Biometric face morph attack detection breakthroughs offer border security hope

Morphing attack detection (MAD) was a major theme of the European Association for Biometrics’ (EAB’s) workshop on live enrollment last year, and as AI makes sophisticated biometric spoof attacks more inexpensive and widely available, the subject has graduated to a full multi-day examination.

Dr. Annalisa Franco of Italy’s University of Bologna hosted the first half of a two-day workshop on the state of the art and outlook for biometric face morphing on Tuesday.

Morphs and facial recognition improve with training, but not border guards

Face morphing attack image creation has evolved from landmark warping to diffusion synthesis, Kiran Raja of the Norwegian University of Science and Technology (NTNU) explained to open the workshop.

Landmark-based approaches using Delaunay Triangulation and Affine transformations can leave behind artifacts that are visible on close inspection. Post-processing can clean these up, but only to a certain extent. GANs have similar drawbacks, but Raja and his research associates have found that attackers can use diffusion models to generate attack images that do not have the same flaws.

Diffusion morphs are not perfect, but they are the most difficult to detect, reaching up to 99.8 percent in Raja’s tests, and therefore should be included in training data.

Raja went on to describe different morph attack image creation techniques and their relative effectiveness.

David Robertson of the University of Strathclyde in Scotland introduced the concept of familiar or unfamiliar face recognition. These terms describe how people can identify the same person in widely varying photos, if they know them, and yet fail at the much simpler task of matching a person standing in front of them to, or differentiating them from, a photo.

He also shared the results of a study which showed that training people on what morph attacks are made only a small difference in their rate of spotting passport fraud. Untrained observers accepted just over two-thirds of 50/50 morphs as matches for the fraudster, which improved by only 10 percent with sensitization. Other studies have shown that occupational doesn’t provide an advantage over these members of the public, either.

A better way to enable border official to catch morphs, therefore, is to select people who have natural talent for unfamiliar face recognition – super-recognizers — to be the one standing at the front of the line.

Franco shared her research into the resistance of biometric systems to morphing attacks. This resistance is measured with the metric Morphing Attack Potential (MAP), which is described in ISO/IEC 20059:2025.

The metric measures the number of probe images (recognition attempts) and number of biometric systems that will match them with the morphed reference. The result is a table, with reference images that will match the most probes on the most systems posing the greatest threat.

In its early stages, the research indicates that facial recognition systems are getting better at detecting morph attacks, but the attacks are evolving as well, and the challenge remains quite serious.

MAD lessons

To address that problem head-on, single-image MAD can be used during the receipt of the individual’s photo by the organization that issues the ID document, while both single-image and differential MAD can be used at the point of verification, says Marija Ivanovska of the University of Ljubjana, Slovenia.

S-MAD is inherently difficult, however, with no reference image, evolving attack generators, operational image variability and the high cost of false positives. Classic approaches to MAD tend not to generalize effectively. Ivanovska’s team developed a method of creating the kind of evidence that face morphs leave without creating the morphs themselves in order to improve model training.

They found the artifacts and patterns created by the SelfMAD model improved generalization and robustness to high-quality morph attacks.

D-MAD can use the presence of a reference image to look for cross-image inconsistencies, local region matching and other signs of manipulation.

Raul Ismayilov of the University of Twente presented the D-MAD method Face Demorphing, which aims to reconstruct the accomplice of the criminal attempting to use the morph for document enrollment or to cross a border. He has worked on the SFDemorpher model, using a combination of synthetic and real data, morphs and bona fide images to generate images as similar as possible to those of the subject ID document.

Nicolo Di Domenico of the University of Bologna expanded the conversation to short videos captured like those captured by some automated border control gates. Video-based MAD, or V-MAD, uses the additional probe data to reduce the weight of or eliminate lower-quality images, which are known to pose problems to MAD algorithms. A V-MAD competition at IJCB 2026 drew 24 valid submissions. The results were promising, but Di Domenico says more large-scale datasets are needed.

MAD systems that continually learn as more biometric data becomes available are possible, but typically they are prone to catastrophic forgetting, Guido Borghi of the University of Modena and Reggio Emilia explained. A distributed model training approach in which each new piece of data is deleted before the updated model is shared offers a privacy-compliant way out of this trap, according to Borghi.

Wednesday’s workshop sessions will delve into Horizon Europe Research Projects on MAD and public benchmarks.

Article Topics

biometrics  |  biometrics research  |  EAB  |  EAB 2026  |  face biometrics  |  face morphing  |  facial recognition  |  morphing attack  |  Morphing Attack Detection (MAD)