Use this checklist to ensure your liveness evaluation mirrors real-world attacks. It follows ISO/IEC 30107-3 terminology and Axon Labs’ practical taxonomy of physical presentation attack instruments (PAIs).
Include these attack families (with the minimum variation noted per family; a coverage-check sketch follows the figure)
- Printed: flat, cutouts, cylindrical wraps, 3D paper heads; ≥5 materials/finishes, multiple printers; vary distance/angles/lighting
- Screen replay: phone/tablet/laptop/monitor; ≥4 screen types × 3 brightness levels; front vs external camera. Example: Replay Attacks Dataset by Axon Labs
- Photo-on-actor: flat or wrapped; ≥5 actors; 2–3 fixation methods; with/without real accessories
- 3D masks: resin, latex, silicone, hyper-real; ≥2 manufacturers per subclass; wigs/glasses/beards; turning sequences. Example: iBeta Level 2 Dataset
- Textile/fabric masks: printed balaclavas; hood + glasses combos; ≥3 fabric types; indoor/outdoor; different motion levels
Image: Axon Labs physical face-attack taxonomy — printed, cutout, cylindrical, replay, photo-on-actor, resin/latex/silicone masks, textile masks
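If you track collection progress in code, a small coverage matrix can flag gaps before capture ends. The sketch below is illustrative only: the category keys, axis names, and the check_coverage helper are our own choices, not part of ISO/IEC 30107-3 or any library.

```python
# Minimal coverage-matrix sketch (assumed names, not a standard API).
# Minimum distinct variants required per PAI family, from the checklist above.
MIN_COVERAGE = {
    "printed":        {"materials": 5},
    "screen_replay":  {"screen_types": 4, "brightness_levels": 3},
    "photo_on_actor": {"actors": 5, "fixation_methods": 2},
    "mask_3d":        {"manufacturers": 2},   # per mask subclass
    "textile_mask":   {"fabric_types": 3},
}

def check_coverage(clips: list[dict]) -> dict:
    """clips: one dict per clip, e.g. {"pai": "printed", "materials": "glossy_paper"}.
    Returns, per PAI family, the axes where coverage falls short as (have, need)."""
    gaps: dict = {}
    for pai, minima in MIN_COVERAGE.items():
        family = [c for c in clips if c.get("pai") == pai]
        for axis, need in minima.items():
            have = len({c.get(axis) for c in family if c.get(axis)})
            if have < need:
                gaps.setdefault(pai, {})[axis] = (have, need)
    return gaps
```

For example, check_coverage([{"pai": "printed", "materials": "matte_paper"}]) reports that "printed" has 1 of 5 required materials and that the other families have no clips yet.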
Diversity that keeps metrics honest
- Dataset scale: ≥1,000 attack videos total; for robustness, aim for ≥1,000 per PAI category
- People/devices/scenes: >100 participants; ≥3 cameras (2 phones + 1 laptop/external webcam); bright/dim/backlight; indoor & outdoor
- Capture & pose: 24/30/60 fps; low/med/high bitrate; 30–80 cm; yaw/pitch/roll; with & without glasses/facial hair/hood
- Metadata (required for every clip): PAI type/subclass, material/brand, printer/screen model & settings, distance, lighting, operator, date/series, outcome (success/fail)
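One way to make the metadata requirement enforceable is a typed per-clip record. The sketch below is a minimal example; the field names and enum values are illustrative choices, not a prescribed schema.

```python
# Per-clip metadata record covering the required fields above (sketch only;
# field names are our own, not a standard schema).
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Outcome(str, Enum):
    SUCCESS = "success"  # the attack fooled the system under test
    FAIL = "fail"

@dataclass
class ClipMetadata:
    pai_type: str               # e.g. "screen_replay"
    pai_subclass: str           # e.g. "tablet"
    material_or_brand: str      # mask material, paper finish, or device brand
    device_model_settings: str  # printer/screen model & settings used
    distance_cm: int            # capture distance
    lighting: str               # e.g. "dim_indoor", "backlight"
    operator: str
    capture_date: date
    series_id: str              # date/series grouping
    outcome: Outcome            # success/fail against the system under test
```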
Useful references: ISO/IEC 30107-3, FIDO Alliance biometric requirements, and iBeta PAD testing
Reporting that procurement can trust
- Publish APCER, BPCER, ACER, and EER per PAI class and per device (a computation sketch follows this list)
- Map to ISO/IEC 30107-3; explicitly show performance on unknown PAIs
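For concreteness, here is a minimal sketch of the rates at a fixed decision threshold. It assumes liveness scores where higher means more likely bona fide; reporting APCER as the maximum per-class rate follows ISO/IEC 30107-3, while ACER as the mean of APCER and BPCER is a common reporting convention rather than part of the standard. The EER helper approximates the equal error rate by a discrete threshold sweep.

```python
# Sketch: ISO/IEC 30107-3-style rates from raw scores (assumed convention:
# higher score = more likely bona fide; names are illustrative).
def pad_metrics(bona_fide_scores, attack_scores_by_pai, threshold):
    # BPCER: bona fide presentations wrongly rejected as attacks.
    bpcer = sum(s < threshold for s in bona_fide_scores) / len(bona_fide_scores)
    # APCER per PAI class: attacks wrongly accepted as bona fide.
    apcer = {pai: sum(s >= threshold for s in scores) / len(scores)
             for pai, scores in attack_scores_by_pai.items()}
    apcer_max = max(apcer.values())      # report the worst PAI class
    acer = (apcer_max + bpcer) / 2       # common summary, not in the standard
    return {"BPCER": bpcer, "APCER_per_class": apcer,
            "APCER": apcer_max, "ACER": acer}

def eer(bona_fide_scores, attack_scores):
    # Approximate EER: the observed score where APCER and BPCER cross.
    def rates(t):
        a = sum(s >= t for s in attack_scores) / len(attack_scores)
        b = sum(s < t for s in bona_fide_scores) / len(bona_fide_scores)
        return a, b
    best = min(sorted(set(bona_fide_scores) | set(attack_scores)),
               key=lambda t: abs(rates(t)[0] - rates(t)[1]))
    a, b = rates(best)
    return (a + b) / 2
```

Running pad_metrics once per capture device yields the per-device breakdown the bullet above asks for.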
iBeta PAD — how to operationalize it
- Understand the scope: a formal lab evaluation at a defined operating point on a fixed test set; it is not a guarantee against unknown PAIs or non-physical threats
- Make it actionable: reproduce results on your target devices; extend the test set with this checklist; report per-class APCER and overall ACER; verify the claimed threshold on held-out data (see the sketch after this list); log latency/TPS on production hardware
- Avoid common mistakes: conflating replay and print attacks when building or labeling the test set; too little variability within each PAI class; too few genuine (bona fide) sessions captured under conditions matching the attacks
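A self-contained sketch of the "verify threshold on held-out data" step: re-check the claimed operating point on your own held-out bona fide and attack scores. The acceptance bounds below are placeholders, not iBeta pass criteria; substitute your procurement targets.

```python
# Sketch: re-verify a claimed operating threshold on held-out data
# (max_bpcer/max_apcer are illustrative bounds, not iBeta criteria).
def verify_operating_point(bona_fide_scores, attack_scores_by_pai,
                           claimed_threshold, max_bpcer=0.05, max_apcer=0.01):
    bpcer = sum(s < claimed_threshold for s in bona_fide_scores) / len(bona_fide_scores)
    apcer = max(sum(s >= claimed_threshold for s in scores) / len(scores)
                for scores in attack_scores_by_pai.values())
    passed = bpcer <= max_bpcer and apcer <= max_apcer
    return passed, {"BPCER": bpcer, "worst_APCER": apcer}
```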