The Myth of ‘Good Enough’ Liveness Detection - And Why It Will Cost You

There is a version of liveness detection that most Fintechs have deployed. It asks the customer to blink. Or smile. Or turn their head left. It checks that a face is present in the camera frame and runs a basic spoof check against a static photograph. It passes. Onboarding continues.
This is liveness detection that was adequate in 2019. It is not adequate in 2025.
The threat environment has changed fundamentally. The tools available to fraudsters have changed fundamentally. And the regulatory framework governing liveness and Video KYC in India has been updated through the RBI KYC Master Directions (updated August 2025) and the V-CIP guidelines, which have been embedded in the KYC framework since 2020 and updated through successive circulars.
This article explains what ‘good enough’ liveness detection actually gets wrong, what the current threat landscape looks like, what the RBI now requires, and what a genuinely robust liveness architecture looks like for a Fintech operating in 2025 and beyond.
1. What ‘Good Enough’ Liveness Detection Actually Means
Most Fintechs that describe their liveness detection as strong or compliant are running one or more of the following implementations:
Active Liveness with Gesture Prompts
The system asks the customer to perform a visible action: blink, smile, nod, or turn their head to a specific angle. The camera captures the movement and confirms that the face on screen is responding to a live prompt.
This was the dominant approach for several years. The RBI FAQ on KYC (June 2025) explicitly states that making specific facial gestures such as blinking of eyes, smiling, or frowning is not mandatory for a liveness check, and that Regulated Entities must take due cognizance of the special needs of customers. This is a regulatory signal that gesture-only active liveness is no longer sufficient on its own.
Single-Frame Passive Liveness
The system analyzes a single image or short video clip to determine whether the face presented is a live person or a printed photograph, screen display, or 3D mask. It performs well against basic presentation attacks but not against injection attacks, where a synthetic video stream is fed directly into the authentication pipeline at the software layer, bypassing the physical camera entirely.
Face Match Without Liveness
Some implementations run a face match between the onboarding selfie and the ID photograph without a separate liveness check. This confirms the face matches the document but does not confirm the person is alive and present. A high-quality printed photograph of the ID holder, held up to the camera, can pass a face match without liveness.
The Compliance Gap in Gesture-Only Liveness
The RBI V-CIP guidelines require that liveness detection must function with a high degree of accuracy and must be capable of detecting spoofing. The RBI FAQ (June 2025) clarifies that gestures are not mandatory - meaning an implementation that relies exclusively on gesture compliance without underlying spoof detection does not meet the full intent of the RBI requirement. Gesture compliance and spoof detection are not the same thing.
2. The Threat Landscape That Has Made ‘Good Enough’ Obsolete
The reason ‘good enough’ liveness detection is no longer adequate is not a regulatory opinion. It is a documented fraud reality. The tools available to fraudsters have undergone a step change in sophistication, availability, and cost since 2022.
Presentation Attacks: The Traditional Threat
A presentation attack involves presenting a fake biometric to the physical camera: a printed photograph, a phone screen displaying a video, or a 3D mask. Traditional liveness detection was designed primarily to defend against these attacks, and it performs reasonably well at this layer.
Injection Attacks: The Fastest-Growing Threat Vector
An injection attack bypasses the camera entirely by injecting a synthetic or pre-recorded video stream directly into the authentication pipeline at the software layer. The liveness check receives what appears to be a live camera feed, but is actually a generated or replayed video.
According to the iProov Threat Intelligence Report 2025, Native Virtual Camera attacks - the primary injection attack vector - surged 2,665% in 2024, driven partly by native camera attack tools appearing in mainstream app stores. Virtual camera software requires no hardware and can be deployed by a non-technical fraudster. A standard single-frame passive liveness check performs poorly against injection attacks because the injected stream has already been processed to pass frame-level checks.
Face Swap Deepfakes: Real-Time Identity Impersonation
Face swap technology allows a fraudster to replace their face in a live video stream with another person’s face in real time, synchronized to actual expressions and movements.
According to the iProov Threat Intelligence Report 2025, Face Swap attacks surged 300% in 2024 compared to 2023, with threat actors specifically shifting focus to systems using liveness detection protocols. The iProov 2024 Report documented 127 face swap tools, 91 virtual cameras, and 10 emulators in active circulation. This is the attack vector that gesture-based active liveness is most poorly equipped to defend against: the face on screen responds correctly to prompts because the face swap runs in real time.
Deepfake-Assisted Synthetic Identity Fraud
Synthetic identity fraud combines real data such as a valid PAN number with a fabricated face or documents. Generative AI tools can produce photorealistic identity photographs not sourced from any real person, making reverse image search checks ineffective. The CKYCRR 2.0 biometric de-duplication layer addresses this at the registry level after onboarding. The first-line control is the liveness layer at the Fintech’s own onboarding step.
Source Note on Fraud Statistics
Native Virtual Camera +2,665% and Face Swap +300% figures are from the iProov Threat Intelligence Report 2025, published February 27, 2025, based on iProov’s Security Operations Center (iSOC) live attack data.
3. What the RBI Actually Requires: Reading the V-CIP Guidelines Correctly
The RBI’s requirements for liveness detection are set out in the V-CIP (Video Customer Identification Process) framework embedded in the KYC Master Directions (updated August 14, 2025). Here is what the RBI framework actually requires:
- The V-CIP application must detect face liveness and spoofing, and conduct a face match with a high degree of accuracy. This is a direct technical specification, not aspirational language.
- Regulated Entities can use appropriate artificial intelligence technology to ensure that the V-CIP is robust. This is explicit RBI permission and encouragement to deploy AI-based liveness and spoof detection.
- The V-CIP must detect IP addresses from outside India or IP spoofing and prevent connection with such addresses. This directly targets injection attacks at the network layer.
- Any case of forged identity detected through V-CIP must be reported as a cybersecurity event under the applicable RBI cybersecurity guidelines. A liveness failure resulting in detected fraud is a reportable regulatory event, not just a fraud case to reverse.
- The V-CIP technology infrastructure must be regularly upgraded for security purposes based on experience with forged identity cases. This is a mandatory ongoing update requirement, not a one-time build standard.
- V-CIP applications must undergo Vulnerability Assessment, Penetration Testing, and Security Audit periodically by suitably accredited agencies. CERT-In empaneled auditors are the relevant standard.
The RBI FAQ on KYC (June 2025) confirms: facial gestures such as blinking, smiling, and frowning are not mandatory for a liveness check, and REs must take due cognizance of the special needs of customers. This clarification does not lower the fraud detection standard. It clarifies that passive liveness is acceptable provided it meets the high accuracy and spoof detection requirements.
Key Regulatory Clarification: Gestures Are Not the Standard
The RBI FAQ (June 2025) statement that gestures are not mandatory is often misread as relaxing the liveness requirement. It does not. Passive liveness is acceptable in place of active gesture prompts, provided the underlying technology meets the high accuracy and spoof detection requirements. An implementation without gesture prompts but also without robust passive liveness and anti-spoofing is non-compliant.
4. The Four Layers of a Robust Liveness Architecture
A liveness architecture that meets the current threat environment and RBI requirements is not a single check. It is a layered system where each layer addresses a different attack vector.
Layer 1: Passive Liveness Detection
Passive liveness analyzes the video stream in real time without requiring any action from the user, examining micro-movements, skin texture, depth cues, and temporal consistency across frames. It meets the RBI’s clarification that gestures are not mandatory and is more accessible for customers with mobility or facial limitations. AIFISE’s Face Match solution incorporates passive liveness detection as part of the V-CIP onboarding flow.
Layer 2: Injection Attack and Virtual Camera Detection
Injection attack detection operates at the camera input level, verifying that the video stream originates from a genuine physical camera device rather than a virtual camera driver or replayed file. Camera forensics examines metadata signatures, sensor noise patterns, and frame-level anomalies absent in injected streams. The RBI’s requirement that V-CIP must detect and block IP spoofing maps directly to this layer.
iBeta Level 2 PAD certification under ISO 30107-3 evaluates a liveness system’s resilience against both presentation and injection attacks. NIST biometric evaluations, while rigorous for face recognition accuracy, do not assess injection attack resilience. Relying on NIST ranking alone does not confirm injection attack protection.
Layer 3: Deepfake and Face Swap Detection
Deepfake detection analyzes the video stream for artifacts characteristic of AI-generated content: compression patterns from generative models, temporal inconsistencies between facial micro-movements and background motion, and boundary artifacts at the face perimeter in face swap implementations. Per the iProov 2025 Report, nearly 24,000 users in crime-as-a-service networks are now selling attack technologies, and over 115,000 potential attack combinations are possible from just three common tools. This layer specifically defends against face swap attacks that bypass active gesture checks.
Layer 4: Document Authenticity and Face Match
Liveness confirms the person is present. It does not confirm identity matches the claimed document. A complete V-CIP architecture includes document authenticity verification and a calibrated face match. The RBI KYC Master Directions explicitly mandate face match as a companion control to liveness. AIFISE’s Video KYC solution combines liveness, face match, and document verification in a single V-CIP compliant workflow.
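The four layers can be combined into a single fail-closed session decision. The sketch below is an added example, not AIFISE's or any vendor's code: the field names, thresholds and the choice of which failures count as suspected forgery are assumptions made for illustration. It shows that a session with a passed gesture and a face match but no spoof signals is rejected, and that a face swap which passes liveness is still caught by Layer 3.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for illustration only; calibrate against your own vendor data.
MIN_LIVENESS, MAX_DEEPFAKE, MIN_FACE_MATCH = 0.90, 0.10, 0.85


@dataclass(frozen=True)
class SessionSignals:
    """Outputs of each layer for one V-CIP session. None = layer did not report."""
    passive_liveness: Optional[float] = None   # Layer 1: 0..1, higher is more live
    camera_is_physical: Optional[bool] = None  # Layer 2: injection / virtual camera verdict
    deepfake_score: Optional[float] = None     # Layer 3: 0..1, higher is more synthetic
    document_authentic: Optional[bool] = None  # Layer 4: document check
    face_match: Optional[float] = None         # Layer 4: 0..1 similarity to ID photo
    ip_in_india: Optional[bool] = None         # network check on the source IP
    gesture_passed: Optional[bool] = None      # recorded for audit, never used to approve


def _at_least(value, floor):
    return None if value is None else value >= floor


def evaluate(s: SessionSignals) -> dict:
    """Approve only when every layer reported and passed; unknown counts as a fail."""
    checks = {
        "passive_liveness": _at_least(s.passive_liveness, MIN_LIVENESS),
        "camera_is_physical": s.camera_is_physical,
        "deepfake": None if s.deepfake_score is None else s.deepfake_score <= MAX_DEEPFAKE,
        "document_authentic": s.document_authentic,
        "face_match": _at_least(s.face_match, MIN_FACE_MATCH),
        "ip_in_india": s.ip_in_india,
    }
    failed = sorted(k for k, ok in checks.items() if ok is False)
    missing = sorted(k for k, ok in checks.items() if ok is None)
    # Assumption: these three failures indicate a forged identity rather than a
    # poor-quality capture, so they feed the cybersecurity-event reporting path.
    forged = bool({"camera_is_physical", "deepfake", "document_authentic"} & set(failed))
    return {
        "decision": "approve" if not failed and not missing else "reject",
        "failed": failed,
        "missing": missing,
        "forged_identity_suspected": forged,
    }


# Constructed sample sessions (not real data).
GESTURE_ONLY = SessionSignals(gesture_passed=True, face_match=0.93, ip_in_india=True)
FACE_SWAP = SessionSignals(passive_liveness=0.95, camera_is_physical=True,
                           deepfake_score=0.72, document_authentic=True,
                           face_match=0.91, ip_in_india=True, gesture_passed=True)
CLEAN = SessionSignals(passive_liveness=0.97, camera_is_physical=True,
                       deepfake_score=0.02, document_authentic=True,
                       face_match=0.94, ip_in_india=True)

if __name__ == "__main__":
    for name, session in (("gesture_only", GESTURE_ONLY),
                          ("face_swap", FACE_SWAP), ("clean", CLEAN)):
        print(name, evaluate(session))
```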
5. Active vs. Passive Liveness: What the RBI’s Clarification Actually Changes
What Changed
The RBI FAQ on KYC (June 2025) explicitly states that specific facial gestures such as blinking, smiling, and frowning are not mandatory for a liveness check, and that REs must take due cognizance of customers with special needs.
What Did Not Change
The requirement for spoof detection with a high degree of accuracy. The requirement to detect and block IP spoofing. The requirement for regular technology upgrades based on forged identity experience. The obligation to report forged identity as a cybersecurity event.
What This Means in Practice
A Fintech that removes gesture prompts and replaces them with a passive liveness system that meets the accuracy and spoof detection standard is fully compliant and more secure. A Fintech that removes gesture prompts without replacing them with equivalent passive liveness and anti-spoofing is less secure and potentially non-compliant. The clarification is an invitation to upgrade from active to passive liveness - not to reduce rigour.
6. The Compliance Cost of a Liveness Failure
Direct Fraud Loss
A fraudster who bypasses liveness detection gains an account opened under a false identity. For NBFCs and digital lenders, a synthetic identity account may not surface as fraud until the first credit event. The gap between onboarding and detection is the window during which fraud is executed.
Regulatory Exposure: Forged Identity as a Cybersecurity Event
Per the RBI V-CIP guidelines, any detected case of forged identity through V-CIP must be reported as a cybersecurity event under the applicable RBI cybersecurity guidelines. For NBFCs, the relevant framework is the RBI’s Information Technology Framework for NBFCs. For commercial banks, it is the RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices. A liveness failure is not just a fraud event to reverse. It is a cybersecurity incident with a regulatory disclosure obligation.
VAPT Non-Compliance
The RBI KYC Master Directions require V-CIP technology to undergo VAPT and Security Audit periodically by CERT-In empaneled auditors. A Fintech that cannot produce current VAPT documentation for its V-CIP application is non-compliant with this requirement independently of whether a fraud event has occurred. During an RBI IT examination, this surfaces as a standalone compliance finding.
The VAPT Requirement Is Not Optional
V-CIP applications must undergo Vulnerability Assessment, Penetration Testing, and Security Audit periodically by CERT-In empaneled auditors as required by the RBI KYC Master Directions. An institution that cannot produce current VAPT documentation is non-compliant, regardless of its fraud record.
7. The Sectors Most Exposed to Inadequate Liveness Detection
Digital Lenders and NBFCs
Synthetic identity fraud targeting digital lenders is the highest-volume liveness bypass use case in India’s Fintech sector. CKYCRR 2.0 biometric de-duplication provides a national-level second control after onboarding, but the liveness check at onboarding is the first and most critical fraud gate. Explore AIFISE’s KYC solutions for Fintech and digital lending.
Neobanks and Payment Aggregators
Neobanks with fully app-based V-CIP run the highest exposure to injection attacks because the onboarding flow is executed through a mobile application, where virtual camera tools are most easily deployed. A liveness system designed for laptop webcam environments may have different detection characteristics in a mobile context. Explore AIFISE’s Video KYC solution for mobile-first V-CIP flows.
Securities Brokerages and Wealth Platforms
SEBI-regulated entities using V-CIP for demat account opening face a multi-regulator compliance surface. A V-CIP failure reportable to RBI as a cybersecurity event may separately trigger SEBI reporting obligations. See AIFISE’s solutions for securities brokerages.
Crypto and VDA Platforms
VDA service providers classified as Reporting Entities under PMLA since March 2023 face the highest concentration of deepfake and synthetic identity attacks. The iProov 2024 Report documents crypto platforms as a primary target for face swap injection attacks given the high value of assets accessible post-onboarding.
Insurance and Insurtech Platforms
Insurance fraudsters using synthetic identities to obtain policies represent long-tail risk that may not surface for months or years post-onboarding. A liveness failure at policy issuance is significantly harder to detect and remediate than at a lending step where first payment default surfaces within weeks.
8. Evaluating Your Current Liveness Implementation: A Diagnostic Framework
Apply these seven diagnostic questions before concluding your current implementation is adequate:
| Diagnostic Question | If the Answer Is No or Unknown |
| --- | --- |
| Does your liveness system detect virtual camera injection attacks at the device driver level, not just frame analysis? | Your system is vulnerable to injection attacks. Native virtual camera attacks surged 2,665% in 2024 (iProov 2025). This is the primary active attack vector. |
| Does your liveness system analyze for deepfake and face swap artefacts in real time, separate from spoof detection? | Real-time face swap attacks that respond correctly to active prompts will pass your liveness check. Face swap attacks rose 300% in 2024. |
| Has your V-CIP application undergone current VAPT by a CERT-In empaneled auditor? | You are non-compliant with the RBI V-CIP VAPT requirement, independently of whether a fraud event has occurred. |
| Does your V-CIP detect and block connections from IP addresses outside India and spoofed IP sources? | You are non-compliant with the specific network-layer requirement in the RBI KYC Master Directions V-CIP section. |
| Do you have an operational workflow to report a detected forged identity through V-CIP as a cybersecurity event? | You lack the incident response procedure required by the RBI when a V-CIP liveness failure results in a detected forged identity. |
| Has your liveness system been updated in the last 12 months based on known forged identity patterns? | The RBI requires regular upgrades based on forged identity experience. A system with no updates since initial deployment is likely non-current given 2024 attack patterns. |
| Is your liveness system accessible to customers with facial limitations or mobility impairments without requiring specific gestures? | The RBI FAQ (June 2025) requires REs to take due cognizance of customers with special needs. Gesture-only active liveness creates an accessibility compliance gap. |
9. What Upgrading Liveness Detection Looks Like in Practice
Step 1: Audit Against the RBI V-CIP Checklist
Document your current system’s performance against each RBI V-CIP requirement: spoof detection accuracy, IP blocking capability, VAPT status, incident response procedure for forged identity, and technology update cadence. This establishes your compliance baseline.
Step 2: Specifically Test Injection Attack and Deepfake Resilience
Request that your CERT-In empaneled auditor include virtual camera injection tests and deepfake stream injection tests in the V-CIP VAPT scope. If your current liveness provider cannot provide test results against these vectors, that is itself a diagnostic finding.
Step 3: Migrate to Passive Liveness
The RBI FAQ (June 2025) provides clear regulatory basis to migrate from gesture prompts to passive liveness that meets the accuracy and spoof detection standard. This migration does not require a full V-CIP rebuild - it replaces the gesture prompt module with a passive liveness analysis module. AIFISE’s Face Match and Video KYC platform are built around this passive-first architecture.
Step 4: Implement the Forged Identity Incident Response Workflow
Build the operational workflow before you need it: classify detected forged identity as a cybersecurity incident, escalate internally per your cybersecurity policy, notify CERT-In if the event meets RBI thresholds, and log the event against the V-CIP session record for audit trail. This workflow is a regulatory requirement, not an optional response procedure.
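One way to make this workflow auditable is an append-only, hash-chained log keyed by V-CIP session id. The sketch below is an added example, not part of any RBI specification or vendor product: the step names, the session id and the ticket value are placeholders chosen here, and hash chaining is a technique assumed for the audit trail. It refuses out-of-order steps and detects after-the-fact edits to earlier entries.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Order follows the workflow described above; the step names are labels chosen here.
WORKFLOW = ("classified_as_cybersecurity_incident", "escalated_internally",
            "regulatory_notification_assessed", "session_record_annotated")


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def steps_done(log: list, session_id: str) -> list:
    return [e["step"] for e in log if e["session_id"] == session_id]


def open_steps(log: list, session_id: str) -> list:
    """Workflow steps not yet recorded for this session."""
    return list(WORKFLOW[len(steps_done(log, session_id)):])


def record_step(log: list, session_id: str, step: str, detail: dict, now=None) -> dict:
    """Append the next workflow step for a session; out-of-order steps are refused."""
    done = steps_done(log, session_id)
    if len(done) == len(WORKFLOW):
        raise ValueError("workflow already complete for this session")
    if step != WORKFLOW[len(done)]:
        raise ValueError(f"expected {WORKFLOW[len(done)]!r}, got {step!r}")
    entry = {
        "seq": len(log),
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "session_id": session_id,
        "step": step,
        "detail": detail,
        "prev": log[-1]["hash"] if log else GENESIS,  # link to the previous entry
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """True only if no entry was edited, reordered or removed from the middle."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True


def demo_log() -> list:
    """Constructed incident for a made-up session id (not real data)."""
    log, sid = [], "vcip-session-0001"
    t = datetime(2025, 1, 1, tzinfo=timezone.utc)
    record_step(log, sid, WORKFLOW[0], {"failed_layers": ["deepfake"]}, now=t)
    record_step(log, sid, WORKFLOW[1], {"ticket": "PLACEHOLDER-TICKET"}, now=t)
    return log
```

The chain detects edits inside the log but not truncation of its tail, so the latest hash should also be stored somewhere outside the log store.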
Frequently Asked Questions
Q: Does the RBI clarification that gestures are not mandatory mean we no longer need active liveness?
No. Per the RBI FAQ on KYC (June 2025), gestures are not mandatory but spoof detection with a high degree of accuracy still is. Removing gesture prompts without deploying equivalent passive liveness and anti-spoofing makes your system weaker, not compliant.
Q: What is an injection attack and why doesn’t standard liveness detect it?
An injection attack feeds a synthetic video stream directly into the authentication pipeline, bypassing the physical camera. Standard liveness analyzes frame content and assumes it is processing a genuine camera capture. Detection requires analysis at the camera input layer itself. Per the iProov 2025 Report, native virtual camera attacks - the dominant injection vector - surged 2,665% in 2024.
Q: What is iBeta Level 2 PAD certification and is it required by RBI?
iBeta Level 2 PAD is an independent test under ISO 30107-3 that evaluates liveness resilience against both presentation and injection attacks. The RBI does not mandate it by name, but it is a credible independent benchmark that aligns with the RBI’s high accuracy and spoof detection standard.
Q: If our V-CIP detects a forged identity, what are we required to do?
Per the RBI V-CIP guidelines, it must be reported as a cybersecurity event under the applicable RBI cybersecurity framework. You must also maintain an auditable log linked to the specific V-CIP session. Consult your compliance team for the reporting threshold and timeline applicable to your entity type.
Q: Our liveness provider has ISO 27001 certification. Does that cover the RBI VAPT requirement?
No. ISO 27001 covers information security management governance. It does not evaluate the technical performance of a liveness system against injection attacks or deepfakes. VAPT by a CERT-In empaneled auditor is a separate, mandatory requirement for the V-CIP application itself.
Q: At what point is a liveness system ‘regularly upgraded’ per RBI requirements?
There is no defined interval. The practical standard is: update when a new forged identity pattern is detected, when your provider releases updates addressing new attack vectors, or when VAPT identifies vulnerabilities. Given the 2,665% surge in native virtual camera attacks in 2024, a system with no updates in 12 to 18 months is likely non-current.
Is your liveness detection architecture ready for the current threat environment?
AIFISE’s Face Match solution and Video KYC and CKYC 2.0 platform are built with passive liveness detection, injection attack defense, and face match for V-CIP flows. Explore the full AIFISE KYC and CKYC 2.0 platform, or book a demo for a walkthrough of your specific V-CIP architecture and compliance gaps.
