Shufti wins iBeta Level 3 for face liveness on mobiles

SOFIAH NICHOLE SALIVIO

News Editor

Shufti has achieved iBeta Level 3 conformance for passive face liveness detection on iOS and Android, becoming the first European group to reach that level on both mobile platforms with a single-selfie approach.

The London-based identity verification provider was assessed by iBeta Quality Assurance under the ISO/IEC 30107-3 Presentation Attack Detection standard. Testing of its Android SDK v1.9.8 and iOS SDK v1.3.42 found a 0% Attack Presentation Classification Error Rate and a 0% Bona Fide Presentation Classification Error Rate across all tested scenarios.

The result puts Shufti in a competitive part of the biometric security market, where vendors are under pressure to show that facial verification systems can reject spoofing attempts without adding friction for users. Banks, fintech groups, payment firms and public sector services increasingly rely on such checks during digital onboarding and authentication.

Test results

According to Shufti, iBeta used a Google Pixel 4 running Android 12 and an iPhone 12 Pro running iOS 16.6.1, with both devices connected to the same cloud backend. The backend was checksum-verified before and after the assessment to confirm that no changes were made during testing.

Under the Level 3 protocol, one bona fide presentation was alternated with three artefact presentations using silicone, urethane and resin masks until 150 attacks and 50 genuine presentations per species had been completed on each device. In total, the evaluation included 900 presentation attacks and 100 bona fide presentations. The final report recorded no successful spoofing attempts and no false rejections of genuine users, the company said.

Shufti also said it was the only vendor with iBeta Level 3 certification to test on both older and newer iOS and Android device versions, while other vendors had limited testing to newer hardware. That distinction matters because identity checks in commercial use often take place on mainstream consumer handsets rather than the latest flagship models.

Shufti’s liveness system uses a passive, single-selfie method rather than asking users to blink, smile or turn their head. The software is designed to distinguish a real person from attempted impersonation using printed images, replayed video or 3D masks.

Step-by-step progress

Over the past three years, Shufti said it has progressed through iBeta’s presentation attack detection tiers. It first achieved Level 1 conformance against 2D attacks such as printed photographs and replayed images, then moved to Level 2 with broader testing against more advanced 3D mask attacks, before reaching Level 3 across both iOS and Android.

That progression reflects how suppliers in the sector are expected to show repeatable improvements as attack methods evolve. Independent testing has become an important benchmark for clients in regulated industries that need to compare biometric systems against a common standard.

Shufti says it operates in more than 240 countries and supports more than 10,000 document types in over 150 languages. Its wider product line includes face verification, document checks, know-your-customer and anti-money laundering screening, electronic identity verification, video KYC and address verification.

The business is headquartered in London and has offices in the UAE, Singapore, Hong Kong, Cyprus, the United States and the United Kingdom. Its customer base spans sectors where identity checks are closely tied to fraud control, regulatory compliance and customer conversion.

Commenting on the result, Shufti highlighted the use of commonly available handsets during the evaluation.

“We are the first European company to independently achieve iBeta Level 3 conformance on both iOS and Android, with zero errors and no extra steps for the user,” said Shahid Hanif, CEO of Shufti. “What matters beyond the headline is what these results say about how we build. We achieved this on mainstream consumer phones, the same devices people actually use to sign up, not custom hardware engineered for the test. That is the point. And reaching this level so quickly, without bespoke tuning, reflects the quality of our underlying platform.”