
Biometric authentication is increasingly a primary control for financial, government, and identity workflows. Its security depends on three things being right at once: the sensor, the matching engine, and the liveness or presentation-attack detection layer, which is most often the weak point. We test all three.

Engagements cover passive and active liveness detection, presentation attack detection (PAD) including 2D, video, mask, and morph attacks, the surrounding application flows (enrolment, recovery, step-up), and the fallback paths that frequently revert to weaker authentication when biometrics fail.

What's at stake.

Liveness is where most attacks succeed

Modern face-matching is strong. Liveness detection, the layer that decides whether a real human is present, is where presentation attacks frequently succeed in real testing.

Fallback flows undermine the strong path

When biometrics fail, applications typically revert to weaker authentication. Attackers target the fallback rather than the strong path.

A structured, intelligence-led path through every engagement.

Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.

Scoping

Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.

Execution

Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.

Validation

Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.

Reporting

Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.

Debrief & Retest

Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.

Mapped to recognised baselines.

ISO/IEC 30107 Presentation Attack Detection
NIST FRVT
FIDO Biometric Component Certification
Sector regulator guidance

Test Your Defences Against Adversarial Expertise

Talk to a CREST-accredited consultant about your next penetration testing engagement.