Liveness Detection: Preventing Identity Spoofing with Face Verification Technology in Australia
What is liveness detection, ISO 30107-3, injection attacks, and Australian regulatory requirements (AUSTRAC, AML/CTF Act, Privacy Act 1988, ASIC). Compliance guide 2026.

Liveness detection is the technology that determines whether a face presented to a camera is a real, live person or a spoofing artefact: a printed photo, a video replay, a 3D mask, or a deepfake injected into the data stream. For Australian financial institutions subject to AUSTRAC supervision and AML/CTF Act obligations, liveness detection is the technical backbone of compliant remote identity verification.
Biometric liveness transactions are projected to exceed 50 billion annually by 2027, doubling from 2025 levels. Companies lost over $200 million to deepfake fraud in Q1 2025 alone, and injection attacks rose 40% year-on-year. Australia's rapid adoption of digital financial services (from neobanks to digital asset exchanges) makes robust liveness verification a regulatory necessity, not an optional enhancement.
For broader context on automated identity verification, see our guide to automated document verification. For sector trends, see our analysis of digital identity trends 2026.
What is liveness detection?
Liveness detection is an anti-spoofing layer that confirms a live human face is present before any biometric comparison. Without it, any facial recognition system is vulnerable to a high-quality photograph.
Active liveness detection asks the user to perform a real-time action: blink, turn their head, say a word. Vulnerability: modern deepfake tools synthesise facial movements in real time. First-attempt rejection rates reach 35% in unguided flows.
Passive liveness detection requires no user action. The system silently analyses skin micro-texture, specular light reflections, 3D depth cues, and remote photoplethysmography (rPPG). Leading implementations operate in under 300 milliseconds.
Passive liveness is now the industry standard for high-volume consumer KYC. One enterprise implementation documented an 80% reduction in onboarding time and a 65% drop in fraud after switching from active to passive.
The emerging best practice is a hybrid approach: passive screening for all users, active challenge only for elevated risk signals.
The attack landscape
Presentation attacks
| Attack type | Sophistication | Detection method |
|---|---|---|
| Printed photograph | Low | 2D texture analysis |
| Screen display (phone/tablet) | Low–moderate | Moiré pattern, LCD glare |
| Video replay | Moderate | Motion analysis, liveness probe |
| Rigid 3D mask | High | Depth mapping, IR analysis |
| Hyper-realistic articulated mask | Very high | ISO 30107-3 Level 3 |
Injection attacks: the critical blind spot
Injection attacks bypass the camera entirely. A deepfake is fed directly into the data pipeline. A system can be fully ISO 30107-3 certified and remain 100% vulnerable to injection attacks. ROC.ai tracked 8,065 injection attempts against a single financial institution in 8 months (2025). Effective protection requires PAD at the sensor level plus IAD (Injection Attack Detection) at the pipeline level.
ISO 30107-3: the global benchmark
ISO/IEC 30107-3 is the international standard for Presentation Attack Detection (PAD), tested by iBeta Quality Assurance (NIST-accredited):
| Level | Attacker preparation | Material cost | Max penetration (APCER) | Max false rejection (BPCER) |
|---|---|---|---|---|
| L1 | 8 hours | ~$30 | 0% | ≤15% |
| L2 | 2–4 days | ~$300 | ≤1% | ≤15% |
| L3 | 7 days | Uncapped | ≤5% | ≤10% |
A BPCER of 0.8% = 8,000 legitimate users rejected per million verifications. In January 2026, Yoti achieved iBeta L3, the first company globally to do so (Biometric Update, January 2026). Always demand confirmation letters from ibeta.com.
Australian regulatory requirements
AUSTRAC and the AML/CTF Act 2006
AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's anti-money laundering and counter-terrorism financing regulator. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and its Rules impose Know Your Customer (KYC) obligations on reporting entities, including banks, digital currency exchanges, remittance providers, and designated non-financial businesses.
AUSTRAC's guidance on digital onboarding recognises biometric liveness-verified selfie combined with electronic identity document verification as a compliant method for the customer identification procedures required under the AML/CTF Act. The 2024 amendments to the AML/CTF Act, extending obligations to professional service providers (lawyers, accountants, real estate agents) from March 2026, significantly increase demand for remote identity verification solutions.
ASIC (Australian Securities and Investments Commission) supervises financial services firms and has published updated guidance on digital financial services onboarding that references liveness verification as an acceptable component of KYC for AFS licensees. ASIC's company extract serves as the primary company identification document equivalent to Companies House in the UK.
Privacy Act 1988 and the Australian Privacy Principles (APPs)
Facial biometrics are sensitive information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The OAIC (Office of the Australian Information Commissioner) is the privacy regulator.
APP 3 (Collection of solicited personal information) requires that biometric data is collected only when reasonably necessary. APP 6 restricts use and disclosure beyond the original purpose. APP 11 requires reasonable security measures, including destruction of personal information when no longer needed for its purpose.
The Privacy Act reforms progressed by the Attorney-General's Department in 2024 propose strengthening protections for biometric data, aligning more closely with GDPR-style requirements including mandatory data breach notifications and enhanced consent requirements. Zero-retention of biometric templates after verification is best practice and may become mandatory under reformed legislation.
Key Australian identity documents: Australian passport, state/territory driver's licence (issued by state road authorities), and ImmiCard for non-citizens. The Tax File Number (TFN) is the key individual tax identifier, issued by the ATO, functionally equivalent to the UK National Insurance number. For entities, the ABN (Australian Business Number) is the primary identifier, issued by the ATO via the ABR.
eIDAS 2.0 cross-border context
Australian companies with EU operations must understand eIDAS 2.0 liveness requirements. Technical standard ETSI TS 119 461 v2 (February 2025) governs EU identity proofing. Australian companies accepting EU-issued EUDI Wallets as identity proof must ensure their liveness implementation meets ETSI TS 119 461 v2 requirements.
Common failure modes in Australian deployments
Lighting remains the top cause of false rejections. Back-lit environments (common in Australian offices with strong natural light) overexpose faces and distort texture analysis. Well-designed interfaces display a real-time lighting indicator.
Device variability affects rural and regional users on older budget devices with lower-quality front cameras. This disproportionately impacts remote communities and has inclusivity implications relevant to banks' obligations under the Australian Bankers' Association's Banking Code.
Active liveness confusion affects users from non-English-speaking backgrounds, who make up a significant proportion of Australia's population. First-attempt rejection rates reach 35% in unguided flows. Passive liveness eliminates this failure category.
Conversion impact: the biometric verification step causes 10–15% abandonment. Complete KYC flow drop-off reaches 40–68% without optimisation.
Integrating liveness detection into an Australian KYC process
An AML/CTF Act-compliant remote onboarding flow combines three layers:
- Document verification: OCR and validation of Australian passport, state/territory driver's licence, or ImmiCard; cross-reference with VEVO for visa entitlement verification
- Liveness detection + facial matching: PAD + IAD at sensor and pipeline levels; facial comparison between document and live face
- Regulatory screening: AUSTRAC watchlists, OFAC SDN lists, UN sanctions, PEP screening, adverse media
Session binding is critical: systems must verify that liveness check and document capture belong to the same session to prevent split-session deepfake attacks.
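The session-binding check described above, sketched as an added example (not CheckFile's code or any vendor's API). The receipt format, `SERVER_KEY`, the 5-minute `SESSION_TTL` and all function names are assumptions made for illustration, and the sample payloads are constructed.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the backend
SESSION_TTL = 300                     # assumption: 5-minute onboarding window (seconds)

def _tag(session_id, step, digest, ts):
    """MAC over everything that ties a capture to one session and one step."""
    msg = "|".join([session_id, step, digest, str(ts)]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def new_session():
    return {"id": secrets.token_hex(16), "started": int(time.time())}

def receipt(session, step, payload, now=None):
    """Issued server-side when a capture (document image or selfie) arrives."""
    ts = int(time.time()) if now is None else now
    digest = hashlib.sha256(payload).hexdigest()
    return {"session_id": session["id"], "step": step, "digest": digest,
            "ts": ts, "tag": _tag(session["id"], step, digest, ts)}

def verify_binding(session, doc, live):
    """Accept only if both receipts are authentic and belong to `session`."""
    for r, step in ((doc, "document"), (live, "liveness")):
        expected = _tag(r["session_id"], r["step"], r["digest"], r["ts"])
        if not hmac.compare_digest(expected, r["tag"]):
            return False, f"{step}: receipt tag invalid"
        if r["step"] != step:
            return False, f"{step}: wrong step in receipt"
        if r["session_id"] != session["id"]:
            return False, f"{step}: receipt belongs to another session"
        if not 0 <= r["ts"] - session["started"] <= SESSION_TTL:
            return False, f"{step}: outside session window"
    return True, "bound"

if __name__ == "__main__":
    a, b = new_session(), new_session()
    doc_a = receipt(a, "document", b"constructed-document-bytes")
    live_b = receipt(b, "liveness", b"constructed-selfie-bytes")
    print(verify_binding(a, doc_a, live_b))  # split-session submission is rejected
```

Because the tag covers the session ID, rewriting the ID on a receipt taken from another session invalidates the tag, so the decision step fails closed on both mismatched and tampered receipts.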
CheckFile integrates all three layers in a single EU-hosted platform, ISO 27001 certified, with configurable Privacy Act 1988/APPs data handling. See our security page and pricing. For the broader automation framework, see our guide to automated verification.
Selecting a liveness detection solution for Australian compliance
| Criterion | Minimum | Recommended for Australia |
|---|---|---|
| ISO 30107-3 certification | L1 | L2 for regulated onboarding |
| Injection attack protection | Not in ISO scope | IAD layer integrated |
| BPCER (false rejection rate) | < 2% | < 0.5% |
| Latency | < 3 seconds | < 500ms (passive mode) |
| Privacy Act/APP compliance | Mandatory | Zero-retention, documented APP 3/11 basis |
| Data residency | Australia or EU | Australian residency for regulated data |
FAQ
What is liveness detection?
Liveness detection is an anti-spoofing technology that verifies a live human face is present during identity verification, not a photograph, video replay, mask, or injected deepfake. It operates before facial recognition comparison and is a recognised component of compliant KYC under the Australian AML/CTF Act.
Does AUSTRAC require liveness detection?
AUSTRAC does not mandate a specific technology, but its guidance on digital onboarding recognises biometric liveness-verified selfie combined with document verification as a compliant method for customer identification procedures. The 2024 AML/CTF Act amendments expanding obligations to professional service providers increase demand for compliant remote verification.
Does liveness detection violate the Australian Privacy Act?
Not if implemented correctly. The Privacy Act 1988 and APPs require consent, purpose limitation, and data minimisation. Zero-retention of biometric templates after verification significantly reduces privacy exposure. Privacy impact assessments are recommended before deployment, and may be mandatory under the proposed Privacy Act reforms.
What is face liveness detection?
Face liveness detection and liveness detection refer to the same technology: an anti-spoofing check applied to facial biometrics, confirming the face belongs to a live person rather than a spoofing artefact.
What is the difference between active and passive liveness detection?
Active liveness asks the user to perform a real-time action (blink, turn head). Passive liveness analyses the face silently, with no user action required. Passive is faster (under 300ms), causes significantly less abandonment, and is the industry standard for consumer-facing KYC in Australian fintech and banking deployments.