EU research projects target face morph attacks threatening border, identity systems

The European Biometrics Association (EAB)’s recent morphing workshop highlighted two Horizon Europe research projects developing new defenses against face morph attacks targeting identity systems and border controls. Project EINSTEIN and the SafeTravellers project are working to improve morph attack detection (MAD) as generative AI makes facial image manipulation increasingly accessible.

Morph attacks, which blend multiple faces into a single image, can be used to obtain identity documents that may later authenticate more than one person. The threat is particularly relevant for passports, visas and digital identity systems that rely on facial biometrics as a primary trust anchor. As AI tools make creating realistic morphs easier, cheaper and more convincing, detecting manipulated facial images is becoming a critical component of border security, credential issuance and digital identity assurance.

The toolkit for creating face morph attacks has evolved rapidly, from traditional landmark-warping techniques to diffusion-based image generation. Advanced morph attack detection systems must therefore identify manipulated images produced by a wide range of methods while accounting for variations in image quality, capture environments and database diversity. As governments expand digital identity programs and biometric border controls, robust morph detection is becoming a critical layer of identity security.

Project EINSTEIN wants to make sure morph attacks aren’t spoiling ID databases

Project EINSTEIN, funded for three years under the Horizon Europe program, is focused on “innovating security in identity management and identity and travel documents for police and border authorities.” But a talk by Dr. Jonathan Boyle of the University of Reading focuses on detecting face morphs, and specifically looks at how “importing low quality or manipulated face images into ID databases can lead to security risks” like false identifications.

Project EINSTEIN looks for potential manipulation and checks the image quality of ID head shots. Its demo use case is its online ID issuance web app, powered by the Biometric Assessment Service (BAS), which performs the checks. It shows how the system might work when someone attempts to renew a passport.

A joint project from multiple research institutions, EINSTEIN has a modular architecture underpinning its system for D-MAD – differential morphing attack detection, which references an existing photo (versus single-image morphing attack detection ( S-MAD), which performs detection without external reference).

It’s looking for morphs created with a variety of algorithms, including Beier Neely, the AlyssaQ Face Morpher, StyleGAN2 and landmark-based Face Morphing. It interrogates image specifics like encoding, compression, resolution and colour space.

In general, it aims to exploit the strengths of select D-MAD models and avoid their weaknesses, creating a kind of fusion model.

In an ideal world, Boyle says, existing algorithms would all have S-MAD applied, to ensure the data hasn’t already been corrupted by face morphs. While that is impractical, with morph attack tools now easy to find and use, future datasets will benefit from testing on images to ensure database integrity.

Explainability a necessary complement to MAD, quality checks

Boyle highlights how explainability is becoming more important for biometric endeavors, as governments ramp up regulatory and compliance pressure. He cites it as one of three key ingredients for trustworthiness, which also include morphing attack detection and quality checks.

In addition to compliance, there is an operational need, in that one must know how the tool is influencing decisions, and a legal one, in that it must be defensible in court. And there is the question of public trust, which requires explanation. Stakeholders, says Boyle, “need more than just the metrics.”

Meanwhile, “tools and frameworks for D-MAD explainability barely exist yet.” He showcases a  “demorphing” slider that shows the transformation of an image using morphing algorithms, from input to attack. “Sometimes it’s not necessarily fully explaining the algorithm,” he says. “If we can find different ways to show the data, that can help, as well.”

Boyle says EINSTEIN has produced a usable workflow addressing the challenges of quality, explainability and evolving attack vectors at TRL 6. The team will continue to develop and refine the algorithm until its funding expires at the end of 2026.

SafeTravellers experiments with morphing method

SafeTravellers focuses on using multi-modal biometrics for identification, to help ease pressure on border management in Europe. It hopes to strengthen security at borders, improve productivity and reduce friction for EU citizens.

The project, which has piloted in four environments (land, sea, airports and rail), leverages pre-enrolment for travelers before transit, fraud-resistant digital travel credentials, and privacy-preserving measures for sharing biometric data. The core idea, according to Dr. David Fischinger of the Austrian Institute of Technology, is to “shift identity verification before the border and make crossing smoother while still increasing security.”

The Austrian Institute of Technology’s presentation digs into the SafeTravelers project’s morph detection activity. Justin Ilyes walked through the process of curating passport image datasets and generating face morphs, while Davide Antonutti detailed the project’s work on morph attack detection in both S-MAD and D-MAD scenarios. He also presented FusionMAD, a dual-branch detection framework designed to identify both landmark-based and deep learning-generated morphs using contrastive language-image pre-training (CLIP).

“We know that there is a significant difference between landmark-based and deep learning-based morphs,” says Antonutti. Landmark-based morphs are more likely to show obvious artifacts. “In contrast, the deep learning base models often produce global inconsistencies that are difficult for the human eye to detect.” The goal is to develop coverage across the spectrum.

SafeTravellers is also modifying its “Siamese architecture” for D-MAD, to address challenges with the method, such as demands on computation and low-quality captures.

Together, the EINSTEIN and SafeTravellers projects illustrate how morph attack detection is evolving from a niche research area into a core component of identity security. As governments expand digital identity programs, online passport services and biometric border controls, protecting facial image integrity is becoming as important as verifying the identity itself.

Article Topics

biometrics research  |  EAB  |  EAB 2026  |  explainability  |  face biometrics  |  face morphing  |  facial recognition  |  morphing attack  |  Morphing Attack Detection (MAD)  |  Project EINSTEIN  |  SafeTravellers