This paper provides an interpretive overview of ISO/IEC 30107-3 Level 3 Presentation Attack Detection (PAD) evaluations. It is intended to support assurance, governance, procurement, and regulatory stakeholders in understanding how Level 3 PAD results should be interpreted and used.
ISO/IEC 30107-3 Level 3 PAD evaluations are increasingly referenced in procurement, assurance, and regulatory contexts. As adoption increases, results are often compared, summarised, or communicated outside the conditions under which they were generated. Clear interpretation of Level 3 evidence is therefore necessary to ensure that testing outcomes are used appropriately and in line with the standard’s intent.
Level 3 testing documents how a biometric system responds when realistic and higher effort spoofing attempts are used, based on a structured and repeatable testing process.
Presentation Attack Detection (PAD) testing under the ISO/IEC 30107 series examines system behaviour at the point of biometric capture, where artefacts or altered biometric characteristics are presented with the intent to interfere with normal system operation. The standard provides a common framework for defining attack types, structuring evaluations, and reporting results in a way that supports assurance, governance, and risk-informed decision-making.
The above laboratory demonstration video illustrates elements of BixeLab’s PAD testing environment, including representative mounting, capture instrumentation, and AI-based workflows. The video is illustrative only and does not represent test results, system performance, or resistance to all attack types.
What Level 3 represents
Under ISO/IEC 30107-3, Level 3 evaluations are conducted using attack instruments that reflect increased attacker effort, skill, and resources. These instruments are deliberately constructed and presented to explore how the evaluated implementation behaves when faced with higher-potential attack scenarios.
The outputs of a Level 3 evaluation consist of PAD performance metrics, including Attack Presentation Classification Error Rate (APCER) and Bona Fide Presentation Classification Error Rate (BPCER), derived from a documented test approach, a fixed decision policy, and a clearly defined set of presentation attack instruments.
These results describe observed system behaviour for the evaluated configuration and attack set.
What the results provide
Level 3 PAD results provide a measurable characterisation of system behaviour within a defined threat envelope. They make explicit how a system responded to the selected attack instruments and how often bona fide users were impacted under the same test conditions.
In line with ISO/IEC 30107-3, these results are bounded by the specific attack instruments, test approach, and implementation under test. This structure supports clear interpretation of outcomes and their appropriate use in assurance, procurement, and governance contexts.
Position within the broader biometric risk lifecycle
ISO/IEC 30107 focuses on presentation attacks that occur during biometric capture. ISO/IEC 20059 extends lifecycle coverage by defining methodologies for evaluating resistance to morphing attacks during enrolment, where manipulated biometric images may be submitted to support multiple-identity attacks.
ISO/IEC 20059 introduces Morphing Attack Potential (MAP) to characterise the feasibility and impact of morphing attacks within defined issuance or registration scenarios. Used together, ISO/IEC 30107-3 and ISO/IEC 20059 support a layered understanding of biometric risk across both enrolment and presentation stages of an identity system.
Case study: Level 3 PAD evaluation in practice (FaceTec)
In October 2025 BixeLab conducted an ISO/IEC 30107-3 Level 3 PAD evaluation of the FaceTec Mobile and Web SDK implementations. The evaluation applied a defined set of Level 3 presentation attack instrument species under controlled laboratory conditions, using a documented decision policy and test approach aligned with ISO/IEC 30107-3 reporting requirements.
The assessment produced transaction-level and user-level PAD metrics and documented system behaviour across both attack and bona fide presentations. The resulting evidence provided a structured, standards-aligned characterisation of PAD performance for the evaluated configurations, suitable for assurance, governance, and technical risk discussions.
Case study: PAD evaluation across multiple assurance levels (Aware)
BixeLab has conducted multiple ISO/IEC 30107-3 PAD evaluations for Aware, spanning different evaluation levels and deployment contexts.
These evaluations examined the behaviour of Aware’s face-based PAD implementation under test conditions with increasing attack potential, using defined presentation attack instrument species and documented decision policies aligned with ISO/IEC 30107-3 reporting requirements.
Earlier evaluations focused on lower-effort presentation attacks representative of common spoofing techniques, producing metrics that characterise baseline PAD behaviour and usability impacts under controlled conditions. Subsequent evaluations extended coverage to broader attack instrument sets and increased test depth, supporting a more comprehensive understanding of PAD behaviour across realistic operational scenarios.
Together, these assessments illustrate how ISO/IEC 30107-3 evaluations can be applied iteratively to build assurance over time, with each evaluation level contributing a distinct and interpretable view of system behaviour within its defined scope.
When Level 3 evidence is typically sought
ISO/IEC 30107-3 Level 3 evaluations are typically commissioned where organisations require formally documented evidence of biometric system behaviour against higher-potential presentation attacks. Common drivers include internal assurance programs, ecosystem or partner review, regulatory engagement, and risk-informed procurement.
Effective Level 3 evaluations are shaped by careful scoping. Early alignment on threat assumptions, presentation attack instrument relevance, test constraints, and evidence expectations enables ISO/IEC 30107-3 to deliver interpretable and use-context-appropriate outcomes.
About the authors and evaluation context
BixeLab is an independent, accredited biometric testing laboratory conducting evaluations aligned with international standards, including ISO/IEC 30107-3 and ISO/IEC 20059. The case studies referenced in this paper are drawn from completed ISO/IEC 30107-3 evaluations conducted under accredited quality management systems.
Stay Connnected
This paper is provided as a standards interpretation and assurance reference. For further information on ISO/IEC 30107-3 Level 3 PAD evaluations, contact info@bixelab.com.