Facial Recognition SDK

Modern digital onboarding is under pressure. Fraud attacks are no longer limited to basic spoofing—they now include deepfakes, synthetic identities, and camera injection techniques that bypass traditional verification systems. At the same time, users expect instant, frictionless experiences. This creates a critical challenge for CTOs: how to strengthen identity verification without damaging conversion rates or increasing infrastructure complexity.

Our Facial Recognition & KYC SDK is built to solve exactly that. By combining passive liveness detection, on-device processing, and automated eKYC workflows, it prevents sophisticated fraud at the edge—before it ever reaches your backend systems.

More importantly, it operates as part of a multi-modal biometric platform, enabling seamless integration with fingerprint and palm recognition, as well as advanced anti-deepfake protection and ABIS capabilities for large-scale identity orchestration.

The result is a secure, scalable, and compliance-ready identity layer that operates silently, without adding friction to the user journey.

Defeating Modern Fraud: ISO 30107-3 Passive Liveness

Fraud has evolved—and so must your defenses. Static image checks and active liveness prompts are no longer sufficient against today’s attack vectors. Deepfake videos, emulators, and virtual camera injections can replicate human behavior convincingly enough to fool legacy systems. This SDK integrates ISO 30107-3 compliant passive liveness detection, designed to operate invisibly during the capture process. Instead of requiring the user to blink, move, or follow instructions, the system analyzes:

Micro-texture variations in the skin
Light reflection patterns across facial surfaces
Subtle involuntary movements and depth cues

These signals are processed in real time to determine whether the input is a genuine human presence or a synthetic attempt. Crucially, this approach is resistant to:

Deepfake video overlays
Screen replay attacks
Virtual camera injection
3D masks and high-resolution spoofs

This forms the foundation of a robust anti-deepfake layer, capable of detecting increasingly sophisticated synthetic identity attacks without introducing friction into the user flow. Because the detection runs passively, it eliminates user friction while significantly increasing security. There are no delays, no prompts, and no behavioral steps that could lead to abandonment. Deepfake detection, injection attack prevention, and passive PAD are built-in feature layers within the Face SDK. This defense-in-depth architecture ensures that each integrated capability catches attacks the others might miss, providing a unified shield rather than a collection of standalone modules.

Virtual camera injection: stopping attacks at the source

Defeating a spoofed face is only half the problem. Modern attackers don’t always try to fool the camera — they bypass it entirely.

Injection attacks work by intercepting the video stream between the physical camera and your verification system, replacing the real feed with a pre-recorded or synthetic video routed through virtual camera software. No mask required. No printed photo. The attacker sits at a keyboard and injects a deepfake or synthetic identity directly into your capture pipeline — often invisibly, at scale.

This is why liveness detection alone isn’t enough. If the input has already been tampered with before it reaches the liveness engine, even a perfectly calibrated PAD system can be defeated.

Face SDK addresses this at the capture layer. Before any liveness or matching analysis runs, the SDK validates the integrity of the camera, the device environment, and the code execution context — confirming that the video stream originates from a genuine device camera and has not been intercepted or substituted. Emulators, virtual cameras, and runtime manipulation are detected and blocked at the point of capture.

The result is a verification pipeline where both the content (what the face looks like) and the delivery mechanism (how that video reached your system) are independently validated.

Passive PAD, injection attack prevention, and deepfake detection operate as independent layers within the Face SDK — a defense-in-depth architecture where each layer is designed to catch attacks the others might miss.

Independent validation - what the results actually show

Face SDK is not validated internally — it is validated by independent, accredited institutions under adversarial conditions. This distinction is critical for technology leaders evaluating biometric vendors: in this space, claims are easy to make, but third-party validation is what defines credibility.

The solution holds ISO/IEC 30107-3 Level 1 and Level 2 PAD certifications from iBeta Quality Assurance, a FIDO-accredited laboratory — widely recognized as the most rigorous independent face liveness certification standard available commercially. It has also been evaluated by DHS Science & Technology at the Maryland Test Facility as part of RIVR 2025, the U.S. government’s benchmark program for remote identity validation systems. Two independent programs, two different frameworks, consistent results.

These certifications are not procedural milestones — they are high-bar entry points. Achieving ISO 30107-3 Level 2 requires sustained investment in R&D, exposure to adversarial testing environments, and the ability to perform under controlled attack scenarios designed specifically to break the system. Very few vendors reach this level; fewer still maintain performance across multiple independent frameworks.

RIVR 2025 extends this validation into real-world conditions. Run by DHS S&T, it evaluates not only attack detection, but also transaction speed and user experience — a combination rarely measured together. Face SDK was the only system across all evaluated vendors to reject every attack across all attack classes, on both iOS and Android, while simultaneously achieving the fastest transaction times and the highest user satisfaction scores in the program.

In practice, being certified by ISO, evaluated by DHS, and validated by FIDO-accredited laboratories is not just a technical achievement — it signals that the technology operates within the same tier as the most advanced systems in the market. It is a proxy for maturity, investment, and proven resilience under independent scrutiny.

Seamless eKYC Integration: ISO/IEC 19794-5 standards

Identity verification is not just about detecting fraud—it’s about ensuring data quality and interoperability across systems. Poor image capture, inconsistent formats, and manual review processes often create bottlenecks that slow down onboarding and increase operational costs. The SDK addresses this with full alignment to ISO/IEC 19794-5, the international standard for facial image data used in eKYC and identity documents. This enables:

Automated face capture optimization: real-time guidance ensures proper framing, lighting, and positioning
Advanced quality checks: detection of occlusions (e.g., glasses, masks), pose deviations, and geometric inconsistencies
Standardized output formats: ready for integration with government databases, identity providers, and verification services

All validation occurs instantly on the device, allowing you to reject low-quality inputs before they enter your system. This reduces manual review rates and accelerates onboarding flows. Additionally, the SDK integrates seamlessly with ABIS systems for large-scale identification (1:N), enabling deduplication, identity matching, and watchlist screening across millions of records. For CTOs, this means faster deployment, fewer edge cases, and a consistent identity layer that integrates cleanly with existing KYC/AML pipelines.

Global compliance without data exposure

Regulatory pressure is increasing across all sectors handling identity data. From GDPR in Europe to evolving AML/KYC frameworks globally, organizations are expected to protect user data while maintaining auditability and trust. Traditional biometric systems rely heavily on server-side processing, which introduces risks:

Transmission of sensitive biometric data over networks
Storage of personally identifiable information (PII) in centralized systems
Increased compliance burden and attack surface

Face SDK takes a different approach. Biometric processing occurs on-device wherever possible, with no requirement to send raw biometric data to the cloud. Matching, liveness detection, and fraud analysis run at the point of capture. Backend components handle session coordination and management — they do not store raw facial images. This architecture ensures that:

Biometric data never leaves the device
No raw facial images are stored in the cloud
GDPR and privacy-by-design principles are inherently enforced

By minimizing data exposure, you reduce both regulatory risk and infrastructure costs. There is no need for heavy backend processing or complex data protection layers, as the most sensitive operations are handled locally. This approach also strengthens the overall anti-deepfake strategy, as threats are detected at the point of capture—before they propagate through your systems.

Built for scale, designed for trust

This Facial Recognition & KYC SDK is engineered for organizations that cannot afford trade-offs between security, compliance, and user experience. It enables:

Real-time fraud prevention at the edge
Frictionless onboarding with higher conversion rates
Simplified compliance across multiple jurisdictions
Reduced operational overhead and infrastructure costs

Within Identy.io’s multi-modal biometric architecture, Face SDK acts as a core layer designed to work within the same mobile biometric stack as Finger SDK and Palm SDK, and to feed directly into Identy.io ABIS for large-scale 1:N identification workflows.

When extended with ABIS and advanced anti-deepfake capabilities, the platform supports both verification (1:1) and identification (1:N) use cases at scale—making it suitable for everything from fintech onboarding to national identity systems.

For CTOs in fintech, banking, and telecom, this is not just an upgrade—it’s a strategic shift toward a more resilient, privacy-first identity architecture.

If your current system is struggling to keep up with modern fraud or regulatory demands, it may be time to move verification closer to where it matters most: the user’s device.