Can a recorded video of me trick an online identity check?
How video liveness detection and rPPG blood-flow analysis stop recorded video replay attacks from fooling online identity verification and KYC systems.
A recorded clip of your face, captured from a video call, lifted from social media, or screen-grabbed during a previous verification session, is one of the oldest tools in the fraudster's kit. The worry is reasonable: if a system only checks whether a face matches a document, a high-resolution replay played back to a camera looks almost identical to the genuine article. This is exactly the gap that modern video liveness detection is built to close. The discipline has matured well beyond the simple "blink now" prompts of a few years ago, and the question of whether a recorded video can defeat an identity check now depends almost entirely on what kind of liveness signal the verifier is measuring.
Injection attacks, in which fraudsters bypass the camera entirely to feed recorded or synthetic video into a verification pipeline, surged sharply through 2024, prompting biometric standards bodies to publish ISO/IEC 30107-4 in February 2024 specifically to profile presentation attack detection on mobile devices.
What video liveness detection actually verifies
Video liveness detection is the set of techniques a verification system uses to confirm that the face in front of the camera belongs to a living person who is physically present, rather than a photograph, a screen, a mask, or a recorded or synthetic video. The International Organization for Standardization formalizes this under ISO/IEC 30107-3, the Presentation Attack Detection (PAD) standard revised in 2023 to add metrics such as RIAPAR for more comprehensive evaluation of how systems behave under attack.
A recorded video defeats weak liveness because it already contains the motion that naive systems look for. If the check simply wants to see a head turn or a blink, a replayed clip supplies both. The defense, therefore, is not to look for motion at all, but to look for evidence that no recording can carry forward through a screen.
Researchers separate the problem into two attack families:
- Presentation attacks, where a recorded video is physically played back on a phone or monitor held up to the verification camera.
- Injection attacks, where the recorded or generated video is fed directly into the data stream using a virtual camera, bypassing the lens entirely.
The first leaves optical fingerprints such as screen glare, moire patterns, and bezel edges. The second leaves no optical trace at all, which is why detection has shifted toward physiological signals that a recording cannot fake on demand.
Comparing how each method handles a recorded video
| Detection method | What it measures | Recorded video replay | Injection attack | User friction |
|---|---|---|---|---|
| Motion challenge (blink, turn, smile) | Requested action on cue | Weak, replay contains the motion | Weak, video supplies the action | High, scripted steps |
| Texture and frame analysis | Pixel artifacts per frame | Moderate, catches screen replay | Weak against clean injected video | Low, passive |
| Optical artifact detection | Glare, moire, bezel | Strong against screen playback | Weak, no lens involved | Low, passive |
| Remote photoplethysmography (rPPG) | Pulse via skin-color change from blood flow | Strong, recordings lack a live pulse signal | Strong, signal must be biologically consistent | Low, fully passive |
The pattern is clear. Methods that depend on the user performing an action, or on the attack being routed through a real camera, leave openings that a recorded video or an injected stream can exploit. Methods that read an involuntary biological signal close those openings because the signal has to be generated, in real time, by living tissue.
How blood flow exposes a recording
Remote photoplethysmography, or rPPG, measures the tiny periodic changes in skin color that occur as the heart pushes blood through the capillaries just beneath the surface of the face. These shifts are invisible to the human eye but recoverable by a standard RGB camera. A genuine, present person produces a coherent pulse waveform spread across the facial regions where blood flow is strongest. A recorded video played on a screen does not. The screen emits its own light, compression flattens the subtle color variation, and the playback carries no live circulatory rhythm tied to the moment of capture.
This is why blood-flow analysis is resistant to replay in a way that motion checks are not:
- A recorded clip cannot generate a new pulse signal during the verification session.
- Screen playback and compression degrade or destroy the faint color signal rPPG depends on.
- The spatial distribution of the pulse across the face is hard to reproduce convincingly in synthetic media.
The approach detects a real pulse, no person, no signal. That principle is what makes it effective against recorded video, printed photos, 3D masks, and many deepfakes at once.
Industry applications for verification and KYC teams
Remote account opening
For banks and fintech fraud teams, the highest-value moment of attack is the new-account flow, where a fraudster needs to pass a one-time identity check using stolen documents and a recorded or synthetic face. Passive video liveness detection that reads blood flow runs in the background of a normal selfie capture, so it adds protection without adding the scripted steps that drive applicants to abandon onboarding.
Video KYC and call-center re-verification
KYC providers running live or recorded video sessions face both replay and injection risk. Because rPPG looks for a physiological signal rather than a scripted gesture, it can be layered onto an existing video KYC pipeline as an additional check that an injected stream cannot satisfy, even when that stream is a clean, high-resolution recording.
High-risk transaction step-up
When a payment or account change triggers a step-up check, the verifier needs confidence that the person re-authenticating is live and present. A blood-flow signal supplies that confidence passively, which matters when the alternative is repeatedly interrupting trusted customers.
Current research and evidence
The research community treats rPPG as a strong but not infallible tool, which is the honest position for any vendor to hold. A 2024 study published in Frontiers, titled "High-quality deepfakes have a heart," demonstrated that the most advanced deepfakes can inadvertently inherit or mimic pulsation signals from their source footage, meaning a naive global heart-rate check is no longer enough on its own. The same line of work, reported through biometric industry coverage in 2024 and 2025, found that the spatial distribution of blood flow across distinct facial regions remains far harder to fake than a single averaged pulse, keeping region-aware rPPG analysis valuable against sophisticated synthetic media.
A separate 2024 evaluation, "Applicability of rPPG-Based Deepfake Detection: Evaluating Heart Rate Estimation in Forensically Relevant Conditions," cautioned that lighting, camera quality, motion, and video compression all affect signal reliability, underscoring the need to combine physiological analysis with other passive checks rather than depend on it in isolation. The LivDet-Face 2024 competition continued to provide standardized datasets for benchmarking face PAD against print, replay, and 3D-mask attacks, giving the field shared ground truth for measuring progress.
The consistent finding across this body of work is that recorded-video attacks fail against physiological liveness far more reliably than against motion or texture checks, while the strongest defenses combine several passive signals so that no single weakness becomes a single point of failure.
The Future of video liveness detection
Three trends are shaping where video liveness detection goes next. First, standards are tightening: ISO/IEC 30107-4:2024 extended formal PAD testing to mobile devices, and certification refreshes against ISO/IEC 30107-3 are becoming a baseline expectation rather than a differentiator. Second, the attack surface is moving from the camera to the data stream, making injection-resistant signals like blood flow more important than optical artifact detection alone. Third, detection is becoming multi-layered by default, pairing physiological analysis with device and stream integrity checks so that a recorded video has to defeat several independent measurements at once, which it cannot do.
For verification vendors and KYC teams, the practical takeaway is that a recorded video can still trick a verification check that only watches for motion or matches a face to a document. It struggles badly against a system that insists on a live biological signal generated at the moment of capture.
Frequently asked questions
Can someone use a video from my social media to pass an identity check?
Against a basic system that only matches your face or asks for a blink, a clear recording can sometimes pass. Against video liveness detection that reads blood flow, the recording fails because it cannot produce a live pulse signal during the session.
What is the difference between a replay attack and an injection attack?
A replay attack plays a recorded video on a screen held up to the verification camera, leaving optical clues like glare and moire. An injection attack feeds the recording straight into the software using a virtual camera, leaving no lens-based clues, which is why physiological signals matter.
Is blink-and-turn liveness still secure?
Motion challenges are increasingly weak on their own because a recorded or synthetic video can contain the requested action. They are best used as one layer alongside passive signals that a recording cannot satisfy.
Can advanced deepfakes fake a pulse?
Research in 2024 showed that high-quality deepfakes can inherit a rough heart-rate signal from source footage, but the detailed spatial pattern of blood flow across the face remains very difficult to reproduce, which keeps region-aware rPPG effective.
Circadify is building toward exactly this challenge, applying blood-flow signal analysis so that recorded and synthetic video fail the one test they cannot pass: proving a living person is present. Verification vendors, banks, and KYC teams evaluating anti-spoofing options can request an enterprise security demo to see how physiological liveness fits into an existing identity pipeline.