Liveness checks are security measures that verify a person's physical presence during a digital identity interaction, rather than relying on a photo, video recording, or other techniques that are prone to spoofing. These checks are commonly used in remote identity proofing and some remote onboarding flows to mitigate presentation attacks during biometric capture.
The spoofing threat
When identity verification occurs remotely, such as provisioning an mDL without visiting the DMV, opening a bank account online, or accessing services through a web portal, the system can't rely on a human examiner to confirm the applicant is actually present.
Without liveness detection, an attacker could hold up a photo of someone else's face or play a video of the legitimate person. If the system simply compares an image to a reference photo, these attacks can succeed. The verification appears to pass, but the wrong person gains access.
As generative AI continues to improve, these threats intensify. Deepfake videos can simulate realistic facial movements. Synthetic images can pass basic photo checks. Traditional document-based verification is increasingly vulnerable to fabricated credentials. Liveness detection provides a defense layer that static image comparison cannot.
How liveness checks work
Liveness detection systems use various techniques to confirm physical presence:
Active liveness requires the user to perform specific actions, such as turning their head left, blinking, smiling, or following a moving object on the screen. These challenges are difficult for static images or pre-recorded videos to satisfy because they require real-time responses to unpredictable prompts.
Passive liveness analyzes subtle characteristics that distinguish live faces from reproductions of them. This might include analyzing skin texture, detecting the natural micro-movements present in live video, examining how light reflects off skin differently than off paper or screens, or identifying depth information that flat images lack.
3D depth analysis uses the device's sensors to verify three-dimensional presence. A photo or flat screen appears two-dimensional, while a real face has depth and contour that cameras can detect through various means, including structured light or time-of-flight sensors.
Challenge-response methods prompt users to follow randomized on-screen instructions, ensuring that responses are generated in real-time rather than being pre-recorded. The unpredictability of challenges makes it difficult for attackers to prepare spoofing materials in advance.
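The challenge-response idea above, as an added example (not code from this page or from any vendor): a server issues an unpredictable, single-use, time-limited sequence of prompts and checks the response against it. The action names, the 20-second window, and the `observed_actions` input (assumed to come from a separate video-analysis component) are assumptions made for illustration.

```python
import secrets
import time

ACTIONS = ["turn_left", "turn_right", "blink", "smile"]  # assumed prompt set
TTL_SECONDS = 20  # assumed response window


class ChallengeStore:
    """Issues one-time randomized liveness prompts and checks responses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge_id -> (expected actions, deadline)

    def issue(self, length=3):
        # secrets draws from the OS CSPRNG, so the sequence cannot be predicted.
        actions = [secrets.choice(ACTIONS) for _ in range(length)]
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (actions, self._clock() + TTL_SECONDS)
        return challenge_id, actions

    def verify(self, challenge_id, observed_actions):
        # pop() makes each challenge single-use: a replayed response fails.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return "unknown_or_reused"
        expected, deadline = entry
        if self._clock() > deadline:
            return "expired"  # too slow to be a real-time response
        if list(observed_actions) != expected:
            return "mismatch"  # e.g. a recording made for other prompts
        return "ok"


def demo():
    now = [0.0]  # constructed fake clock so the run is deterministic
    store = ChallengeStore(clock=lambda: now[0])
    results = []
    cid, actions = store.issue()
    results.append(store.verify(cid, actions))  # timely, correct response
    results.append(store.verify(cid, actions))  # same response replayed
    cid, actions = store.issue()
    now[0] += TTL_SECONDS + 1
    results.append(store.verify(cid, actions))  # answered after the window
    cid, actions = store.issue()
    results.append(store.verify(cid, actions + ["blink"]))  # wrong sequence
    return results


if __name__ == "__main__":
    print(demo())
```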
Liveness in credential issuance
During remote mDL provisioning, liveness checks help confirm that the person requesting the credential is actually present and is the same person whose identity documents are being presented. The system captures a selfie with liveness verification, then compares it to the reference photo on file with the DMV.
This combination of liveness detection to confirm presence and facial matching to confirm identity enables secure remote issuance without requiring an in-person visit to the DMV. The layered approach provides confidence that the credential goes to the right person.
Privacy and data retention
Liveness checks capture biometric data, typically in the form of video or images of the applicant's face. Best practices recommend minimizing the retention of this data. The selfie captured during verification can be automatically discarded after the check completes, leaving only the original reference image from the issuer's database.
This approach achieves the security benefit of liveness verification without creating new stores of biometric data that could be compromised. The DMV can confirm the applicant is present and matches their records, then discard the verification artifacts.
Standards and accuracy
Standards bodies and government programs are developing guidance and evaluation approaches for presentation-attack detection and liveness techniques, with ongoing work to improve accuracy and inclusivity. The goal is to ensure these checks work reliably across diverse populations and device types while remaining resistant to increasingly sophisticated spoofing attempts.



