iProov tech earns top rating for injection attack defence

iProov has received a top-tier independent assessment for its facial biometric liveness product, following testing against European and laboratory benchmarks for injection attack detection.

Its Dynamic Liveness technology is the first product to pass an Ingenium Level 4 evaluation and meet the CEN/TS 18099 "High" technical specification for injection attack detection. Ingenium Biometric Labouratories conducted the assessment. The lab holds ISO/IEC 17025 accreditation, which sets requirements for the competence of testing laboratories.

Testing benchmark

CEN/TS 18099 is an industry technical specification for injection attack detection in biometric systems. It is designed to give buyers a consistent way to compare how products perform under common testing conditions. Injection attacks can involve feeding synthetic or replayed biometric signals into a system, rather than presenting a real face to a camera.

Ingenium Level 4 builds on the CEN/TS 18099 requirements by adding a longer test period and more complex attack types. The evaluation ran for 40 days and included attempts to establish a successful injection attack method.

Ingenium did not establish any successful injection attack method during the assessment, and Dynamic Liveness blocked all attempts. iProov reported a Bona Fide Presentation Classification Error Rate of 1.3% in the testing, which measures how often genuine users are incorrectly rejected by a liveness check.

Deepfake pressure

Demand for stronger liveness checks has increased as generative AI makes it easier to create realistic synthetic face content. Organisations in financial services, government services and online platforms report greater exposure to identity fraud. Attackers have also adopted methods that bypass traditional presentation checks by injecting content into a device or software feed.

Standards-based testing has become a growing focus for procurement teams and regulators. Vendors often cite independent evaluations, but many rely on proprietary methods that do not align across suppliers, making consistent comparisons difficult.

Andrew Bud, iProov's founder and CEO, presented the results as a response to that problem.

"In the age of deepfakes, biometric security must be proven, not promised," said Andrew Bud, Founder and CEO, iProov.

"CEN/TS 18099 is the first true benchmark for injection attack detection, a requirement now included in NIST 800-63-4. Achieving Ingenium Level 4 through accredited testing sets iProov apart as the highest-assurance facial biometric provider independently validated today," said Bud.

Regulatory alignment

iProov linked the assessment to the direction of travel in digital identity guidance, citing NIST 800-63-4, the latest version of the US digital identity guidelines, which includes injection attack detection as a requirement in relevant contexts.

It also pointed to its FIDO Face Verification Certification. FIDO certifications are used in parts of the authentication market to indicate conformance with defined security and interoperability requirements. iProov said the combined results provide an audit trail that can be used in highly regulated environments.

The company cited frameworks including the UK National Cyber Plan and the European Union's EUDI Wallet initiatives as areas where organisations are seeking stronger identity assurance. It also said its product conforms to Web Content Accessibility Guidelines 2.2 Level AA, including Section 508, which is used in the US public sector.

Market context

Facial biometrics are central to remote onboarding and account recovery for many services, and are also used for authentication in mobile banking apps and government portals. This adoption has attracted attackers because biometric signals can be difficult to change if compromised, and because remote verification often relies on consumer-grade devices.

Injection attacks sit alongside more familiar presentation attacks such as masks, printed photos and replayed videos. Industry attention has shifted toward injection methods as attackers combine deepfake tools with remote access and device compromise, making tests that stress software-level attack paths more relevant.

iProov is headquartered in the UK and sells biometric verification and liveness detection services. It lists public sector and financial services customers including the US Department of Homeland Security, the UK Home Office, GovTech Singapore, ING and UBS.

Bud said iProov views CEN/TS 18099 as a new reference point for buyers assessing injection attack detection performance.