Injection Attack Detection: Stopping Deepfakes in Biometric Verification

A presentation attack holds a fake artefact in front of a camera. An injection attack bypasses the camera entirely, feeding a synthetic video directly into the software capture pipeline before any liveness or face-match check runs.

Both are spoofing attacks against biometric verification. They require different defenses. In 2026, with accessible deepfake tooling and commercially available virtual camera software, a complete biometric verification system needs to address both threat classes — not just one.

Key takeaways

• Presentation attacks (printed photos, screens, masks, replay video) hold a spoof artefact in front of the physical camera. PAD (Presentation Attack Detection) defends against them.
• Injection attacks bypass the camera hardware entirely, inserting a synthetic or pre-recorded video stream directly into the software capture layer — the biometric SDK or browser API never sees a real camera feed.
• Didit's PAD is certified to iBeta Level 1 PAD (ISO/IEC 30107-3): 0% attack success and 0% IAPAR (Impostor Attack Presentation Accept Rate) across 360 tested attempts. Level 1 covers presentation attacks. Didit does not claim Level 2.
• Injection attack defense requires additional signal layers — virtual camera detection, session integrity checks, and behavioral signals — beyond what iBeta Level 1 tests.
• Both threat classes are active in 2026: presentation attacks remain common at scale; deepfake injection is increasingly accessible via off-the-shelf tooling.
• Didit combines PAD-certified liveness with over 200 fraud signals per session, including device and session integrity checks that surface virtual camera injection.

What are presentation attacks?

A presentation attack is any attempt to spoof a biometric sensor by presenting a non-live artefact in front of it. ISO/IEC 30107-3 defines four canonical types:

• Printed photo attack — a photograph of the target, printed or displayed on a screen, held in front of the camera.
• Screen replay attack — the target's face displayed on a monitor, phone, or tablet positioned in front of the camera.
• Pre-recorded video attack — a video of the target played back in front of the camera.
• 3D mask attack — a physical mask shaped to resemble the target's face.

PAD systems detect these attacks by analyzing signals that distinguish a live face from a flat reproduction: the micro-texture of skin versus paper or a screen, depth cues in lighting and shadow, the way light reflects across a curved surface, and biological micro-movements — micro-blinks, breathing motion — that static images and recordings cannot replicate.

Didit's Passive Liveness has passed iBeta Level 1 PAD testing, achieving 0% attack success and 0% IAPAR across 360 tested attempts. Level 1 covers printed and digital screen attacks and replay video. Level 2, which extends to 3D masks and prosthetics, is a separate and more demanding test — Didit does not claim Level 2 certification.

What are injection attacks?

An injection attack does not present anything in front of a camera. Instead, it inserts a synthetic or pre-recorded video stream directly into the software capture pipeline — intercepting the data between the camera hardware and the verification application before any liveness model runs.

The attacker uses a virtual camera driver: software that appears to the operating system as a legitimate camera device, but routes a manipulated video stream to the identity verification SDK or browser API. The fake stream can be a deepfake generated from static photos of the target, a replay of a genuine prior verification session, or a real-time synthetic face rendered to defeat specific liveness challenges.

Why this matters: a PAD model trained on live camera inputs can be defeated by injection if the model assumes its input comes from a physical camera. The PAD analysis runs on synthetic or replayed data that may pass the liveness classifier because the attack does not present a flat photo — it presents what looks like a coherent real-time video stream.

Injection attacks require more technical sophistication than presentation attacks, but the tooling has become widely accessible. Commercial deepfake generation and virtual camera software are available to anyone, and documentation for bypassing liveness checks via virtual cameras is published openly online.

Why both threat classes matter in 2026

Five years ago, the dominant biometric fraud vector was the presentation attack. Operators who deployed PAD-certified liveness could address the vast majority of real-world attempts.

Today the threat landscape has bifurcated. Presentation attacks remain common — they are inexpensive, scalable, and effective against flows without PAD. But injection attacks are growing, driven by three shifts:

Accessible deepfake generation. Photo-to-video deepfake synthesis now runs on consumer hardware in seconds using publicly available models trained on a handful of reference images. An attacker needs only a document scan and a few social media photos to generate a usable face video.

Virtual camera proliferation. Virtual camera drivers installed for legitimate purposes — video conferencing, streaming, content production — are trivially repurposed for injection fraud. The operating system cannot distinguish a legitimate OBS virtual camera from a fraud-purpose one.

Industrialized attack pipelines. Fraud rings have automated both attack types, combining them with synthetic identity packages — fabricated documents paired with generated faces — to pass layered verification flows at scale.

A verification system certified against presentation attacks but blind to injection is meaningfully weaker than the certification implies.

How Didit defends against both

Against presentation attacks: Didit's Passive Liveness is iBeta Level 1 PAD certified — 0% IAPAR across 360 attempts, covering printed photos, screen displays, and video replay. The model analyzes depth cues, micro-texture, and biological micro-movements that presentation artefacts cannot replicate.

Against injection attacks: Beyond the PAD model, every Didit session collects over 200 fraud signals, including device integrity signals, browser and OS environment analysis, and session consistency checks. Virtual camera injection leaves detectable traces: abnormal driver signatures, inconsistent video metadata, missing sensor-noise patterns, and session timing anomalies that live camera captures do not produce.

The Workflow Builder lets you configure response actions when injection signals fire: hold for manual review, decline outright, require a re-attempt on a different device, or step up to Active Liveness — which issues a randomized real-time challenge that is significantly harder to pass with a pre-generated deepfake. All of this is configurable without code changes.

Use cases

Crypto exchange KYC onboarding. Exchanges are high-value targets for synthetic-identity fraud combining fabricated documents with deepfake faces. Effective defense requires both PAD and injection signal layers — PAD alone misses the injection path.

Fintech account recovery. Account recovery flows are targeted because they allow credential reset. Biometric step-up with injection detection prevents an attacker who has a target's photos from resetting account access remotely without physical presence.

iGaming age and identity verification. Regulated gaming platforms face presentation attacks from underage users and injection attacks from previously banned accounts. Both defenses are required to satisfy licence obligations.

High-value re-authentication. Transfer authorization, wallet address changes, and SIM-swap reversal are the highest-return targets for injection attacks. Detection at these checkpoints protects the highest-risk user actions.

How Didit helps

All liveness and injection defenses run inside a single Didit session — no separate integration per signal type:

1. In the Business Console, add Passive Liveness or Active Liveness and any risk modules to your workflow in the Workflow Builder.
2. Create a session from your backend: POST /v3/session/ with workflow_id and vendor_data.
3. Redirect the user to session.url — the hosted flow runs PAD, device integrity checks, and injection-signal analysis in parallel.
4. Read the result from GET /v3/session/{sessionId}/decision/ or the session.status.updated webhook. The response includes liveness_checks[] for the PAD result and risk signals from the 200+ fraud signal layer.

Use the Workflow Builder to branch on the results: a high injection-risk score routes to Active Liveness, manual review, or a device change prompt — all without shipping code.

Frequently asked questions

What is the difference between a presentation attack and an injection attack?

A presentation attack holds a spoof — photo, screen, mask — in front of the physical camera. An injection attack bypasses the camera, feeding a synthetic video stream directly into the capture software. They require different detection mechanisms.

Is Didit certified against injection attacks specifically?

Didit's iBeta Level 1 PAD certification covers presentation attacks per ISO/IEC 30107-3. Injection attack defense is provided through the 200+ fraud signal layer and device/session integrity analysis. There is no equivalent third-party certification standard for injection attacks the way there is for PAD.

Does deepfake detection require special integration?

No. Injection and deepfake signals are collected automatically within every Didit session. You configure response actions in the Workflow Builder — no additional SDK integration or custom code is required.

Can injection attacks defeat Active Liveness?

Real-time challenge-response makes injection significantly harder — the synthetic feed must respond to a randomized, unpredictable challenge at the moment it is issued. That is materially more difficult than replaying a pre-recorded deepfake, and the additional session-timing signals make injection attempts more detectable.

Does Didit claim Level 2 PAD certification?

No. Didit's iBeta certification is Level 1, which covers printed, digital, and replay presentation attacks. Level 2 extends to 3D masks and prosthetics. Didit does not claim Level 2.

Ready to get started?

• Learn the feature → Liveness Detection docs
• See it in the platform → User Verification
• See the trust hub → Security & Compliance
• Check the price → Pricing — Passive Liveness $0.10, Active Liveness $0.15, 500 free/month
• Start free → business.didit.me