Passive liveness detection explained
Passive liveness detection confirms a real, live person is in front of the camera from a single selfie, without asking them to blink or turn their head. It is the low-friction baseline control that lets genuine customers through in seconds while keeping printed photos, screen replays, masks, and injected video out.
Passive liveness detection is the control that confirms a live human is present at onboarding without asking the user to do anything. It is one layer of a broader defence covered in our deepfake detection in KYC guide, and it is the one most directly responsible for keeping onboarding fast. This explainer defines it, contrasts it with active liveness, sets out what it defends against, and explains how it is measured.
What is passive liveness detection?
Liveness detection answers a single question: is the face in front of the camera a real, live person, or a representation of one? Passive liveness answers it from a captured frame alone. The user takes a selfie, and the system analyses that image for the artefacts that distinguish a genuine live capture from a spoof, with no prompts, gestures, or challenges. From the customer's point of view there is no liveness step at all, which is exactly the point.
Passive vs active liveness
Active liveness asks the user to perform an action and infers liveness from the response. Common prompts include blinking, smiling, turning the head, or following a moving target. The action provides a signal, but it also adds friction, can confuse or exclude some users, and gives a determined attacker a known script to prepare against.
Passive liveness removes the prompt. Because there is nothing for the user to do, completion rates stay high, and because there is no scripted challenge, the attacker has less to rehearse. The trade-off is that passive detection has to do more analytical work on less explicit signal, which is why quality varies between vendors. In practice, strong stacks default to passive for the genuine-customer path and reserve active or step-up checks for sessions that already look risky, applying friction only where it is earned.
What passive liveness defends against
The primary target is the presentation attack: a fake shown to the camera. That includes a printed photograph, a photo or video replayed on a screen, a physical or digital mask, and a looped or pre-recorded video held up to the lens. In all of these the camera captures a real scene, but the contents of that scene are a representation rather than a live person, and passive liveness is the control trained to tell the difference.
There is a second, distinct threat that liveness alone does not fully address: the injection attack, where a synthetic feed is fed directly into the capture pipeline, bypassing the physical camera. Defending against injection requires checking the integrity of the capture itself, which is why a complete stack pairs passive liveness with dedicated injection-attack detection rather than relying on liveness in isolation. The distinction between presentation and injection is the single most important idea in this space, and we cover it in full in the deepfake detection guide.
How liveness detection is measured
Buyers should not take liveness quality on faith. Two public references matter. The ISO/IEC 30107 standard defines how presentation-attack detection is tested and reported, and is the common language for evaluating a liveness system. The NIST face recognition evaluation program benchmarks face-matching performance, which is the adjacent capability that confirms the live face matches the identity document.
A word of caution applies here. These frameworks provide a way to assess a vendor, but a vendor mentioning a standard is not the same as a vendor having been independently tested against it. Ask exactly what testing has been performed, by whom, and with what result, and treat alignment with a benchmark as a claim to verify rather than a certification to assume. BriteBase describes its face matching as engineered against these public benchmarks for this reason: the honest framing is alignment, not a certificate the firm does not hold.
Where passive liveness fits in the onboarding flow
Passive liveness sits at the very front of identity verification, at the moment of capture. The flow is straightforward: the customer takes a selfie, passive liveness confirms a live person, deepfake and injection detection screen out synthetic and injected media, document verification reads and cross-checks the identity document against the selfie, and screening clears the verified identity. Liveness is the first gate, and because it is passive, the genuine customer never feels it. The full picture of how these layers combine into a verification stack is on the identity verification software page.
FAQ
What is passive liveness detection?
Passive liveness detection confirms that a live person is in front of the camera by analysing a captured frame for the signs of a fake, without asking the user to perform any action. The user simply takes a selfie; the system decides whether it is a real, present human or a presentation or injection attack. Because it adds no steps, it protects onboarding conversion while defending against spoofing.
What is the difference between active and passive liveness?
Active liveness asks the user to do something, such as blink, smile, or turn their head, and infers liveness from the response. Passive liveness analyses a single captured frame without any user action. Passive is lower friction and harder for an attacker to script against, while active adds steps that can reduce completion rates. Many strong stacks default to passive and reserve active or step-up checks for risky sessions.
What attacks does passive liveness stop?
Passive liveness targets presentation attacks, where a fake is shown to the camera, such as a printed photo, a screen replay, a mask, or a looped video. Paired with injection-attack detection, it also helps defend against feeds injected directly into the capture pipeline. It is the baseline control that confirms a real human is present before identity is trusted.
How is liveness detection measured?
Liveness and presentation-attack detection are evaluated against public frameworks, most notably the ISO/IEC 30107 standard for presentation attack detection, and face-matching performance is benchmarked through the NIST face recognition evaluation program. These provide a common reference for assessing a vendor, but a buyer should confirm exactly what testing a vendor has undergone rather than assuming a certification.
Does passive liveness hurt onboarding conversion?
No, and that is its main advantage. Because the genuine customer only takes a selfie and is not asked to perform actions, passive liveness keeps onboarding fast and reduces drop-off compared with active checks. Risk-based step-up can be reserved for sessions that show warning signs, so friction is applied only where it is warranted.
Is liveness detection required for FINTRAC compliance?
FINTRAC does not mandate liveness detection by name, but Bill C-12 requires every compliance program to be reasonably designed, risk-based, and effective. For a firm that verifies identity remotely, liveness is a core part of showing that onboarding genuinely confirms a real person, which supports the case that the program is effective.
Sources
See passive liveness on a real onboarding flow.
Book a demo and we'll show you how BriteBase confirms a live person in seconds and logs it as examiner-ready evidence. No retainers. No hourly rates.