deepidv
Security | February 1, 2026 | 8 min read

Injection Attacks vs. Presentation Attacks: Understanding Modern Biometric Threats

Not all biometric attacks are created equal. Understanding the difference between presentation attacks and injection attacks is essential for building effective defenses. This technical guide breaks down both.

The biometric security industry has historically focused on a single threat category: presentation attacks. Someone holds up a printed photo, a screen, or a mask to a camera. The entire field of Presentation Attack Detection (PAD) was built around this threat model.

But the threat landscape has shifted. A second category — injection attacks — now represents a larger and more dangerous threat than presentation attacks. Many verification systems that achieve excellent PAD scores are completely blind to injection attacks.

Understanding both categories, their mechanics, and the required defenses is essential for anyone responsible for biometric security.

Presentation Attacks: The Known Threat

A presentation attack occurs when a physical artifact is presented to a genuine camera sensor. The camera captures what it sees, and the resulting image or video contains the artifact.

Common Presentation Attack Types

Printed photo — The simplest attack. A high-resolution photo printed on paper or a rigid surface. Detected by analyzing surface texture, the absence of depth cues, and paper/print-specific artifacts.

Screen replay — A digital photo or video displayed on a screen (phone, tablet, monitor). Detected by analyzing moiré patterns, screen pixel grid, refresh rate artifacts, and backlighting characteristics.

3D mask — A physical replica of the target's face, typically made from silicone, resin, or 3D-printed materials. More difficult to detect than 2D attacks because the mask has genuine 3D depth. Detected by analyzing material properties — silicone reflects light differently than skin.

Partial overlay — A mask or printed layer covering specific facial features while leaving others exposed. Designed to confuse facial recognition by blending real and fake elements.

Why PAD Detection Works Well

Presentation attacks have a fundamental limitation: the artifact exists in the physical world and must pass through a genuine camera sensor. This means the captured image contains physical evidence of the attack:

  • Paper has texture that differs from skin
  • Screens emit light rather than reflecting it
  • Masks have material properties that differ from human tissue
  • All physical artifacts produce reflections, shadows, and depth characteristics that differ from a real face

Modern PAD systems achieve 99%+ detection rates against presentation attacks because the physical evidence is reliably present in the captured data.

Injection Attacks: The Emerging Threat

An injection attack bypasses the camera entirely. Instead of presenting a physical artifact to a real camera, the attacker injects synthetic data directly into the verification pipeline. The system receives data that appears to come from a camera but was actually generated or manipulated by software.

How Injection Attacks Work

The attack chain typically follows this pattern:

  1. Intercept the camera feed — Using a virtual camera driver, rooted device, or compromised SDK, the attacker gains the ability to substitute the camera data with arbitrary content
  2. Generate or prepare synthetic content — A deepfake video, AI-generated face, or pre-recorded clip is prepared
  3. Inject into the pipeline — The synthetic content is fed into the verification system as if it were coming from the device's physical camera
  4. Spoof metadata — Camera metadata (device model, resolution, frame rate) is spoofed to match what the verification system expects

Why PAD Cannot Detect Injection Attacks

This is the critical insight: PAD analyzes the content of the captured image for physical evidence of presentation artifacts. An injection attack produces an image that was never captured by a camera — it was generated by software.

The injected image can be a perfect photograph of a real face. It contains no screen pixels, no paper texture, no mask artifacts, no moiré patterns. It is indistinguishable from a genuine camera capture because it was designed to be.

A verification system with perfect PAD scores will fail completely against injection attacks if it lacks injection detection.

Types of Injection Attacks

Virtual camera injection — The most common method. A virtual camera driver (such as OBS Virtual Camera or ManyCam) intercepts the camera API call and substitutes a synthetic feed. The application believes it is reading from a physical camera.

Rooted/jailbroken device manipulation — On a compromised device, the attacker can modify the camera driver at the OS level, intercepting and replacing the data before it reaches any application.

SDK tampering — If the verification SDK can be decompiled and modified, the attacker can alter it to accept injected data instead of camera data.

API-level injection — For server-side verification APIs that accept image uploads, the attacker simply uploads a synthetic image. No camera is involved at any point.

Man-in-the-middle — The attacker intercepts the data stream between the camera and the verification server, replacing genuine captures with synthetic content in transit.

Detection Strategies

Presentation Attack Detection (PAD)

Effective against physical artifacts presented to real cameras:

  • Texture analysis — Detect print, screen, and mask material properties
  • Depth analysis — Verify 3D face topology consistent with a real face
  • Reflection analysis — Detect lighting inconsistencies characteristic of flat surfaces
  • Temporal analysis — Analyze motion patterns over multiple frames

Injection Attack Detection (IAD)

Effective against synthetic data injected into the pipeline:

  • Device integrity verification — Confirm the device is not rooted, jailbroken, or emulated
  • Camera validation — Verify data is coming from a physical camera sensor, not a virtual camera
  • SDK integrity — Detect tampering with the verification SDK
  • Metadata consistency — Verify that camera metadata matches expected characteristics for the reported device
  • Pipeline monitoring — Detect anomalies in the data pipeline between capture and processing
  • Statistical fingerprinting — Detect the mathematical signatures of AI-generated or screen-captured content

Why You Need Both

The mistake many organizations make is implementing PAD without IAD, or vice versa. Both are necessary:

  • PAD without IAD catches the amateur attacker who holds up a photo but misses the sophisticated attacker who injects a deepfake
  • IAD without PAD catches the injection but misses the simple screen replay
  • PAD + IAD together create layered defense that addresses both threat categories
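
The IAD checks listed above and the "both are necessary" argument, sketched as a server-side gate. This is an added example, not deepidv's code: the `CaptureReport` fields, the profile table, the device names and the 0.9 PAD threshold are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed profile table: (width, height, fps) modes each device model is known to produce.
EXPECTED_PROFILES = {
    "ExamplePhone-A": {(1920, 1080, 30), (1280, 720, 30)},
    "ExamplePhone-B": {(1920, 1080, 30), (1280, 720, 60)},
}
# Virtual camera products named in the article; matched case-insensitively.
VIRTUAL_CAMERA_MARKERS = ("obs virtual camera", "manycam")

@dataclass
class CaptureReport:
    """Telemetry a (hypothetical) client SDK attaches to one capture."""
    device_model: str
    camera_label: str
    width: int
    height: int
    fps: int
    device_integrity_ok: Optional[bool]  # None means the signal never arrived
    sdk_integrity_ok: Optional[bool]     # None means the signal never arrived

def iad_findings(r: CaptureReport) -> list[str]:
    """Return the IAD checks this capture fails; missing signals count as failures."""
    findings = []
    if r.device_integrity_ok is not True:
        findings.append("device_integrity")
    if r.sdk_integrity_ok is not True:
        findings.append("sdk_integrity")
    if any(m in r.camera_label.lower() for m in VIRTUAL_CAMERA_MARKERS):
        findings.append("virtual_camera")
    modes = EXPECTED_PROFILES.get(r.device_model)
    if modes is None or (r.width, r.height, r.fps) not in modes:
        findings.append("metadata_mismatch")
    return findings

def liveness_decision(pad_score: float, r: CaptureReport, pad_threshold: float = 0.9) -> tuple[bool, list[str]]:
    """Gate on PAD and IAD separately so a high PAD score never offsets an IAD failure."""
    reasons = iad_findings(r)
    if pad_score < pad_threshold:
        reasons.append("pad_below_threshold")
    return (not reasons, reasons)

# Constructed sample reports: a genuine capture, a virtual camera feed, and inconsistent spoofed metadata.
GENUINE = CaptureReport("ExamplePhone-A", "Front Camera", 1920, 1080, 30, True, True)
INJECTED = CaptureReport("ExamplePhone-A", "OBS Virtual Camera", 1920, 1080, 30, True, True)
SPOOFED = CaptureReport("ExamplePhone-A", "Front Camera", 1920, 1080, 60, None, True)
```

Every field in the report is client-supplied, so passing these checks only shows the reported data was consistent; the integrity signals need to come from a source the client cannot forge.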

How deepidv Implements Dual Defense

deepidv's biometric security combines both PAD and IAD in a single verification flow:

  • Passive multi-signal PAD evaluates texture, depth, reflection, and statistical signals from the captured image
  • Active IAD monitors device integrity, camera authenticity, SDK integrity, and pipeline consistency
  • Combined scoring aggregates PAD and IAD signals into a unified liveness decision
  • Independent operation — PAD and IAD run in parallel, ensuring that neither can be bypassed by compromising the other

The result is a defense that covers both the physical and digital attack surfaces — the full spectrum of modern biometric threats.
