Identity & AccessCyber SafetyPress Release

3DiVi Introduces Four-Layer Defence Strategy Against Face Biometric Attacks in 2FA, MFA Systems

Highlighting a Multi-Layered Defence Strategy to Make Fraud Difficult, Costly, and Ultimately Not Worthwhile

As face authentication becomes a standard for identity verification—from unlocking smartphones to enabling fast, secure logins and transactions across banking, FinTech, government services, healthcare, and more—the threat landscape is evolving just as rapidly. Fraudsters are increasingly targeting face-based two-factor (2FA) and multi-factor authentication (MFA) systems with spoofing attempts. To counter these risks, 3DiVi, an international computer vision developer, highlights a multi-layered defence strategy designed to make fraud difficult, costly, and ultimately not worthwhile.

It should be noted, though, that no single solution can stop every attack; the most effective protection comes from combining complementary countermeasures across four key categories:

1.  Presentation Attack Detection

Presentation Attack Detection (PAD) systems rely on Artificial Intelligence (AI) and Machine Learning (ML) to distinguish between a live person and a spoofed face to ensure authenticity.

Liveness Detection = Real vs. Fake

Liveness detection is a key component of PAD systems. It checks for human-specific traits, using various methods to verify that the person is alive. Active controls, such as asking the user to move their head or place an object in front of their face, help defeat static videos or deepfakes, making fraud much harder. Tracking eye movements adds another challenge for fraudsters, as these are impossible to replicate in a recording.

More Signals, More Accuracy

The more data the system has, the harder it is for fraud to slip through. By checking texture patterns to detect masks or analysing facial movements, PAD systems improve fraud detection accuracy without compromising user experience.

Hybrid Systems = Better Protection

While PAD is a widely used countermeasure, human oversight is still essential. In complex situations such as coercion, hybrid approaches combine AI-driven detection with human intervention to ensure the system responds appropriately. Regular updates to the system’s database are also crucial to adapt to new threats and verify the algorithm’s performance.

2.  Environmental Controls

In face authentication, what is around the face matters too. Environmental controls help secure the technology, devices, and conditions where identity verification happens—because attackers do not just go after faces, they go after weak setups.

High-Quality Media = High-Security Assurance

Low-quality photos and videos can obscure attack attempts, making it harder to detect fraud. By checking bandwidth and setting minimum quality standards, you ensure that the data captured for identity verification is crystal clear and fraud has nowhere to hide.

Dedicated Auth App + Phone Accelerometer

Auth apps check device integrity, prevent video injections, and ensure the authentication is happening live. Mobile devices can also have built-in sensors, such as accelerometers, to add one more layer of security by detecting any unusual movement or manipulation.

Metadata Does Not Lie

Lastly, fraudsters repeat what works. Track metadata such as IPs, geolocations, timestamps, and VPN usage to spot red flags before they become full-blown attacks.

3.  Organisational Controls

Following industry standards such as ISO/IEC 30107 for attack detection methods and ISO/IEC 27001 for information security management requirements keeps systems resilient against emerging threats.

  • Give Operators the Green Light to Intervene
  • Allow operators to suspend verifications if fraud is suspected.
  • Randomly assign them to verification tasks to reduce predictability.
  • Provide ongoing training on fraud detection and social engineering.
  • Monitor operator activity and ensure secure, organised workstations.
  • Reward operators who spot fraud.

Risk-Based Strategy

Adopting a risk-based approach helps organisations prioritise the most critical threats—both current and emerging. Governments and institutions can further strengthen this approach by offering external, impartial testing, such as the National Institute of Standards and Technology (NIST) for 2D facial recognition. However, the industry still lacks a standardised way to evaluate how well liveness detection stands up to real-world attacks such as photo and video injection. That is a blind spot worth addressing.

4.  Process Management

Remote authentication works best when performance is monitored, responsibilities are clear, and systems are tested as though they are under attack—because one day, they will be.

A “security by design” mindset ensures resilience from the ground up. Key measures include:

Supplementing Evidence: If facial data is not enough, allow fallback options such as utility bills or bank statements to resolve ambiguity without compromising security.

  • Clear Roles and Responsibilities: Everyone involved—users, operators, and service providers—should understand their duties and limits.
  • Real-Time Interaction: Use real-time interaction where trust matters most, but allow background checks to handle the rest efficiently.
  • Behavioural Checks: Look for signs of coercion or lack of understanding to confirm the user is acting voluntarily.
  • Session Recording: Capture and securely store video, audio, images, and metadata, following GDPR and privacy laws.
  • User Participation: Require applicants to speak or perform actions during verification for added assurance.
  • Randomisation: Include spontaneous actions such as turning the head to prevent scripted responses. Update these regularly to stay ahead of fraud tactics.
  • Breakthrough Tests: Simulate real-world attack scenarios to uncover weak spots—technical or human.

3DiVi Looks Ahead

“We’re committed to the idea that true security begins with a robust, multi-layered defence—built not on the client side, but deep within the core of the face authentication vendor’s technology stack,” the company explains. “Our 3DiVi BAF platform, for instance, combines NIST FRVT top-ranked face recognition with advanced liveness and deepfake detection, alongside real-time user session monitoring, providing strong anti-spoofing safeguards across industries.”

As face authentication becomes an essential component of digital security, organisations must acknowledge that no single countermeasure can fully prevent attacks. By categorising security measures and continuously adapting to emerging threats, businesses can develop resilient authentication systems that protect users, safeguard operations, and support scalable growth—while remaining compliant with global security standards.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *