Attacks and Vulnerabilities
Helping manage risk in biometric systems through assessing vulnerability to attack.
BixeLab provides independent testing and evaluation of vulnerabilities of biometric systems to presentation and injection attacks, according to international standards and frameworks.
Our services assess both capture device and algorithmic defences against such attacks, in alignment with a range of relevant standards and framework requirements, and across all biometric modalities.
What Are Biometric Vulnerabilities?
Separate from their performance characteristics, such as accept and reject rates, biometric systems can be vulnerable to attacks in which a person tries to present another person's biometric data as their own. Two of the most significant areas of vulnerability are presentation attacks and injection attacks. Such attacks can occur at biometric enrolment, biometric verification, or both.
Presentation Attacks
Presentation attacks involve a person attempting to show, play, or present biometrics from a different person to the biometric sensor. This might be a silicone copy of a finger for a fingerprint reader, a deepfake video of a person’s face shown on a tablet device for a face recognition eIDV system, a replayed recording of someone speaking for voice biometrics, or any of several other examples.
Injection Attacks
Injection attacks use specifically digital attack mechanisms: the aim is to get digital material into the biometric system without it passing through the intended sensor, by injecting it into the system somehow. Such attacks are often harder to mount, because of the need to bypass the intended sensor; however, they can also be harder to detect.
Most biometric systems include detection methods for presentation attacks, and injection attack detection is increasing in importance, especially in remote eIDV applications such as those used in customer onboarding processes.
Other classes of attacks include morphing the attributes of several people together, usually to attempt to confuse a biometric system into misrecognising multiple people as one.
Benefits of Testing for Vulnerabilities

Operational Readiness
Ensure systems function properly in the actual environments where they are deployed.

Regulatory Assurance
Meet technical standards and framework requirements for resistance to attack in key use scenarios.

Build Public Confidence
Deliver public services with independent assurance that identity is being securely managed.
What Can Be Tested for Vulnerabilities?
All biometric modes, and document capture processes
All capture mechanisms, especially when done remotely and unsupervised
Device impacts on vulnerability detection – whether specific devices exhibit undesirable capture properties (especially where these are user-provided)
Interaction with demographic characteristics – sometimes, these impact performance of detection techniques
Capability of human identity resolution personnel in detecting attacks, for certain modes
Conformance to ISO/IEC 30107-3 testing standards
Our Capabilities
As one of only three NVLAP (Lab Code: 600301-0) accredited laboratories in the world, BixeLab offers trusted expertise in real-world testing and assurance relating to vulnerabilities in biometric systems.
Our services include:
- Environmental and field testing of biometric access devices
- Spoofing resistance and liveness validation / Presentation Attack Detection
- Injection Attack Detection
- Throughput and user experience assessment
- Advisory on deployment strategies and failure mitigation
- Risk assessment for mission-critical systems
- Many attack types – simple copies, deepfakes, morphs, synthetic body parts, etc.
- Template Protection testing
- Training support via BixeAcademy
Why Choose BixeLab?
Q: Can you simulate real-world environments for testing?
Yes. We conduct laboratory and field testing under variable lighting, temperature, and usage scenarios to match your deployment conditions.
Q: Can you test for AI-generated attacks?
Of course. Especially for digital services applications, deepfake media attacks on face and voice systems are of significant importance and part of BixeLab’s typical testing regime.
Q: What types of clients use this service?
Government border agencies, retailers, police agencies, digital identity users, critical infrastructure operators, and system integrators rely on our assurance services.