iBeta Level 1 PAD: 0% Attack Success Across 360 Attempts

A face match is only as trustworthy as the liveness check behind it. If an attacker can hold up a printed photo, replay a video, or wear a mask and pass, the biometric is theatre. Presentation Attack Detection (PAD) is the discipline of telling a real, present human from a spoof — and the way you prove a PAD system works is to have an independent lab attack it.

Didit did exactly that. Didit's biometric liveness passed iBeta Level 1 Presentation Attack Detection testing under ISO/IEC 30107-3, achieving a 0% attack success rate and 0% IAPAR across 360 attack attempts, tested by iBeta Quality Assurance — a NIST/NVLAP-accredited lab. This guide explains what PAD testing is, how iBeta runs it, and exactly what Didit's result means.

Key takeaways

• Didit passed iBeta Level 1 PAD testing under ISO/IEC 30107-3 — the international standard for biometric presentation attack detection.
• 0% attack success rate / 0% IAPAR across 360 attack attempts — every spoof attempt was correctly rejected.
• Tested by iBeta Quality Assurance, an accredited NIST/NVLAP testing lab (lab code 200962) — an independent third party, not a self-assessment.
• The result is Level 1. Didit reports Level 1 — it does not claim Level 2. The compliance letter is dated 2026-02-04, following testing from 2026-01-05.
• The certified system is the live one — Didit's biometric liveness, the same passive and active liveness modules you integrate.

What presentation attack detection is

A presentation attack is any attempt to defeat a biometric system by presenting a fake to the sensor — a printed photo, a screen replaying a video, a paper mask, a silicone mask, a cut-out. Presentation Attack Detection (PAD) is the system's ability to detect and reject those fakes while still accepting genuine, live users.

ISO/IEC 30107-3 is the international standard that defines how to test a PAD system objectively. Rather than letting a vendor describe its anti-spoofing in marketing language, the standard sets out a structured methodology: a defined set of attack types ("species"), a set of genuine subjects, and metrics that quantify how often attacks succeed and how often real users are wrongly rejected. The headline metric for the attacker's side is IAPAR — the Impostor Attack Presentation Accept Rate, the proportion of attack presentations that the system wrongly accepts. Lower is better; 0% means no attack got through.

How iBeta runs the test

iBeta Quality Assurance is one of the labs that conducts ISO/IEC 30107-3 PAD evaluations, and it is accredited by NIST/NVLAP (testing lab code 200962) — meaning a national accreditation program has verified the lab's competence to run these tests. That accreditation is what makes the result credible: the attacks are designed and executed by an independent expert lab, not by the vendor.

For Didit's evaluation, the test was structured as:

• 6 enrolled subjects, each completing 5 successful genuine authentications, to establish that real users pass.
• 6 species of presentation attack, each attempted 10 times per subject — producing 360 total attack attempts (6 species × 10 attempts × 6 subjects).
• The tested system was Didit Biometric Authentication v2.0, accessed via native Safari on an Apple iPhone 13 Pro running iOS 18.4.1, with backend cloud components — a real device-and-cloud configuration.
• Test period: 2026-01-05 to 2026-02-04, with the compliance letter dated 2026-02-04, signed by iBeta's Director of Biometrics.

The result: 0% PA success rate / 0% IAPAR. Across all 360 attack attempts, not one spoof was accepted. The system is compliant with ISO/IEC 30107-3 Level 1.

Level 1 vs Level 2 — stated honestly

ISO/IEC 30107-3 PAD testing has levels that differ in the sophistication of the attacks thrown at the system. Level 1 uses readily available, lower-cost presentation attack instruments. Level 2 introduces more sophisticated, custom-made instruments.

Didit's result is Level 1, and Didit reports it as Level 1 — not Level 2. The 12-month retest cadence typical for these letters means the next evaluation is due around 2027-02-04, at which point a Level 2 upgrade can be considered. Being precise about the level matters: a buyer evaluating anti-spoofing claims should be able to trust that "Level 1" means Level 1.

Why it matters

Liveness is the control that stops the most common — and most scalable — identity fraud: presenting someone else's photo or a deepfake video instead of being physically present. For a regulated onboarding flow, the strength of liveness directly affects how confidently you can rely on the biometric, and regulators increasingly expect anti-spoofing to be evidenced, not asserted.

An independent PAD test result converts an anti-spoofing claim into evidence. "Our liveness is robust" is marketing. "0% attack success across 360 attempts in an accredited iBeta Level 1 evaluation under ISO/IEC 30107-3" is a fact a compliance team can cite in a security questionnaire or a regulator submission.

How Didit helps

Independently tested liveness, in the product. The biometric liveness that iBeta evaluated is the same that powers Didit's verification flow. Passive liveness is available at $0.10 and active liveness at $0.15, paired with face match (1:1) at $0.05 — and the full core KYC bundle (ID verification, passive liveness, face match, IP analysis) is $0.33 per verification, with sub-2-second inference.

A distributable result. The iBeta Level 1 PAD compliance letter is distributable on request and is linked from Didit's site — so it can support biometric and anti-spoofing claims in marketing, security questionnaires, and regulator submissions without an NDA.

Honest reporting. Didit reports the result it earned — Level 1, 0% IAPAR across 360 attempts — and does not overstate it as Level 2. The renewal calendar tracks the retest, due around 2027-02-04.

Part of a full attestation stack. The iBeta result joins ISO/IEC 27001:2022 certification (cert nº ES144068), a SOC 2 Type 1 attestation (Security, Availability, Confidentiality), and the Spanish government sandbox conclusion — itself built on facial biometrics with active liveness — that Didit's remote verification exceeds in-person standards. The biometric strength the iBeta test measures is one of the reasons that government conclusion was reachable.

Use cases

• Regulated onboarding where anti-spoofing must be evidenced to a supervisor or auditor.
• High-risk verticals (fintech, crypto, iGaming) where presentation attacks are a frequent fraud vector.
• Security questionnaires that ask specifically for ISO/IEC 30107-3 PAD testing results.
• Age-assurance and biometric-auth flows that depend on a trustworthy liveness check.

Frequently asked questions

Is Didit iBeta Level 1 or Level 2?

Level 1. Didit passed iBeta Level 1 PAD testing under ISO/IEC 30107-3 with a 0% attack success rate. Didit reports Level 1 and does not claim Level 2; a Level 2 upgrade can be considered at the next retest.

What does 0% IAPAR mean?

IAPAR — the Impostor Attack Presentation Accept Rate — is the proportion of presentation attacks the system wrongly accepts. 0% means that across all 360 attack attempts in the evaluation, not one spoof was accepted.

How many attacks were tested?

360 attack attempts — 6 species of presentation attack, attempted 10 times each, across 6 enrolled subjects.

Who ran the test?

iBeta Quality Assurance, a NIST/NVLAP-accredited testing lab (lab code 200962), under ISO/IEC 30107-3. The compliance letter is dated 2026-02-04.

Can I get the iBeta result?

Yes. The iBeta Level 1 PAD compliance letter is distributable on request and is linked from Didit's security and compliance hub.

Ready to get started?

See Didit's full attestation stack on the security and compliance hub, explore the liveness and biometric checks on the ID Verification product page, and review transparent per-check pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, with iBeta Level 1-tested liveness in every flow.