What is iBeta Biometric Testing? A Complete Guide to Face Liveness Certification

When a bank asks you to take a selfie to verify your identity, how do they know you're really there — and not someone holding up a printed photo of your face? The answer lies in liveness detection technology, and the gold standard for testing it is iBeta certification. If you've ever wondered what those "iBeta Level 1 Certified" badges mean, this guide will explain everything.

What is iBeta?

iBeta Quality Assurance is a US-based software testing company and the world's leading independent biometric testing laboratory. They are:

• NIST NVLAP Accredited — The only biometrics testing lab accredited by the National Institute of Standards and Technology (NIST) under the National Voluntary Laboratory Accreditation Program
• FIDO Alliance Accredited — First lab accredited to conduct biometric evaluations for the FIDO Alliance Biometric Component Certification Program
• Android Security Partner — Recognized by Google for Android biometric testing

When a company claims their face recognition or liveness detection system is "iBeta certified," it means an independent, accredited laboratory has rigorously tested the system against standardized attacks and verified it meets international security standards.

What is PAD Testing?

PAD (Presentation Attack Detection) testing evaluates how well a biometric system can detect and reject fake biometric samples. For face recognition, this means testing whether the system can tell the difference between:

• A real, live person standing in front of the camera
• A spoofing attack using photos, videos, masks, or other artifacts

iBeta's PAD testing follows the ISO/IEC 30107-3 international standard, which defines:

• How to conduct presentation attack detection testing
• What types of attacks to test against
• How to measure and report results
• Criteria for passing or failing

How Face Liveness Testing Works

The Testing Process

1. Genuine Presentations (Bona Fide Tests)

• Real people present their faces to the system
• Tests normal usage scenarios
• Measures false rejection rate (BPCER)

2. Attack Presentations (Spoof Tests)

• Testers attempt to fool the system with fake faces
• Multiple attack types are tested
• Measures attack success rate (APCER)

3. Results Calculation

• APCER and BPCER are calculated for each attack type
• IAPMR (overall attack success rate) is computed
• System must achieve < 0.3% IAPMR to pass

4. Certification

• If the system passes, iBeta issues a confirmation letter
• Results are published on iBeta's website
• Company can claim "iBeta PAD Level X Certified"

PAD Testing Levels: Level 1 vs Level 2

iBeta offers two levels of PAD testing, each simulating different attacker capabilities:

Level 1 — Basic Attacks

Budget: $30 per attack artifact Time: All 150 attacks completed within 8 hours Equipment: Items readily available in home/office

Attack Types:

• Printed Photos: High-resolution photos printed on paper
• Paper Masks: Cut-out face photos with eye holes
• Screen Photos: Face displayed on phone/tablet/monitor
• Video Replay: Playing video of the target person

Who Needs Level 1:

• Apps requiring basic identity verification
• Low-risk transactions
• General consumer applications

Level 2 — Advanced Attacks

Budget: $300 per attack artifact Time: 48+ hours for artifact creation (6 subjects) Equipment: Specialized tools including 3D printers

Attack Types (includes all Level 1, plus):

• 3D Printed Masks: Custom-printed face replicas
• Latex Masks: Realistic flexible face masks
• Resin Masks: Detailed cast face replicas
• Silicone Masks: High-quality prosthetic-grade masks

Who Needs Level 2:

• Banking and financial services
• Government identity systems
• High-security access control
• Regulatory compliance requirements

Pass/Fail Criteria

To pass either level, the system must achieve:

• IAPMR (Impostor Attack Presentation Match Rate) < 0.3% — Less than 0.3% of attacks succeed
• BPCER (Bona Fide Presentation Classification Error Rate) < 15% — Less than 15% of real users rejected

Key Terms Explained (Jargon Buster)

1. Presentation Attack

What it is: Any attempt to interfere with a biometric system using fake or altered biometric samples.

Simple explanation: Trying to trick a face recognition system by presenting something other than your real, live face — like a photo, video, or mask of someone else.

Types of presentation attacks:

• Photo attacks: Printed or digital photos
• Video attacks: Recorded or live video playback
• Mask attacks: 2D paper masks or 3D physical masks
• Makeup attacks: Using cosmetics to alter appearance

2. Liveness Detection

What it is: Technology that determines whether a biometric sample comes from a living person present at the point of capture.

Simple explanation: The system checks if there's a real, live human in front of the camera — not a photo, video, or mask.

Two types:

• Active Liveness: User must perform actions (blink, smile, turn head)
• Passive Liveness: System detects liveness without user actions (what iApp uses)

3. APCER (Attack Presentation Classification Error Rate)

What it is: The percentage of attack presentations that are incorrectly classified as genuine.

Simple explanation: How often the system is fooled by fake faces. Lower is better.

Formula: APCER = (Number of successful attacks) / (Total attack attempts) × 100%

Example: If 3 out of 1,000 photo attacks succeed, APCER for photos = 0.3%

4. BPCER (Bona Fide Presentation Classification Error Rate)

What it is: The percentage of genuine presentations that are incorrectly rejected.

Simple explanation: How often the system rejects real users. Lower is better.

Formula: BPCER = (Rejected genuine attempts) / (Total genuine attempts) × 100%

Example: If 50 out of 1,000 real users are rejected, BPCER = 5%

5. IAPMR (Impostor Attack Presentation Match Rate)

What it is: The overall rate at which attack presentations are incorrectly accepted by the system across all attack types.

Simple explanation: The combined success rate of all spoofing attacks. This is the key metric for iBeta certification — must be below 0.3% to pass.

Why it matters: Even if a system blocks 99% of photo attacks but fails against video attacks, the overall IAPMR could still be high.

Why iBeta Certification Matters

1. Independent Verification

iBeta is an independent third party with no financial interest in the outcome. Their accreditation by NIST means their testing processes are audited and verified.

2. Standardized Testing

Following ISO/IEC 30107-3 ensures consistent, reproducible testing. You can compare different systems fairly because they're tested the same way.

3. Real-World Attack Simulation

iBeta testers use actual spoofing techniques that fraudsters might use. Passing means the system can defend against practical attacks.

4. Regulatory Compliance

Many industries require biometric systems to meet specific security standards:

• Banking: Know Your Customer (KYC) requirements
• Government: Identity document issuance
• Healthcare: Patient identity verification
• Finance: Anti-money laundering (AML) compliance

5. Trust & Credibility

The iBeta certification badge signals to customers that a system has been rigorously tested and meets international security standards.

What Problems Does iBeta Certification Solve?

Problem	Without Certification	With iBeta Certification
Photo attacks	May be fooled by printed photos	Verified to detect and reject
Video replay	Vulnerable to screen playback	Tested against video attacks
Mask attacks	Unknown resistance	Level 2 tests 3D/latex masks
Regulatory compliance	Difficult to prove security	Third-party verification
Customer trust	"We're secure" claims unverified	Independent lab certification
Fraud prevention	Unknown effectiveness	Quantified < 0.3% attack success

iApp Technology's iBeta Certification

iApp Technology's Face Passive Liveness Detection system has achieved iBeta PAD Level 1 certification, demonstrating:

Test Results

• 99.43% accuracy across 7,680 tests
• < 0.3% IAPMR — Passes ISO/IEC 30107-3 requirements
• Successfully detects printed photos, screen displays, paper masks, and video replays

What This Means for Users

• Bank-grade security for identity verification
• Passive detection — No need for users to blink or turn their head
• Fast processing — Results in under 0.4 seconds
• Internationally verified — Not just a self-claim

View the Certificate

View iApp's iBeta Certificate

How to Use iApp's iBeta-Certified Liveness Detection

Available APIs

Service	Description	Certification
Face Passive Liveness	Detects spoofing from a single photo	iBeta Level 1
Face Verification	Compares two faces for identity match	ISO 19795 compliant
Face Detection	Detects and locates faces in images	High accuracy

Example: Face Liveness Detection

import requests

def check_face_liveness(image_path, api_key):
    """
    Check if a face image is from a real person or a spoof attack.
    iBeta Level 1 certified accuracy.
    """
    response = requests.post(
        'https://api.iapp.co.th/v3/store/ekyc/face-passive-liveness',
        headers={'apikey': api_key},
        files={'file': open(image_path, 'rb')}
    )

    result = response.json()

    return {
        'is_real': result['predict'] == 'REAL',
        'is_spoof': result['predict'] == 'SPOOF',
        'confidence': result['score'],
        'processing_time': result['duration']
    }

# Example usage
result = check_face_liveness('selfie.jpg', 'YOUR_API_KEY')

if result['is_real']:
    print(f"✓ Real face detected (confidence: {result['confidence']:.2%})")
else:
    print(f"✗ Spoof detected! (confidence: {result['confidence']:.2%})")

Example: Complete eKYC Flow with Liveness

import requests

def verify_identity_with_liveness(id_card_image, selfie_image, api_key):
    """
    Complete eKYC verification:
    1. Extract data from ID card (OCR)
    2. Check selfie liveness (iBeta certified)
    3. Compare faces (verification)
    """

    # Step 1: OCR the ID card
    ocr_result = requests.post(
        'https://api.iapp.co.th/thai-national-id-ocr/v3',
        headers={'apikey': api_key},
        files={'file': open(id_card_image, 'rb')}
    ).json()

    # Step 2: Check liveness of selfie (iBeta Level 1 certified)
    liveness_result = requests.post(
        'https://api.iapp.co.th/v3/store/ekyc/face-passive-liveness',
        headers={'apikey': api_key},
        files={'file': open(selfie_image, 'rb')}
    ).json()

    if liveness_result['predict'] == 'SPOOF':
        return {'success': False, 'error': 'Spoof attack detected'}

    # Step 3: Compare ID photo with selfie
    verification_result = requests.post(
        'https://api.iapp.co.th/face-verification',
        headers={'apikey': api_key},
        files={
            'image1': open(id_card_image, 'rb'),
            'image2': open(selfie_image, 'rb')
        }
    ).json()

    return {
        'success': True,
        'person_name': ocr_result.get('name_th'),
        'id_number': ocr_result.get('id_number'),
        'face_match': verification_result.get('match'),
        'liveness_verified': True
    }

# Example usage
result = verify_identity_with_liveness(
    'thai_id_card.jpg',
    'live_selfie.jpg',
    'YOUR_API_KEY'
)
print(result)

Getting Started

For Business Users

Integrate iBeta-certified liveness detection into your applications:

1. Sign up: Get your API key
2. Choose your API: Face Passive Liveness for spoof detection
3. Integrate: Simple REST API works with any language
4. Deploy: Add security to your identity verification flow

Resources

1. API Documentation: Face Passive Liveness API
2. Face Verification: Face Verification API
3. Complete eKYC: eKYC Solutions
4. View Certificate: iBeta Confirmation Letter
5. Join Community: Discord

Conclusion

iBeta biometric testing is the gold standard for verifying face liveness detection systems. When you see "iBeta Level 1 Certified" or "iBeta Level 2 Certified," it means an independent, NIST-accredited laboratory has tested the system against real-world spoofing attacks and verified it meets international security standards (ISO/IEC 30107-3).

iApp Technology's Face Passive Liveness Detection has achieved iBeta PAD Level 1 certification, proving it can detect and reject photo attacks, video replays, paper masks, and screen displays with over 99% accuracy — giving your applications bank-grade security for identity verification.

Ready to add iBeta-certified liveness detection to your application? Sign up for free and start using our certified APIs today!

---

Questions? Join our Discord Community or email us at support@iapp.co.th.

iApp Technology Co., Ltd. Thailand's Leading AI Technology Company | iBeta PAD Level 1 Certified

---

Sources:

• iBeta Biometrics Testing
• ISO 30107-3 PAD Testing at iBeta
• iBeta PAD Spoofing Testing