How to Add Liveness Detection to Online Onboarding
An architectural guide for integrating biometric liveness verification into remote onboarding flows to prevent synthetic media and presentation attacks.

The industrialization of synthetic media has structurally changed the security requirements for remote account opening. In the early days of digital banking, matching a user's selfie to a government-issued identification document was sufficient for identity proofing. Today, organized fraud networks deploy generative models and high-resolution physical artifacts to bypass standard facial recognition checks. For identity verification vendors and financial institutions, the primary security challenge is no longer just matching a face, but proving the physical presence of a living human behind the camera. Integrating biometric liveness verification into the online onboarding flow has transitioned from an optional security layer to a strict regulatory and operational necessity. This integration requires a precise understanding of capture modalities, biometric signals, and presentation attack vectors.
"Voice and video deepfake fraud attempts surged by over 1,300 percent in 2024, escalating from an average of one per month to seven per day. Within the financial technology sector specifically, deepfake identity cases rose by 533 percent between 2023 and 2024." , 2024 Security Intelligence and Fraud Report, Pindrop Research
Integrating biometric liveness verification into onboarding workflows
When identity platforms evaluate biometric liveness verification, the integration architecture dictates both the security threshold and the user conversion rate. The objective is to collect a biometric sample from a standard RGB camera, usually via a smartphone or laptop webcam, and analyze it for indicators of a presentation attack.
There are three primary architectural models for processing this video feed during onboarding: active challenge-response, passive pixel analysis, and passive physiological analysis (rPPG).
| Liveness Modality | Verification Method | Friction Level | System Vulnerabilities |
|---|---|---|---|
| Active Liveness | User performs prompted actions (e.g., blinking, smiling, turning head) | High | Susceptible to AI video manipulation, 3D masks, and replay attacks |
| Passive Pixel Analysis | Analyzes edge artifacts, lighting inconsistencies, and screen glare | Low | Defeated by high-quality deepfakes, printed photos, and screen injections |
| Passive rPPG Analysis | Detects real-time cardiovascular blood flow via optical skin variations | Low | Requires adequate lighting for optimal physiological signal extraction |
When planning an integration, engineering and fraud teams must evaluate several technical requirements to ensure a secure and frictionless user experience:
- SDK vs API Deployment: Client-side SDKs allow for frame-by-frame analysis and immediate environmental feedback (like prompting the user for better lighting), while server-side APIs offload processing but can introduce latency.
- Frame Rate and Resolution: Physiological liveness requires a consistent minimum frame rate to capture sequential cardiac cycles accurately across a continuous video feed.
- Device Fallbacks: Systems must gracefully handle low-light conditions by adjusting screen brightness or providing clear UI prompts for the user to move to a well-lit area before failing the session.
- Workflow Positioning: Verification checks should occur immediately after document capture to ensure continuous session integrity, preventing session hijacking between the ID scan and the face capture.
- Risk Engine Synchronization: Liveness scores should not exist in a vacuum; they must be ingested by a centralized risk engine that correlates the biometric data with device fingerprinting and network behavior.
Industry Applications
Different sectors face unique presentation attack vectors, requiring tailored integration strategies for their onboarding flows.
Retail banking and neobanks
Financial institutions face the highest volume of synthetic identity fraud. Fraudsters use deepfake video injection software to route synthetic camera feeds directly into the browser, creating identities that bypass standard Know Your Customer (KYC) checks. For banks, adding biometric liveness verification directly into the mobile banking application is standard practice. The system captures a brief video segment while the user positions their face within an overlay. By relying on biological signals rather than just pixel matching, banks can prevent automated account creation bots from scaling their attacks.
Identity verification platforms
Identity proofing vendors provide the infrastructure that other businesses rely on. These platforms integrate liveness checks as a core component of their API architecture. By utilizing passive physiological liveness, identity vendors can offer a frictionless experience to their end clients. This ensures that legitimate users complete the sign-up process without abandoning the session due to complex challenge-response prompts, maximizing conversion rates while maintaining rigorous security protocols.
Cryptocurrency and high-risk sectors
High-risk sectors like telecommunications (SIM swapping) and cryptocurrency exchanges experience coordinated attacks using printed masks and digital replay attacks. In these environments, liveness checks are deployed During initial account creation. For high-value transaction authorization and account recovery processes. A passive liveness check can run silently in the background while the user reads a disclosure or confirms a transaction, eliminating the need for step-up friction.
Current research and evidence
The shift toward physiological liveness is supported by extensive empirical research into remote photoplethysmography (rPPG). rPPG technology relies on the biological principle that cardiac activity causes microscopic changes in skin color, which are invisible to the human eye but highly measurable by standard digital sensors.
Researchers Ali Cherry, Aya Nasser, and Wassim Salameh evaluated the integration of deep learning models with rPPG signals in a 2024 study published in the journal Sensors. Their paper, "Real-Time PPG-Based Biometric Identification", demonstrated that advanced neural networks analyzing physiological data could achieve 99 percent accuracy in real-time environments. Because printed masks, digital screens, and AI-generated deepfakes do not possess a living cardiovascular system, they cannot produce the continuous, rhythmic optical variations expected from a live human subject.
This biological baseline is increasingly necessary as traditional pixel analysis falls behind generative capabilities. The 2024 Face Liveness Detection Competition (LivDet-Face), co-organized by researchers Lambert Igene and Stephanie Schuckers from Clarkson University alongside Sébastien Marcel from the Idiap Research Institute, provided an international benchmark for evaluating Presentation Attack Detection (PAD). The competition results indicated that while spatial analysis struggles against high-fidelity synthetic media and 3D silicone masks, physiological and temporal analysis methods maintain robust defense mechanisms.
As generative algorithms learn to produce flawless visual frames, security systems must rely on biological signals that cannot be digitally rendered. The findings from these academic benchmarks confirm that physiological verification is the most sustainable approach to remote onboarding security.
The future of liveness detection
The trajectory of identity verification suggests a complete departure from static visual checks and high-friction active challenges. Future integration models will likely rely entirely on continuous, passive biological monitoring. Instead of treating liveness as a discrete, isolated step in the onboarding flow, identity platforms will authenticate the user continuously throughout the entire session.
As processing power increases on edge devices, more of the biometric signal extraction will happen directly on the user's smartphone. This on-device processing will reduce server latency, cut cloud compute costs for vendors, and improve data privacy by ensuring raw video feeds never leave the device. Only the encrypted liveness score will be transmitted to the risk engine.
The arms race between synthetic media generation and presentation attack detection will persist. However, physiological analysis provides a definitive biological baseline that synthetic artifacts cannot replicate. Fraudsters can generate a perfect visual representation of a face, but they cannot simulate the physical properties of light interacting with human cardiac blood flow.
Frequently asked questions
What is the difference between active and passive liveness? Active liveness requires the user to perform specific physical actions, such as blinking, smiling, or turning their head. This adds friction to the onboarding process and can be defeated by modern deepfake technology. Passive liveness operates invisibly in the background, analyzing the video feed for depth, texture, or physiological signals without requiring any user interaction.
How does rPPG technology prevent deepfake attacks? Remote photoplethysmography (rPPG) measures the subtle optical changes in skin color caused by human blood flow. Deepfakes, digital replays, and physical masks lack a heartbeat and a cardiovascular system, meaning they cannot generate the biological signal that rPPG algorithms require to verify human presence.
Where should liveness checks be placed in the onboarding flow? The most secure implementation places the liveness check immediately after the user captures their identity document. This minimizes the time window for session hijacking and ensures the live, physically present person matches the individual depicted on the provided government credential.
How do environmental factors affect passive liveness detection? Poor lighting can obscure the micro-color changes required for physiological analysis. Modern integration workflows account for this by incorporating real-time feedback loops via the client-side SDK, adjusting the screen brightness of the device or prompting the user to move to a brighter environment before processing the final biometric sample.
For enterprise fraud teams and identity verification providers, staying ahead of synthetic media requires adopting biological authentication frameworks. Circadify offers specialized solutions for this sector, utilizing rPPG technology to analyze actual blood flow and detect advanced presentation attacks without introducing user friction. To explore how this technology integrates into your existing security stack, schedule an Enterprise security demo.
