Face Verification
Address Verification
Document Verification
Age Verification
VideoIdent
Fast ID
eIDV
NFC Verification
Consent Verification
Business Verification
Due Diligence
Investor Verification
E-Signature
Behavioural Biometrics
Device Fingerprinting
MFA
AML Screening
Business AML Screening
User Risk Assessment
Transaction Screening
Adverse Media Screening
Identity Verification
KYC
KYB
KYI
Fraud Prevention
Bonus Abuse
Deepfakes
Multi-Accounting
Banking
Crypto
Fintech
Forex
Gaming
Gig Economy
Marketplace
Social Networks
Product Managers
Compliance Officers
Fraud Analyst
Global Trust Platform
Journey Builder
Vendor Comparison
Content library
Blogs
News
Reports
Insights
Knowledgebase
ROI calculator
Blind Spot Audit
Deepfake Detector
Liveness Detection
Document Originality
Document Deepfake
Events & Webinar
Podcast Studio
Spotlight Studio
API Documentation
Mobile SDKs
Service Status
Help Center
Contact Us
Technical Support
Compliance
Supported Documents
About
Career
Press Release
Certifications
Partnership
Awards
Active vs Passive Liveness: Why the Old Trade-Off No Longer Holds
Most identity verification systems include a step where the user has to prove they are a real person, not a photo, a video, or a mask. This step is called liveness detection.
There are two main ways to do it. One asks the user to do something: blink, smile, turn the head, follow a moving dot. The other asks for nothing. The user takes a normal selfie and the system decides on its own whether the person is real.
For years, the industry quietly assumed the first method (active liveness) was safer than the second (passive liveness). The thinking was simple. A still photo cannot blink. A video replay cannot follow a random instruction. So if you make the user move, you make life harder for the attacker.
That assumption no longer holds. Here is what changed, and why it matters for any team building an onboarding flow.
What Each Method Looks Like to a User
Active liveness is the version most people have run into. Sign up for a banking app or a crypto exchange and the screen asks you to look at the camera, follow prompts, sometimes read a number out loud. Move the head left. Turn slowly in a circle. Open the mouth.
Passive liveness is invisible. The user takes one selfie. The system makes its decision in the background. The verification either passes or fails. From the user’s side, it feels like an ordinary photo.
Same outcome but with very different user experience.
Why the Industry Defaulted to Active
Three reasons.
The first was simple logic. Make the user move, and attacks that cannot move (photos, screen replays) get caught. So active became the safe default.
The second was lab testing. The hardest independent tests for liveness systems were assumed to need user interaction to pass cleanly. Vendors who cleared the top tiers usually did so with active flows.
The third was perception. Regulators, auditors, even buyers looked for visible signs that the system was checking something. An active flow looks like it’s doing more, even when the underlying detection is no stronger.
The combined effect was that most vendors built around active. Buyers, looking for the most secure option, asked for active. The whole market settled there.
|
Suggested Read: Liveness Detection | An Extra Layer of Protection Against Spoofing and Fraud |
The Cost That Active Carries
Every prompt in an onboarding flow is a moment where some users drop off. They get confused. They do not follow the instructions correctly. They get rejected by the system and do not try again. Drop-off rises with every additional step.
For a fintech, a crypto exchange, or a gaming platform onboarding thousands of users a day, even small drop-off increases turn into real customers lost. The active flow has a price, and that price is paid in lost conversions.
The trade-off the industry made was clear. We accept the drop-off, because security requires it.
What Changed in the Lab
The international standard for liveness testing is ISO/IEC 30107-3. It has three difficulty tiers.
Level 1 covers paper photos and basic masks. Level 2 introduces 3D-printed resin and latex artefacts. Level 3 sits at the top: testers with at least ten previous PAD evaluations build professional silicone, urethane, and resin masks over up to seven days each. The standard allows up to 5% of these attacks to slip through. Most vendors have not reached Level 3 at all.
When passive liveness systems started clearing Level 3 with zero attacks getting through, the older assumption fell apart. The idea that active was needed for top-tier security turned out to be an industry assumption, not a fact.
If a passive system can hold the same line as an active one in the hardest test the industry has, the cost-benefit picture flips. Onboarding teams no longer have to choose between security and conversion. They can have both.
What Buyers Should Ask Now
The right question for a liveness vendor is no longer “active or passive?” It’s two more useful questions:
What level of independent lab testing has your system passed?
What hardware was the test conducted on?
If a vendor has Level 3 conformance with a 0% attack acceptance rate and a 0% rejection rate for genuine users, the active vs passive question becomes a user-experience choice. Not a security one.
How Shufti Busted That Myth With iBeta Level 3 Testing
Shufti’s face verification runs on passive liveness. The user presents a single selfie, the liveness check runs in the background, and the result either passes or fails. No prompts.
In April 2026, Shufti became the first European company to clear iBeta PAD Level 3 with this passive approach. Across 900 attacks tested on Android and iOS, the system did not let a single one through and did not wrongly reject a single genuine user.
For onboarding teams who have been forced to trade conversion against security, the result is a real shift. Book a demo to see Shufti’s passive liveness in action.
