Liveness Detection and Digital Identity in Indonesia: Technical Approaches for Fraud Prevention
Engineering Team
What Is Liveness Detection and Why Does Indonesia Need It?
Liveness detection is a technology that determines whether a biometric sample (such as a facial image) comes from a live, physically present person rather than a spoofing artifact like a printed photograph, a screen replay, a silicone mask, or a deepfake video. In the context of Indonesia’s KOMDIGI Regulation No. 7 of 2026, liveness detection is a mandatory component of all biometric SIM card verification systems.
The stakes are enormous. Indonesia lost an estimated **Rp 7 trillion ($407 million)** to cybercrime in 2025, according to data from the **National Cyber and Crypto Agency (BSSN)**. SIM-swap fraud alone accounted for **Rp 1.2 trillion ($70 million)** of those losses. Without robust liveness detection, a biometric verification system is merely security theater — an attacker can present a high-resolution photo or video of the victim and pass facial recognition checks.
The Threat Landscape: Presentation Attacks
Presentation attacks (also called spoofing attacks) against facial recognition systems fall into several categories, each requiring different detection strategies:
Level 1: Print Attacks
The simplest attack uses a printed photograph of the target person. This is surprisingly effective against basic facial recognition systems that lack liveness detection. The attacker prints a high-resolution photo on glossy paper and holds it in front of the camera.
- Success rate against unprotected systems: 70-85%
- Cost to execute: Under $1 (one printed photo)
- Detection difficulty: Low — texture analysis and reflection detection are effective
Level 2: Screen Replay Attacks
The attacker displays a video or photo of the target on a screen (phone, tablet, or laptop). This is more sophisticated than print attacks because the displayed face has natural color gradation and can show movement if using video.
- Success rate against basic systems: 50-65%
- Cost to execute: Under $50 (any screen device)
- Detection difficulty: Medium — moiré pattern detection and light reflection analysis help
Level 3: 3D Mask Attacks
Custom-made 3D masks (silicone, resin, or 3D-printed) replicate the target’s facial geometry. These are rare due to cost and effort but represent a serious threat for high-value targets.
- Success rate against intermediate systems: 30-45%
- Cost to execute: $200-$2,000 depending on quality
- Detection difficulty: High — requires depth sensing or infrared analysis
Level 4: Deepfake Injection Attacks
The most sophisticated attack involves injecting a deepfake video stream directly into the camera feed, bypassing the physical camera entirely. The attacker uses virtual camera software to substitute the real camera input with a real-time deepfake.
- Success rate against advanced systems: 10-25%
- Cost to execute: $50-$500 (GPU + open-source deepfake tools)
- Detection difficulty: Very high — requires camera attestation and injection detection
Technical Approaches to Liveness Detection
1. Passive Liveness Detection
Passive liveness analyzes a single captured image or short video without requiring the user to perform any specific action. This approach relies on subtle visual cues that distinguish live faces from spoofing artifacts:
- Texture analysis: Live skin has microstructures (pores, fine wrinkles) absent from printed photos or screens
- Color distribution: Skin reflectance differs from paper or screen surfaces in specific spectral bands
- Moiré pattern detection: Screen replay attacks produce characteristic interference patterns
- Edge sharpness: Printed photos have different edge characteristics than live faces
- Depth estimation: Single-image depth estimation using CNNs can distinguish flat presentations from 3D faces
Advantages: Zero friction for users, fast processing (under 500ms), works with any standard camera
Disadvantages: Lower accuracy on high-quality attacks, requires large training datasets for each attack type
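One of the texture cues above can be sketched in a few lines: live skin retains high-frequency micro-detail that printing and screen rendering tend to smooth away, so the energy of a Laplacian filter response is a crude liveness signal. This is a minimal illustration, not a production detector; the threshold and function names are assumptions.

```python
# Minimal passive-liveness sketch: score a grayscale image patch by its
# high-frequency energy, a crude proxy for skin micro-texture. Printed
# photos and screen replays lose fine detail, so a low score suggests a
# spoof. The threshold of 50.0 is illustrative, not from any real SDK.
import random

def laplacian_energy(img):
    """Mean squared response of a 4-neighbour Laplacian kernel."""
    h, w = len(img), len(img[0])
    total, count = 0.0, 0
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            lap = (img[y-1][x] + img[y+1][x] + img[y][x-1] + img[y][x+1]
                   - 4 * img[y][x])
            total += lap * lap
            count += 1
    return total / count

def passive_liveness_score(img, threshold=50.0):
    """Return (score, is_live) under the illustrative threshold."""
    score = laplacian_energy(img)
    return score, score >= threshold

# Toy example: a textured patch vs a perfectly flat (photo-like) patch.
random.seed(0)
textured = [[128 + random.randint(-40, 40) for _ in range(16)] for _ in range(16)]
flat = [[128 for _ in range(16)] for _ in range(16)]

print(passive_liveness_score(textured)[1])  # textured patch passes
print(passive_liveness_score(flat)[1])      # flat patch fails
```

Real passive systems replace this hand-crafted filter with a trained CNN, but the decision structure (per-cue score against a calibrated threshold) is the same.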
2. Active Liveness Detection (Challenge-Response)
Active liveness requires the user to perform specific actions in response to randomly generated challenges:
- Head movement: Turn left, right, up, or down
- Facial expressions: Smile, blink, open mouth
- Gaze tracking: Follow a moving dot on the screen
- Light challenge: The screen flashes specific colors; the system analyzes how light reflects off the face
Advantages: High accuracy (98%+), effective against print and screen attacks
Disadvantages: Higher user friction, slower (3-10 seconds), accessibility concerns for users with motor disabilities
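The challenge-response loop above is easy to outline: the server issues a randomly ordered sequence of actions, and a replayed video cannot match a sequence it has never seen. A minimal sketch, with illustrative action labels and round length:

```python
# Sketch of one active-liveness round: issue a random, non-repeating
# sequence of actions, then check the observed actions match in order.
# The action set and round length are illustrative assumptions.
import random
import hmac

ACTIONS = ("turn_left", "turn_right", "look_up", "blink", "smile", "open_mouth")

def issue_challenge(rng, length=3):
    """Pick a random, non-repeating sequence of actions."""
    return rng.sample(ACTIONS, length)

def verify_response(challenge, observed):
    """Compare the observed action sequence against the challenge."""
    return hmac.compare_digest("|".join(challenge), "|".join(observed))

rng = random.Random(42)
challenge = issue_challenge(rng)
print(challenge)
print(verify_response(challenge, list(challenge)))              # correct sequence
print(verify_response(challenge, ["blink", "smile", "blink"]))  # replay of a stale sequence
```

The randomness is what defeats replay: a pre-recorded video of the victim blinking cannot respond to a fresh "turn left, look up, smile" challenge.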
3. Depth-Based Liveness Detection
Hardware-assisted approaches use specialized sensors to capture 3D geometry:
- Structured light (e.g., Apple Face ID): Projects a pattern of infrared dots and measures distortion to create a 3D depth map
- Time-of-flight (ToF) sensors: Measure the time light takes to bounce off the face, producing a depth image
- Stereo cameras: Two cameras at known separation estimate depth through parallax
Advantages: Extremely high accuracy (99.5%+), effective against 3D masks
Disadvantages: Requires specialized hardware, not available on most budget Android devices common in Indonesia
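The core check these sensors enable is simple: a live face has centimetres of depth relief (nose versus cheeks), while a photo or screen is essentially planar. A toy sketch over a depth map in millimetres, with an assumed relief threshold:

```python
# Depth-based liveness sketch: reject presentations with near-zero
# depth relief. Depth values are millimetres from the sensor; the
# 10 mm minimum-relief threshold is an illustrative assumption, not
# a vendor specification.

def depth_relief_mm(depth_map):
    """Peak-to-peak depth range across the face region."""
    vals = [d for row in depth_map for d in row]
    return max(vals) - min(vals)

def is_live_depth(depth_map, min_relief_mm=10.0):
    return depth_relief_mm(depth_map) >= min_relief_mm

# Toy 3x3 depth maps: a face-like bump vs a flat sheet of paper.
face = [[400, 395, 400],
        [395, 370, 395],   # nose tip ~30 mm closer than the cheeks
        [400, 395, 400]]
sheet = [[400, 400, 400],
         [400, 401, 400],  # sub-millimetre paper warp
         [400, 400, 400]]

print(is_live_depth(face))   # ~30 mm relief
print(is_live_depth(sheet))  # ~1 mm relief
```

Production systems compare the full depth map against a face-shape model rather than a single range statistic, which is what defeats curved prints and, combined with infrared, many 3D masks.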
4. AI-Based Multi-Modal Detection
Modern systems combine multiple detection methods using deep learning ensemble models:
Input Image/Video
      |
      +---> [Texture Analysis CNN] ---------------+
      |                                           |
      +---> [Depth Estimation Network] -----------+
      |                                           |
      +---> [Temporal Analysis LSTM] (for video) -+
      |                                           |
      +---> [Frequency Domain Analysis] ----------+
                                                  |
                                                  v
                                   [Fusion Layer / Ensemble]
                                                  |
                                                  v
                                     Live / Spoof Decision
                                    (with confidence score)
This approach achieves the best results because different attack types leave different artifacts. A print attack is easily caught by texture analysis but might fool depth estimation, while a 3D mask fools texture analysis but fails depth verification with ToF sensors.
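The fusion step can be sketched as a weighted average over per-detector scores. In the example below, a print attack fools the depth estimator but is caught by texture analysis, so the fused score still falls below the liveness threshold. The weights and threshold are illustrative; in practice both are learned from labeled attack data.

```python
# Sketch of late (score-level) fusion for a multi-modal ensemble.
# Each detector emits a liveness score in [0, 1]; a weighted average
# against a decision threshold produces the final verdict. Detector
# names, weights, and the threshold are illustrative assumptions.

def fuse(scores, weights, threshold=0.5):
    """Weighted-average fusion; scores/weights are keyed by detector name."""
    total_w = sum(weights[k] for k in scores)
    fused = sum(scores[k] * weights[k] for k in scores) / total_w
    return fused, fused >= threshold

weights = {"texture": 0.3, "depth": 0.3, "temporal": 0.2, "frequency": 0.2}

# A print attack: depth estimation is fooled (0.60), but texture
# analysis flags the missing skin microstructure (0.05).
print_attack = {"texture": 0.05, "depth": 0.60, "temporal": 0.40, "frequency": 0.30}
fused, live = fuse(print_attack, weights)
print(round(fused, 3), live)
```

A learned fusion layer (e.g. a small MLP over the score vector) generalizes this, since the optimal weighting differs per attack type.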
ISO Standards for Liveness Detection
Indonesia’s KOMDIGI regulation references two critical international standards:
ISO/IEC 30107: Biometric Presentation Attack Detection (PAD)
This three-part standard defines the framework for evaluating liveness detection systems:
- Part 1 (Framework): Defines terminology, attack categories, and the PAD subsystem concept
- Part 2 (Data formats): Specifies how PAD data should be recorded and exchanged
- Part 3 (Testing and reporting): Defines evaluation methodology and metrics
Key metrics from ISO/IEC 30107-3:
| Metric | Definition | KOMDIGI Requirement |
|---|---|---|
| APCER (Attack Presentation Classification Error Rate) | Rate at which attack presentations are incorrectly classified as bona fide | < 5% |
| BPCER (Bona Fide Presentation Classification Error Rate) | Rate at which genuine presentations are incorrectly classified as attacks | < 10% |
| ACER (Average Classification Error Rate) | Average of APCER and BPCER | < 7.5% |
For KOMDIGI certification, vendors must achieve ISO/IEC 30107-3 Level 2 or higher, meaning testing must include at least print attacks, screen replay attacks, and 3D mask attacks using a standardized test protocol.
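The three metrics in the table reduce to simple ratios over test counts. A quick sketch using made-up test-lab numbers, checked against the limits cited above (note that ISO/IEC 30107-3 actually reports APCER per attack-instrument species; a single pooled rate is a simplification):

```python
# Computing APCER, BPCER, and ACER from raw evaluation counts. The
# counts below are invented test-lab numbers used only to exercise
# the formulas; the thresholds mirror the limits in the table above.

def pad_metrics(attacks_total, attacks_passed, bonafide_total, bonafide_rejected):
    apcer = attacks_passed / attacks_total       # attacks wrongly accepted as live
    bpcer = bonafide_rejected / bonafide_total   # genuine users wrongly rejected
    acer = (apcer + bpcer) / 2
    return apcer, bpcer, acer

apcer, bpcer, acer = pad_metrics(
    attacks_total=1000, attacks_passed=30,       # 30 spoofs slipped through
    bonafide_total=2000, bonafide_rejected=120,  # 120 real users rejected
)
print(f"APCER={apcer:.1%} BPCER={bpcer:.1%} ACER={acer:.1%}")
print(apcer < 0.05 and bpcer < 0.10 and acer < 0.075)  # within all three limits?
```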
ISO/IEC 24745: Biometric Template Protection
This standard specifies requirements for protecting biometric templates during storage and transmission:
- Irreversibility: It must be computationally infeasible to reconstruct the original biometric sample from the stored template
- Unlinkability: Templates from the same biometric source stored in different systems must not be linkable
- Renewability: Compromised templates can be revoked and replaced without re-enrollment
Techniques specified include:
- Cancelable biometrics: Apply a non-invertible transformation to the template before storage
- Biometric cryptosystems: Use fuzzy commitment or fuzzy vault schemes to bind templates to cryptographic keys
- Homomorphic encryption: Perform matching operations on encrypted templates without decryption
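The cancelable-biometrics idea can be illustrated with a keyed random projection: the template vector is multiplied by a user- and operator-specific pseudo-random matrix before storage, so revocation just means issuing a new key. This is a textbook sketch under assumed key names, not a certified ISO/IEC 24745 scheme.

```python
# Cancelable biometrics via keyed random projection: a non-invertible,
# dimension-reducing transform applied before storage. Different keys
# yield unlinkable stored templates; the same key is reproducible so
# matching still works. Key strings are hypothetical placeholders.
import random

def projection_matrix(key, in_dim, out_dim):
    """Deterministic pseudo-random matrix derived from a revocable key."""
    rng = random.Random(key)
    return [[rng.gauss(0, 1) for _ in range(in_dim)] for _ in range(out_dim)]

def transform(template, key, out_dim=4):
    mat = projection_matrix(key, len(template), out_dim)
    return [sum(m * t for m, t in zip(row, template)) for row in mat]

template = [0.2, -0.5, 0.9, 0.1, -0.3, 0.7, 0.4, -0.1]  # toy feature vector

stored_a = transform(template, key="operator-A:user-123")
stored_b = transform(template, key="operator-B:user-123")

# Unlinkability: same biometric, different keys -> different templates.
print(stored_a != stored_b)
# Renewability + matching: same key reproduces the same stored form.
print(transform(template, key="operator-A:user-123") == stored_a)
```

Because the projection maps 8 dimensions down to 4, many input vectors share each output, which is what makes exact reconstruction of the original template infeasible (irreversibility). Production schemes use cryptographically derived matrices rather than `random.Random`.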
Architecture Patterns for Liveness Detection Systems
Pattern 1: Edge-First Architecture
Liveness detection runs entirely on the user’s device, with only the verification result and encrypted template sent to the server:
[Mobile Device]
  Camera -> Liveness SDK -> Template Extraction
       |                          |
       v                          v
   Pass/Fail             Encrypted Template
       |                          |
       +------------+-------------+
                    |
                    v
            [Operator Server]
                    |
                    v
            [IKD Verification]
Best for: High-volume consumer applications, low-bandwidth environments
Trade-offs: Device integrity must be verified; SDK can be tampered with on rooted devices
Pattern 2: Server-Side Architecture
All biometric processing occurs on the server. The device only captures and transmits the raw image:
[Mobile Device]
  Camera -> Encrypted Image Upload
                |
                v
[Operator Server]
  Liveness Detection -> Template Extraction
                |
                v
[IKD Verification]
Best for: Highest security requirements, controlled environments (kiosks)
Trade-offs: Higher bandwidth usage, latency-sensitive, requires strong encryption in transit
Pattern 3: Hybrid Architecture (Recommended)
Liveness detection runs on-device for immediate feedback, while server-side validation provides a second layer of assurance:
[Mobile Device]
  Camera -> On-Device Liveness (fast feedback)
       |                |
       v                v
  Encrypted Image + Liveness Score
                |
                v
[Operator Server]
  Server Liveness Validation -> Template Extraction
                |
                v
[IKD Verification]
Best for: KOMDIGI compliance — meets both user experience and security requirements
Trade-offs: More complex to implement, requires SDK on device plus server infrastructure
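The server-side half of the hybrid pattern boils down to a two-layer decision: the on-device score drives fast local feedback, while the server score is authoritative and can override a fooled device. A minimal sketch; the thresholds and return labels are illustrative assumptions, not values from the regulation.

```python
# Sketch of the hybrid pattern's decision logic: both layers must
# agree the sample is live before the flow proceeds to IKD
# verification. Thresholds and labels are illustrative.

DEVICE_THRESHOLD = 0.7   # lenient: cheap, immediate user feedback
SERVER_THRESHOLD = 0.9   # strict: authoritative second layer

def hybrid_decision(device_score, server_score):
    if device_score < DEVICE_THRESHOLD:
        return "retry_on_device"     # fail fast, no upload round-trip needed
    if server_score < SERVER_THRESHOLD:
        return "reject"              # server validation overrides the device
    return "proceed_to_ikd"          # continue to IKD verification

print(hybrid_decision(0.95, 0.97))  # both layers pass
print(hybrid_decision(0.95, 0.80))  # tampered/fooled device, server catches it
print(hybrid_decision(0.40, 0.97))  # user guided to retry locally
```

Keeping the device threshold looser than the server's is a deliberate choice: it preserves the user-experience benefit of instant feedback while ensuring a rooted device with a tampered SDK cannot single-handedly pass verification.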
Open-Source vs Commercial Solutions
| Feature | Open-Source (e.g., Silent Liveness, MiniFASNet) | Commercial (e.g., FaceTec, iProov, Jumio) |
|---|---|---|
| Cost | Free (MIT/Apache license) | $0.05-$0.50 per verification |
| Accuracy (APCER) | 5-15% (varies by implementation) | 0.5-3% (NIST FRVT tested) |
| ISO 30107-3 Certified | No (must self-certify) | Yes (most major vendors) |
| KOMDIGI Pre-Certified | No | Select vendors (pending final list) |
| Deepfake Detection | Limited | Advanced (injection attack detection) |
| On-Device SDK | Android only (most) | iOS + Android + Web |
| Support & SLA | Community only | 24/7 enterprise support |
| Customization | Full source access | Limited API configuration |
| Deployment | Self-hosted | Cloud or on-premise options |
| Time to Integrate | 2-4 weeks | 1-2 weeks (with SDK) |
For KOMDIGI compliance, most operators will choose commercial solutions due to the certification requirement. However, open-source components can be valuable for:
- Building internal testing and validation tools
- Pre-screening before server-side commercial verification
- Research and development of custom detection algorithms
Implementation Considerations for Indonesia
Device Ecosystem
Indonesia’s mobile market is dominated by budget Android devices (Xiaomi, Oppo, Samsung A-series). Key constraints:
- Camera quality: Many devices have 8-13 MP front cameras with limited dynamic range
- Processing power: Snapdragon 600-series or MediaTek Helio processors with limited NPU capabilities
- Storage: 32-64 GB internal storage limits on-device model sizes
- Network: 4G coverage is strong in Java and Sumatra but spotty in eastern Indonesia
Liveness detection models must be optimized for these constraints — targeting under 50 MB model size and under 500ms inference time on mid-range devices.
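Those two numbers make a convenient pre-deployment gate. A trivial sketch of such a budget check; the measured values below are stand-ins for real profiling output, and checking p95 latency rather than the mean is an assumption about how the budget would be enforced:

```python
# Budget gate for on-device models against the targets above:
# under 50 MB on disk, under 500 ms inference on mid-range hardware.
# The "measured" numbers are illustrative stand-ins, not benchmarks.

BUDGET = {"model_mb": 50, "latency_ms": 500}

def fits_budget(model_mb, p95_latency_ms):
    """Gate on p95 latency (worst-typical case), not the average."""
    return (model_mb <= BUDGET["model_mb"]
            and p95_latency_ms <= BUDGET["latency_ms"])

print(fits_budget(model_mb=18, p95_latency_ms=320))  # quantized mobile model
print(fits_budget(model_mb=95, p95_latency_ms=700))  # server-class model, too heavy
```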
Environmental Factors
Indonesia’s tropical climate and diverse population create unique challenges:
- Lighting: Outdoor registration points face harsh tropical sunlight with strong shadows
- Skin tone diversity: Training data must represent Indonesia’s diverse skin tones (Fitzpatrick types III-VI)
- Head coverings: Models must accommodate hijab, kopiah, and other religious/cultural head coverings without bias
- Age range: Indonesia’s population skews young (median age 30.2) but verification must work for all ages
Frequently Asked Questions
What is the difference between liveness detection and facial recognition?
Facial recognition determines who a person is by comparing their facial features against a database. Liveness detection determines whether the biometric sample comes from a real, physically present person. They are complementary technologies — facial recognition without liveness detection is vulnerable to spoofing attacks using photos or videos of the target person.
How accurate does liveness detection need to be for KOMDIGI compliance?
Systems must achieve an Attack Presentation Classification Error Rate (APCER) below 5% and a Bona Fide Presentation Classification Error Rate (BPCER) below 10% across at least three attack types (print, screen replay, 3D mask). This must be validated through testing conformant to ISO/IEC 30107-3 Level 2.
Can liveness detection work offline?
The liveness detection component itself can work offline on-device. However, the identity verification step (matching against the IKD database) always requires a network connection. For areas with poor connectivity, the regulation allows a store-and-forward model where the capture and liveness check happen offline, and the IKD verification is queued for when connectivity is restored (within a 24-hour window).
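The store-and-forward model described above is essentially a queue with an expiry rule. A minimal sketch, where the field names and the truncated NIK placeholders are hypothetical:

```python
# Store-and-forward sketch: liveness passed offline, so the capture is
# queued; when connectivity returns, items inside the 24-hour window
# are sent to IKD and older items are expired for re-capture. Field
# names and the NIK placeholders are illustrative.
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)

def drain_queue(queue, now, send):
    """Send queued verifications still inside the window; expire the rest."""
    sent, expired = [], []
    for item in queue:
        if now - item["captured_at"] <= WINDOW:
            send(item)
            sent.append(item["nik"])
        else:
            expired.append(item["nik"])  # must be re-captured on site
    return sent, expired

now = datetime(2026, 1, 2, 12, 0, tzinfo=timezone.utc)
queue = [
    {"nik": "3171...0001", "captured_at": now - timedelta(hours=5)},
    {"nik": "3171...0002", "captured_at": now - timedelta(hours=30)},
]
sent, expired = drain_queue(queue, now, send=lambda item: None)
print(sent, expired)
```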
How does liveness detection handle identical twins?
Liveness detection does not address the identical twin problem — that is the domain of facial recognition accuracy. However, the 1:1 verification model (comparing the captured face against a specific NIK record) means the system only needs to confirm whether the person matches their own registered identity, not distinguish between arbitrary pairs. Identical twins would have different NIK numbers and thus be verified separately.
What happens if liveness detection fails for a legitimate user?
If a legitimate user fails liveness detection, operators must provide up to 3 retry attempts with guidance (adjust lighting, remove sunglasses, face the camera directly). If all retries fail, the user is directed to a physical service center for assisted verification. The regulation requires operators to maintain sufficient service centers to handle an estimated 2-3% fallback rate.
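That retry flow maps directly to a small loop. A sketch with illustrative guidance strings and a stand-in `attempt` callable for the actual liveness check:

```python
# Retry flow sketch: up to 3 attempts with escalating guidance, then
# fallback to assisted verification at a service center. The guidance
# messages and the attempt() callable are illustrative.

GUIDANCE = [
    "Adjust lighting and try again",
    "Remove sunglasses or anything covering the face",
    "Face the camera directly and hold still",
]
MAX_RETRIES = 3

def verify_with_retries(attempt):
    """attempt() returns True when liveness passes."""
    for i in range(MAX_RETRIES):
        if attempt():
            return "verified"
        print(f"Attempt {i + 1} failed: {GUIDANCE[i]}")
    return "refer_to_service_center"

# A user who passes on the second try:
results = iter([False, True])
print(verify_with_retries(lambda: next(results)))
```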
Are deepfake attacks a realistic threat in Indonesia?
Yes, and increasingly so. The cost of generating convincing deepfakes has dropped dramatically — open-source tools like DeepFaceLab and FaceSwap run on consumer GPUs costing under $500. Indonesia has seen a 340% increase in deepfake-related fraud attempts between 2024 and 2025 according to BSSN data. This is why KOMDIGI requires injection attack detection in addition to traditional presentation attack detection.
How much does implementing a compliant liveness detection system cost?
For a medium-sized MVNO (Mobile Virtual Network Operator), typical costs include: biometric SDK license ($0.10-$0.30 per verification), IKD integration development ($50,000-$100,000), infrastructure and hosting ($5,000-$15,000/month), and KOMDIGI certification testing ($20,000-$50,000). Total first-year cost ranges from $200,000 to $500,000 depending on verification volume and architecture choices.