How Does Liveness Detection Work? Active vs Passive

Liveness detection is a biometric check that confirms the person in a camera frame is real and physically present — not a photograph, a mask, or a synthetic video. It is the technical layer that separates "a face appears in the image" from "a live human is actually there."

Without it, face matching is straightforward to spoof. An attacker with a target's photo — freely available on social media or in a breach database — can hold it in front of a camera and pass a face-match check. Presentation Attack Detection, or PAD, is the discipline that closes this gap. Didit's liveness modules run inside every verification session and return a decision in under 2 seconds.

Key takeaways

• Liveness detection answers one question: is a live person present in front of the camera right now?
• Passive liveness ($0.10) requires no user action — the model analyzes a single capture for signs of life.
• Active liveness ($0.15) issues a challenge — turn, blink, or follow a target — and verifies a real physical response.
• PAD (Presentation Attack Detection) is the ISO/IEC 30107-3 standard that defines attack types and acceptance thresholds.
• Didit's passive liveness is certified by iBeta to Level 1 PAD: 0% attack success and 0% IAPAR (Impostor Attack Presentation Accept Rate) across 360 attempts.
• The full KYC (Know Your Customer) core flow — ID Verification + Passive Liveness + Face Match + IP analysis — costs $0.33, with 500 free checks every month.

What is liveness detection?

Liveness detection is the part of a biometric flow that verifies the subject is a real, physically present person — not a spoof. The formal term for the field is Presentation Attack Detection (PAD), standardized in ISO/IEC 30107-3. A PAD system classifies each session as either genuine or as a presentation attack: an attempt to fool the biometric sensor by presenting something other than a live face.

The primary performance metric is the IAPAR — Impostor Attack Presentation Accept Rate. It measures what fraction of spoofing attempts the system incorrectly classifies as genuine. A lower IAPAR is better; 0% means the system rejected every attack in the test set.

Why it matters

Face matching alone asks: does this face match a reference image? It does not ask: is this a live person? Those are different questions. A fraudster who obtains a document photo — from a breach dump, a social media profile, or a phished ID scan — can answer the first question without being present at all.

Liveness closes that gap. Combined with document verification and face match, it builds the three-legged check that underpins regulated KYC: the right document, the right face, and a live person holding them together.

Regulators increasingly reference biometric liveness in remote identity proofing frameworks. Didit's overall verification process has received the Tesoro/SEPBLAC/CNMV attestation — the only provider formally attested by an EU member-state government as safer than in-person identification — and liveness is a core component of that assurance.

Passive liveness: how it works

Passive liveness requires nothing from the user. The person looks toward the camera; the system captures a frame or short sequence and analyzes it without any prompt.

The analysis goes well beyond checking whether a face is detected. The model looks for signals that distinguish a real, three-dimensional surface from a flat reproduction: micro-texture of skin versus paper or screen, depth cues in lighting and shadow, the way light reflects across a curved face versus a flat substrate, and natural micro-movements — involuntary micro-blinks, breathing motion — that static images cannot replicate.

The result is a classification (genuine or attack) plus a confidence score, returned in under 2 seconds. Because passive liveness requires no user action, it integrates cleanly into any onboarding flow with minimal friction.

Catches: printed photographs, screens replaying a face, replay video captured without a specific real-time challenge.

Best for: consumer onboarding, age assurance, step-up re-authentication — any flow where friction is a conversion concern.

Active liveness: how it works

Active liveness adds a real-time challenge step. The system prompts the user to perform a physical action: turn their head to a specific angle, blink, smile, or track a moving point on screen. The response is recorded and cross-checked against what a live, physically present person would produce.

The challenge is randomized per session. A printed photo cannot turn its head. A pre-recorded video cannot match a challenge it was not filmed for. This makes active liveness more resilient against replay attacks and early-generation synthetic video.

Catches: everything passive catches, plus certain replay attacks where the attacker uses pre-recorded video to spoof a session.

Best for: higher-risk flows — financial onboarding with AML (Anti-Money Laundering) requirements, high-value account recovery, regulated crypto onboarding.

Use cases

Consumer fintech onboarding. Neobanks and payment platforms run passive liveness in the KYC core flow so every new user is confirmed as a live person before account activation. The $0.33 all-in cost makes it viable at scale.

Crypto exchange and VASP compliance. Exchanges and virtual asset service providers facing FATF requirements need biometric assurance that holds up to regulatory scrutiny. Active liveness is the appropriate level.

Age-gated digital services. Gaming, streaming, and regulated consumer platforms that use facial age estimation need liveness to confirm the face being analyzed belongs to a live person in front of the camera, not a held-up photo.

Account re-authentication. When a user initiates a high-value action — a large transfer, a credential change — Biometric Auth ($0.10) paired with liveness re-confirms the enrolled user is physically present, not an account-takeover attacker with device access.

How Didit helps

Liveness runs inside a Didit verification session — not as a separate standalone call. The integration works as follows:

1. In the Business Console, open the Workflow Builder and add Passive Liveness or Active Liveness to your workflow alongside ID Verification and Face Match.
2. From your backend, create a session: POST /v3/session/ with workflow_id, vendor_data, and callback_url.
3. Redirect the user to session.url — the hosted Didit UI handles camera access, capture, and the PAD model run. No client-side SDK changes are needed to add liveness to an existing flow.
4. Receive the result via webhook (session.status.updated) or poll GET /v3/session/{sessionId}/decision/. The liveness_checks[] array in the response carries the status, confidence score, and detected attack type if applicable.

The Workflow Builder lets you configure branching on the liveness outcome: route a DECLINED to manual review, allow a single re-attempt, or hard-reject — all without code deploys.

Frequently asked questions

What is the difference between passive and active liveness?

Passive liveness analyzes a single capture with no user prompt. Active liveness issues a real-time challenge — turn, blink, or track — that a live person must respond to. Passive is lower friction; active provides higher assurance against replay attacks.

What does iBeta Level 1 PAD mean?

iBeta is a NIST-accredited independent lab. Level 1 PAD testing covers printed photos, screen replay, and pre-recorded video attacks per ISO/IEC 30107-3. Didit achieved 0% attack success and 0% IAPAR across 360 tested attempts. Level 2 extends coverage to 3D masks and prosthetics — a separate, more demanding test that Didit does not currently claim.

How much does liveness cost?

Passive Liveness is $0.10 per check; Active Liveness is $0.15. Both count toward the 500 free verifications included every month — no minimums, no seat fees.

Does liveness stop deepfake injection attacks?

PAD addresses attacks where an artefact is presented in front of a physical camera. Injection attacks — where synthetic video is fed directly into the capture pipeline, bypassing the camera — are a distinct threat class requiring additional signal layers. See the injection attack detection guide for how Didit addresses both.

Does liveness replace document verification?

No. Liveness confirms a live person is present; it does not confirm who they are. Document verification and face match establish identity; liveness confirms presence. All three together constitute secure KYC.

Ready to get started?

• Learn the feature → Liveness Detection docs
• See it in the platform → ID Verification product page
• Check the price → Pricing — Passive Liveness $0.10, Active Liveness $0.15, 500 free/month
• Start free → business.didit.me