Antony Vendhan
Co-founded Identy.io in 2018, bringing together deep technical expertise and enterprise sales leadership to build touchless identification technology. Before launching Identy.io, he spent nearly seven years leading sales at Metron Consulting Services and served as a partner there for five years prior. His career started on the technical side—working as a Technical Yahoo at Yahoo! in the early 2000s and running independent development projects. That rare combination of hands-on tech experience and strategic sales gives him a unique perspective on scaling biometric solutions that actually work in the real world.

ISO/IEC 30107-3 PAD Level 2: Biometric Buyer Guide

Biometric authentication is only as strong as its ability to tell a real person from a spoof. As attackers shift from printed photos to 3D silicone masks and deepfakes, presentation attack detection (PAD) — the technology that stops these spoofs — has become a core requirement for any serious identity verification system.

ISO/IEC 30107-3 is the international standard that defines how PAD is tested, and its Levels 1, 2, and 3 conformance is the threshold regulated industries — banking, government, telecom — now treat as the baseline. Identy.io’s facial biometric technology has been independently certified to ISO/IEC 30107-3 Level 1 and 2 by iBeta with a perfect score (0% Imposter Attack Presentation Match Rate). This page explains what that means, how the standard works and why it matters when you are choosing a biometric vendor.

What is ISO/IEC 30107-3?

ISO/IEC 30107-3 is part of the ISO/IEC 30107 family of standards on biometric presentation attack detection. The family has three parts:

  • Part 1 (ISO/IEC 30107-1): Framework — defines the concepts and terminology of presentation attacks.
  • Part 2 (ISO/IEC 30107-2): Data formats — specifies how PAD-related data is exchanged between systems.
  • Part 3 (ISO/IEC 30107-3): Testing and reporting — the methodology testing labs use to measure whether a biometric system can reliably distinguish a real human from a spoof.

Part 3 is the one that matters for certification. It defines the metrics, the testing protocol and the categories of attacks (“Presentation Attack Instruments”, or PAIs) that a system must withstand. Without a common methodology, vendor claims of “anti-spoofing” could not be compared objectively.

The standard applies to all major biometric modalities: face, fingerprint, iris, voice and palm. The most common certification today is for facial recognition and facial liveness, because face is the most-attacked modality.

Two core metrics measure PAD performance under ISO/IEC 30107-3:

  • IAPMR (Imposter Attack Presentation Match Rate): the share of spoof attacks the system wrongly accepts as genuine. Lower is better.
  • BPCER (Bona Fide Presentation Classification Error Rate): the share of legitimate users the system wrongly rejects. Lower is better.

A system performs well only when both numbers stay low at the same time.
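
An added example (not Identy.io's or iBeta's code) that computes IAPMR per PAI category and BPCER from a trial log, and goes one step beyond the text by attaching a 95% upper bound to a 0% result. The trial counts, category names and function names are constructed for illustration.

```python
from collections import defaultdict

def make_trials():
    """Constructed trial log, not real lab data: (kind, pai_category, accepted)."""
    trials = []
    for pai in ("printed_photo", "screen_replay", "silicone_mask"):
        trials += [("attack", pai, False)] * 150          # every spoof rejected
    trials += [("bona_fide", None, True)] * 47            # genuine users accepted
    trials += [("bona_fide", None, False)] * 3            # genuine users rejected
    return trials

def upper_bound_zero_errors(n, confidence=0.95):
    """Exact one-sided upper bound on the true rate after 0 errors in n trials."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n)

def pad_report(trials, confidence=0.95):
    attacks = defaultdict(lambda: [0, 0])                 # pai -> [accepted, total]
    bf_rejected = bf_total = 0
    for kind, pai, accepted in trials:
        if kind == "attack":
            attacks[pai][0] += int(accepted)
            attacks[pai][1] += 1
        else:
            bf_total += 1
            bf_rejected += int(not accepted)
    if not attacks or bf_total == 0:
        raise ValueError("need both attack and bona fide presentations")
    per_pai = {}
    for pai, (accepted, total) in attacks.items():
        entry = {"trials": total, "iapmr": accepted / total}
        if accepted == 0:
            # 0% observed only bounds the true rate; fewer trials, looser bound.
            entry["upper_bound"] = upper_bound_zero_errors(total, confidence)
        per_pai[pai] = entry
    return {
        "per_pai": per_pai,
        # Report the worst category: an average would hide one weak PAI type.
        "worst_iapmr": max(e["iapmr"] for e in per_pai.values()),
        "bpcer": bf_rejected / bf_total,
    }

if __name__ == "__main__":
    report = pad_report(make_trials())
    for pai, entry in report["per_pai"].items():
        print(pai, entry)
    print("worst IAPMR:", report["worst_iapmr"], "BPCER:", report["bpcer"])
```

When reading a test report, the number of presentations per PAI category matters as much as the headline rate, because it sets how tight the bound on a 0% result is.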

PAD Level 1 vs Level 2: What's the Difference?

The Levels refer to the sophistication of the attacks a system is tested against. Both levels use the same underlying metrics; the difference is the difficulty of the PAIs and the bar for passing.

| Aspect | Level 1 | Level 2 |
| --- | --- | --- |
| Attack types tested | Basic — printed photos, screen replays, simple paper or rubber masks | Advanced — 3D silicone and resin masks, high-resolution custom prints, dynamic video replays, deepfake-style synthetic media |
| Effort and cost to produce the spoofs | Low; consumer-grade materials | Significant; specialized fabrication and expert effort |
| What passing proves | The system resists casual or opportunistic spoofing | The system resists organized, professional and well-funded attacks |
| Typical use cases | Consumer applications, low-risk authentication | Banking onboarding, government digital identity, telecom KYC, high-value transactions |
| Common buyer requirement | Sufficient for low-risk consumer products | The de facto standard for regulated industries |

In practice, Level 1 is the entry tier and Level 2 is what buyers in regulated sectors actually require. A determined attacker with a modest budget can usually defeat a Level 1 system. Level 2 is designed to stop the kind of attacks a fraud ring would actually invest in: a $2,000 silicone mask, a high-end deepfake pipeline, a coordinated replay attack.

To pass Level 2, a system must detect every spoof in the tested PAI categories — the bar for a perfect score is 0% IAPMR — while keeping false rejections of legitimate users low.

Who Tests ISO 30107-3? Understanding iBeta and NIST

There is frequent confusion about who actually issues ISO 30107-3 certifications, so clarity matters here.

ISO 30107-3 conformance testing is performed by independent testing laboratories. The most widely recognized in the biometric industry is iBeta Quality Assurance, a US-based lab accredited by NIST under the National Voluntary Laboratory Accreditation Program (NVLAP) for biometric testing.

The process is straightforward:

  • The vendor submits its biometric SDK to the lab.
  • The lab attempts a battery of presentation attacks at the relevant level (1 or 2), using a defined range of PAIs.
  • The lab records the system’s response and computes IAPMR and BPCER.
  • If the system meets the conformance criteria, the lab issues a Letter of Conformance referencing ISO/IEC 30107-3 and the level achieved.

A few clarifications buyers often need:

  • NIST does not directly issue ISO 30107-3 certifications. NIST accredits labs (such as iBeta) that perform the testing. A vendor’s reference to “NIST” in this context normally means tested by a NIST/NVLAP-accredited lab to the ISO 30107-3 standard.
  • ISO 30107-3 conformance is distinct from NIST FRTE/FRVT. NIST runs its own face recognition evaluations, which measure recognition accuracy rather than anti-spoofing. Both are reputable; they measure different things.
  • Conformance letters are dated and scoped. When evaluating vendors, ask for the letter and check the test date and the specific PAI categories included.

Why ISO/IEC 30107-3 Level 2 Matters for Procurement and Compliance

This is where the standard moves from a technical detail to a business requirement.

In regulated industries, ISO 30107-3 Level 2 has become the procurement baseline for biometric identity verification:

  • Banking and financial services. Anti-money-laundering (AML) and know-your-customer (KYC) regulations increasingly require demonstrable anti-spoofing capability for remote onboarding. ISO 30107-3 Level 2 is the standard evidence requested in RFPs.
  • Government and digital identity. National digital ID programs, eGovernment services and electoral systems require deepfake-resistant identity proofing. Level 2 closes the procurement question on PAD.
  • Telecom. SIM activation, customer onboarding and SIM-swap prevention are regulated in most countries. National regulators and GSMA guidelines push toward standardized PAD testing.
  • Enterprise security and workforce identity. As AI-driven account takeover grows, security teams now require Level 2 PAD for high-privilege access and remote workforce authentication.

A common mistake during vendor selection is treating “we have liveness” as equivalent to “we have ISO 30107-3 Level 2.” They are not the same. Many vendors implement liveness detection without ever submitting it to independent testing — or test only at Level 1.

When evaluating a biometric vendor, the practical questions to ask are:

  • Has the system been tested under ISO/IEC 30107-3? At what level?
  • Which laboratory performed the testing, and is it NIST/NVLAP or FIDO accredited?
  • What was the test date and scope (which PAI categories, which biometric modalities)?
  • Can you share the conformance letter?
  • Does the certification cover the specific component (face, fingerprint, etc.) you intend to deploy?

A vendor that can answer these clearly belongs on the shortlist. A vendor that cannot, should not.

How Identy.io Achieved a Perfect-Score Level 2 PAD Certification

Identy.io’s facial liveness technology — integrated across our facial recognition SDK and identity verification platform — has been independently tested by iBeta to ISO/IEC 30107-3 Level 1 and Level 2 with a perfect-score result: 0% IAPMR across the tested PAI categories.

In practical terms, every spoof presented to the system during testing was correctly identified, including:

  • 3D silicone and resin masks (hyper-realistic, custom-fabricated)
  • High-resolution printed and screen-replayed images
  • Dynamic video presentation attacks
  • Synthetic media including deepfake-style attacks

The certification covers Identy.io’s facial liveness component, which is available across the Identy biometric SDK family — including the Finger SDK, Facial Recognition SDK and Palm SDK — and as part of our full identity verification platform.

What this means for our customers:

  • Banking, government and telecom buyers can deploy Identy.io confident that the anti-spoofing layer meets the standard their regulators expect.
  • Security and procurement teams can document compliance with reference to an independent conformance letter.
  • The same certified liveness underpins Identy.io’s broader work on deepfake detection, closing the loop on AI-driven identity fraud.

Frequently Asked Questions about ISO/IEC 30107-3 PAD Level 2

What is ISO/IEC 30107-3?

ISO/IEC 30107-3 is the international standard that defines how to test and report on biometric presentation attack detection (PAD). It specifies the metrics, testing methodology and Presentation Attack Instruments (PAIs) used to measure whether a biometric system can reliably distinguish a real human from a spoof.

What’s the difference between PAD Level 1 and Level 2?

Level 1 tests biometric systems against basic, low-cost spoofs such as printed photos and screen replays. Level 2 tests against far more sophisticated attacks, including 3D silicone masks, custom prints and deepfake-style synthetic media. Level 2 is the de facto requirement in regulated industries such as banking, government and telecom.

Is ISO 30107-3 the same as NIST certification?

No. NIST does not issue ISO 30107-3 certifications directly. NIST accredits independent labs such as iBeta under the NVLAP program, and those labs perform the ISO 30107-3 conformance testing. NIST also runs its own separate face recognition evaluations (FRTE/FRVT), which measure recognition accuracy rather than anti-spoofing.

How long is ISO 30107-3 certification valid?

ISO 30107-3 conformance letters reference a specific test date and scope. There is no formal expiration, but the biometric industry generally treats certifications older than two to three years as outdated, given how quickly attack techniques evolve. Vendors typically retest as their systems are updated.

Does ISO 30107-3 cover deepfakes?

Yes, at Level 2. The PAI categories tested at Level 2 include synthetic and video-based presentation attacks, which encompass deepfake-style spoofing. Level 1 testing generally does not cover these.

Which biometric modalities can be certified under ISO 30107-3?

The standard applies to all major biometric modalities — face, fingerprint, iris, voice and palm. Face is the most commonly certified modality today because it is the most-attacked.

How do I verify a vendor’s ISO 30107-3 claim?

Ask the vendor for the conformance letter issued by the testing laboratory. The letter should reference the standard (ISO/IEC 30107-3), the conformance level achieved, the test date, the PAI categories tested and the specific biometric component covered. A NIST/NVLAP or FIDO-accredited lab name on the letter confirms the testing was independent.
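
The vendor questions listed earlier and the letter contents described in this answer can be turned into a repeatable check. The following is an added example, not Identy.io's or any lab's tooling; the field names, category labels and sample letter are hypothetical, and the three-year cutoff takes the upper end of the "two to three years" mentioned above.

```python
from datetime import date

# Hypothetical field names for the facts a conformance letter should state.
REQUIRED = ("standard", "level", "test_date", "pai_categories",
            "component", "lab_accreditation")

def review_letter(letter, need, today, max_age_years=3):
    """Return a list of gaps between a conformance letter and a deployment need."""
    missing = [f for f in REQUIRED if not letter.get(f)]
    if missing:
        return ["letter does not state: " + ", ".join(missing)]
    findings = []
    if "30107-3" not in letter["standard"]:
        findings.append("letter does not reference ISO/IEC 30107-3")
    if letter["level"] < need["level"]:
        findings.append(f"tested at Level {letter['level']}, need Level {need['level']}")
    if letter["component"] != need["modality"]:
        findings.append(f"covers {letter['component']}, deploying {need['modality']}")
    uncovered = sorted(set(need["pai_categories"]) - set(letter["pai_categories"]))
    if uncovered:
        findings.append("PAI categories not in scope: " + ", ".join(uncovered))
    if letter["lab_accreditation"] not in ("NVLAP", "FIDO"):
        findings.append("lab accreditation is not NVLAP or FIDO")
    age_years = (today - letter["test_date"]).days / 365.25
    if age_years > max_age_years:
        findings.append(f"test is {age_years:.1f} years old")
    return findings

# Constructed sample letter and requirement, not taken from any real vendor.
SAMPLE_LETTER = {
    "standard": "ISO/IEC 30107-3", "level": 1,
    "test_date": date(2021, 1, 15),
    "pai_categories": ["printed_photo", "screen_replay"],
    "component": "face", "lab_accreditation": "NVLAP",
}
SAMPLE_NEED = {"modality": "face", "level": 2,
               "pai_categories": ["printed_photo", "silicone_mask"]}

if __name__ == "__main__":
    for finding in review_letter(SAMPLE_LETTER, SAMPLE_NEED, date(2025, 1, 15)):
        print("-", finding)
```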

Is ISO 30107-3 Level 2 required for banking or government?

Increasingly, yes. Specific requirements vary by jurisdiction, but regulators and procurement teams in banking, fintech, government digital identity, electoral systems and telecom widely treat Level 2 as the baseline expectation for anti-spoofing in any biometric onboarding or authentication system.

Bibliography

The standards, regulatory guidance and testing methodology referenced on this page are available from the following primary sources.

  • International Organization for Standardization. ISO/IEC 30107-3:2023 — Information technology — Biometric presentation attack detection — Part 3: Testing and reporting. iso.org/standard/79520.html
  • International Organization for Standardization. ISO/IEC 30107-1:2023 — Information technology — Biometric presentation attack detection — Part 1: Framework. iso.org/standard/83828.html
  • International Organization for Standardization. ISO/IEC 30107-2:2017 — Information technology — Biometric presentation attack detection — Part 2: Data formats. iso.org/standard/67380.html
  • iBeta Quality Assurance. ISO 30107-3 Presentation Attack Detection Confirmation Letters. ibeta.com
  • National Institute of Standards and Technology. National Voluntary Laboratory Accreditation Program (NVLAP). nist.gov/nvlap
  • National Institute of Standards and Technology (2025). NIST Special Publication 800-63, Revision 4 — Digital Identity Guidelines. pages.nist.gov/800-63-4
  • Busch, C. & Thieme, M. The ISO/IEC 30107-3 standard for testing of Presentation Attack Detection. International Biometric Performance Testing Conference, NIST. nist.gov

COPYRIGHT © 2026 IDENTY.IO
