Level 3 biometric PAD tests are spiking, BixeLab offers guidance on interpretation

Level 3 evaluations of biometric presentation attack detection (PAD) technologies based on ISO/IEC 30107-3 are a relatively new development in the field, but their practical value is in catching attacks that organizations are already experiencing. This makes understanding the results of those tests and what they mean important, and a new paper published by BixeLab aims to help.

References to Level 3 PAD testing are showing up in discussions and documents related to procurement, certification and regulatory compliance. Biometrics providers appear to be paying increased attention to the details of how these evaluations are conducted, how to communicate about them and how to compare results.

The post on BixeLab’s website provides guidance on how to interpret Level 3 PAD tests, and governance considerations for organizations selling and deploying software for biometric liveness detection.

“As adoption increases, results are often compared, summarised, or communicated outside the conditions under which they were generated,” BixeLab explains in the post. “Clear interpretation of Level 3 evidence is therefore necessary to ensure that testing outcomes are used appropriately and in line with the standard’s intent.”

The test is undertaken according to a documented approach, a fixed policy on transaction decisions and a clearly defined set of presentation attack instruments. The results include an Attack Presentation Classification Error Rate (APCER) and Bona Fide Presentation Classification Error Rate (BPCER) representing the security and useability of the technology, respectively.

The specified presentation attack instruments, approach and implementation being tested provide the bounding for clear interpretation of the results, BixeLab explains.

The post goes on to place ISO 30107 in the context of the broader biometric risk lifecycle. ISO/IEC 20059 defines methodologies for assessing resistance to face morphing attacks during biometrics enrollment. This standard introduces the concept of Morphing Attack Potential (MAP) for explaining attack feasibility and potential impact.

The paper concludes by presenting BixeLab’s recent Level 3 evaluations of FaceTec and Aware as case studies. BixeLab also evaluated FaceTec’s biometric injection attack detection (IAD) when it tested the company to Level 3 in 2025, while Aware’s successful evaluation shows how assurance is built over time with iterative evaluations, according to BixeLab.

Article Topics

biometric liveness detection  |  biometric testing  |  biometrics  |  BixeLab  |  face biometrics  |  ISO/IEC 30107-3  |  Level 3 PAD testing  |  presentation attack detection