Shufti becomes the first European company to achieve iBeta Level 3, compliant across iOS & Android for single-selfie passive liveness with 0% error rate

LONDON, UK — 7 May 2026 — Shufti, a global identity verification and fraud prevention company, today announced that its passive face liveness technology achieves Level 3 Presentation Attack Detection (PAD) conformance under ISO/IEC 30107-3, following independent evaluation by iBeta Quality Assurance, a NIST/NVLAP-accredited biometric testing laboratory.

This milestone makes Shufti the first European company to achieve iBeta Level 3 conformance on both iOS and Android platforms using a fully passive, single-selfie biometric verification approach.

The evaluation confirms that Shufti’s facial liveness detection technology implemented via SDK v1.9.8 (Android) and SDK v1.3.42 (iOS) meets 0% APCER and 0% BPCER across all tested scenarios, with no successful spoofing attempts recorded during the assessment.

Shufti achieved a key distinction as the only vendor holding iBeta Level 3 certification to conduct testing across both older and newer iOS and Android device versions, including a Google Pixel 4 (Android 12) and an iPhone 12 Pro (iOS 16.6.1), while other vendors limited testing to newer device versions only.

Shufti develops identity verification technologies used globally to support secure digital onboarding and authentication across regulated industries. Shufti’s passive face liveness technology is designed to verify real human presence during biometric capture using a single selfie frame, with no prompts to blink, smile, turn the head, or guided interaction.

The system evaluates facial authenticity in real time and is engineered to detect a range of spoofing attempts, including printed imagery, video replay, and 3D mask-based impersonation. That keeps the experience fast for legitimate users while holding the line against advanced presentation attacks.

“We are the first European company to independently achieve iBeta Level 3 conformance on both iOS and Android, with zero errors and no extra steps for the user,” said Shahid Hanif, CEO of Shufti. “What matters beyond the headline is what these results say about how we build. We achieved this on mainstream consumer phones, the same devices people actually use to sign up, not custom hardware engineered for the test. That is the point. And reaching this level so quickly, without bespoke tuning, reflects the quality of our underlying platform.”

This kind of assurance matters most at scale, where identity decisions shape conversion rates, fraud losses, and customer trust.

Inside The iBeta’s Highest Pad Level Evaluation

Testing was conducted by iBeta QA (NIST/NVLAP accredited, Lab Code 200962) from 27 March to 24 April 2026 at its Aurora, Colorado, facility.

iBeta evaluated both the old and updated versions of the Shufti SDK during the assessment. Testing was conducted on Shufti SDK v1.9.8 using a Google Pixel 4 (Android 12) and v1.3.42 using an iPhone 12 Pro (iOS 16.6.1), with both devices connected to the same backend cloud component.

Using iBeta’s Level 3 protocol, the test alternated one bona fide presentation with three artefact presentations across silicone, urethane, and resin masks until 150 attacks and 50 genuine presentations per species were completed on each device.

The evaluation included a total of 900 presentation attacks (450 per device) and 100 bona fide presentations (50 per species). According to iBeta’s final report, no presentation attack achieved a successful liveness classification, and all genuine users were correctly verified.

From Level 1, Advancing Through Level 3

Shufti has demonstrated consistent advancement through successive iBeta PAD conformance levels:

• Level 1 (2024): Conformance achieved against 2D presentation attacks, including printed photographs and screen-based replay attacks
• Level 2 (2025): Extended evaluation coverage to more advanced 3D mask-based presentation attacks
• Level 3 (2026): Achieved the highest PAD conformance level with iBeta QA, validating passive liveness detection across both iOS and Android platforms

This progression reflects continuous enhancement of Shufti’s underlying biometric liveness framework, supporting consistent performance across evolving threat vectors and testing tiers.

iBeta Level 3 Results at a Glance

• Level 3 PAD conformance under ISO/IEC 30107-3, independently validated by iBeta Quality Assurance.
• 0% APCER and 0% BPCER on both Pixel 4 (Android 12) and iPhone 12 Pro (iOS 16.6.1); 0% APNRR and 0% BPNRR.
• 900 presentation attacks resisted in total, 450 per device, 150 per species, across three high-fidelity mask types: silicone, urethane, and resin.
• All 50 bona fide presentations per species were accepted on both devices.
• Fully passive capture: no head turns, no blink prompts, no smile gestures.
• 0% APNRR and 0% BPNRR across all test conditions
• Zero successful spoofing attempts recorded across 900 attacks
• Test crew composed in line with ISO/IEC 19795-5 diversity guidance: 40% female subjects and 30% non-Caucasian subjects, drawn from across age groups.
• Available across cloud, on-premises, and hybrid deployment options.

How This Key Development Is Significant Today?

Identity verification has become a regulated entry point across financial services, fintech, crypto, iGaming, and digital government infrastructure. Frameworks such as MiCA, eIDAS 2.0, FCA Consumer Duty, BaFin Circulars, MAS guidelines, and AUSTRAC Tranche 2 increasingly emphasise both fraud prevention and frictionless onboarding outcomes.

Within this environment, global regulated businesses are required to balance strict identity assurance with seamless user experience. Independent PAD validation at Level 3 provides a standardised benchmark for organizations assessing whether biometric systems meet both requirements under real-world conditions, across devices, lighting environments, and evolving spoofing methods.

This achievement underscores how Shufti’s passive liveness capability continues to strengthen against increasingly complex fraud attempts and across the full range of consumer devices.

It also further complements Shufti’s established compliance framework, which includes ISO 27001:2013, SOC 2 Type II, PCI DSS, GDPR, KJM Age Verification, CCPA, and Cyber Essentials Plus.

To request the full iBeta Level 3 conformance report or to learn more, visit Shufti.

About Shufti

Shufti is a global identity verification company operating under the tagline “Truth in identity.” Headquartered in London, the company has offices in the UAE, Singapore, Hong Kong, Cyprus, the United States, and the United Kingdom. Shufti delivers identity verification across 240+ countries, supporting more than 10,000 document types in 150+ languages. Its product suite includes Face Verification, Document Verification, KYC/AML, eIDV, Video KYC, Address Verification, and Fast ID solutions.

About iBeta Quality Assurance

iBeta Quality Assurance is a software testing laboratory based in Aurora, Colorado, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP, Lab Code 200962) for biometric testing under NIST Handbook 150-25, including conformance testing to ISO/IEC 30107-3.

Media Contact

Aroosa Virk

Brand and Communications Manager

[email protected]