded by the European Union’s Horizon Europe programme (GA No. 101121280) and by UKRI (IFS 10093453). Views expressed are those of the authors only. www.einstein-horizon.eu