Facial liveness detection AI · Identity document scan verification AI · Age estimation and age-gate AI · Biometric KYC admission AI

Prompt injection in biometric identity verification AI

Biometric identity verification AI has become the operational backbone for onboarding fraud prevention at financial institutions, government benefits portals, gig-economy platforms, and age-restricted services — processing facial liveness detection image captures designed to distinguish live human faces from printed photos, digital displays, and three-dimensional masks, identity document scan images of passports, national identity cards, driver's licences, and residence permits through AI-assisted document authenticity classification and OCR-based field extraction, facial age-estimation image captures determining whether a user's physiological age meets the platform's age-gating threshold for age-restricted content or services, and biometric probe images submitted through identity verification APIs used to generate and compare facial embedding vectors against enrolled biometric template stores — concentrating Illinois Biometric Information Privacy Act (BIPA) 740 ILCS 14/ private-right-of-action liability which has produced class action settlements exceeding $650 million against Facebook (2021), $92 million against TikTok (2022), and $75 million against BNSF Railway (2022) for biometric data collection, retention, and disclosure without compliant written consent and retention schedules, and which provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation with no cap on class damages — applicable to biometric identity verification AI systems processing facial images for Jumio AI serving 1,000 or more clients across banking (Deutsche Bank, HSBC, Capital One), cryptocurrency (Binance, Coinbase, Crypto.com), and telecommunications (T-Mobile, Vodafone) with reported processing of 150 million or more identity verifications per year; Onfido AI serving 1,000 or more clients including Revolut, Bitstamp, and Zipcar, acquired by Entrust in 2023 and processing over 1 billion identity verifications since founding; Socure AI serving 1,000 or more clients including JPMorgan Chase, U.S. Bank, Chime, and SoFi with reported identity decisioning accuracy exceeding 97%; IDme AI serving 100 million or more enrolled Americans across 20 or more federal agencies including the IRS, Veterans Administration, and Social Security Administration, and 30 or more state governments for unemployment benefits, professional licences, and tax authority access; and Veriff AI serving 10,000 or more clients across 200 or more countries for gig-economy worker identity verification (Bolt, Pipedrive, Wise, Paysend) — and EU AI Act Article 5 prohibited AI practice provisions establishing that AI systems deploying real-time remote biometric identification in publicly accessible spaces, biometric categorization systems inferring sensitive characteristics from biometric data, and AI systems creating or expanding biometric databases through untargeted scraping of facial images from the internet or closed-circuit television footage are prohibited, with fines up to €30 million or 6% of total worldwide annual turnover for violations; GDPR Article 9 special-category biometric data processing prohibition applicable to biometric identity verification AI processing EU persons' facial images for the purpose of uniquely identifying them as natural persons — requiring explicit consent under Article 9(2)(a), substantial public interest under Article 9(2)(g), or employment and social protection law basis under Article 9(2)(b) with penalties up to €20 million or 4% of worldwide annual turnover; California Consumer Privacy Act (CCPA) as amended by the CPRA designating biometric information as sensitive personal information under §1798.140(ae)(1)(H) subject to opt-out rights and requiring disclosure of biometric data collection in privacy notices; Children's Online Privacy Protection Act (COPPA) 16 CFR Part 312 prohibiting collection of personal information including biometric data from children under thirteen without verifiable parental consent; and Bank Secrecy Act §5318(l) customer identification programme (CIP) requirements applicable to covered financial institutions using AI identity verification to satisfy CIP customer identity obligations — in AI systems that process facial liveness detection captures, identity document scan images, age-estimation facial captures, and biometric probe images at identity verification platform volumes that make individual human reviewer re-examination of every AI-processed biometric decision before the AI classification governs onboarding admission, age-gate access, benefits eligibility, or KYC CIP compliance impracticable for large-scale biometric identity verification operations.

TL;DR

Biometric identity verification AI platforms — Jumio AI, Onfido AI, Socure AI, IDme AI, Veriff AI — process facial liveness detection captures, passport and driver's licence document scan images, age-estimation facial images, and biometric probe images through AI-assisted onboarding admission, document authenticity verification, age-gate determination, and KYC CIP compliance pipelines. Adversarially crafted images can cause liveness AI to classify a printed photo or deepfake mask as a live face under BIPA §15, suppress document security feature detection under BSA §5318 CIP requirements, misclassify underage facial age estimates as adult under COPPA §312.3, and corrupt biometric embedding vector comparisons under GDPR Article 9 — at thresholds of 60 for liveness detection, 65 for document scan verification, 55 for age-gate estimation, and 70 for biometric probe image injection. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in biometric identity verification AI

1. Facial liveness detection bypass injection (BIPA 740 ILCS 14/15, EU AI Act Article 5, CCPA §1798.140)

Facial liveness detection AI processes high-resolution facial image captures from onboarding camera sessions displaying user facial geometry including skin texture, depth-of-field defocus blur consistent with a three-dimensional object at a plausible distance from the camera lens, natural facial movement micro-expression frames captured across a two-to-ten second session window, ambient specular reflection patterns on the facial skin surface consistent with natural lighting on a three-dimensional face rather than a flat photograph or digital display, and anti-spoofing challenge-response frames requesting specific facial actions including head turns, eye blinks, and smile gestures — from Jumio AI at 1,000 or more clients processing 150 million or more identity verifications per year through Jumio Go liveness detection and Jumio Biometric Face Match AI processing onboarding camera session images through AI-assisted liveness classification, spoofing detection, and biometric template enrollment tools for financial institution (Deutsche Bank, HSBC, Capital One), cryptocurrency exchange (Binance, Coinbase), and telecommunications carrier (T-Mobile, Vodafone) KYC and CIP compliance; Onfido AI at Entrust processing 1 billion or more identity verifications since founding through Onfido Motion liveness detection and Onfido Face Capture AI processing onboarding facial capture images through AI-assisted liveness classification and biometric enrollment for financial services (Revolut, Bitstamp), mobility (Zipcar), and regulated industry KYC compliance; and Veriff AI at 10,000 or more clients across 200 or more countries processing facial liveness capture images through Veriff Biometric Authentication and Veriff Liveness Detection AI for gig-economy worker identity verification (Bolt, Pipedrive, Wise) — extracting liveness confidence scores, spoofing attack type classifications, biometric template enrollment authorisations, and KYC CIP identity match determinations from facial liveness detection capture image inputs in AI-assisted onboarding pipelines.

The adversarial injection surface is the facial liveness detection capture image submission pathway: Jumio AI, Onfido AI, or Veriff AI onboarding session facial capture frames submitted through AI-assisted liveness detection and biometric enrollment tools for AI liveness classification record generation and KYC CIP compliance documentation filing. An adversarially crafted liveness detection capture image — in which pixel perturbations applied to the facial skin texture region, the periocular specular reflection pattern display, the depth-of-field defocus gradient display, or the challenge-response micro-expression frame sequence cause the AI to classify a high-quality printed photograph, a digital display showing a pre-recorded video of a different person's face, or a three-dimensional silicone mask as a live human face meeting the platform's liveness confidence threshold — can suppress a spoofing attempt indicator that would otherwise generate a liveness failure event, an onboarding rejection notification, a fraud alert escalation, or a BSA §5318 CIP identity verification failure record. In financial institution and cryptocurrency exchange onboarding platforms where Jumio AI or Onfido AI processes liveness detection captures through AI-assisted KYC and CIP compliance without individual human reviewer re-examination of every AI-processed liveness decision before the AI classification governs account opening admission and transaction limit assignment, adversarial bypass of liveness detection creates BIPA 740 ILCS 14/15(b) biometric data collection consent, EU AI Act Article 5 prohibited AI practice, CCPA §1798.140(ae)(1)(H) biometric sensitive personal information, and BSA §5318(l) CIP identity verification accuracy dimensions.

The BIPA 740 ILCS 14/15, EU AI Act Article 5, CCPA §1798.140, and BSA §5318 regulatory consequences of adversarially bypassed liveness detection classification span Illinois Biometric Information Privacy Act 740 ILCS 14/15(b) requirements establishing that private entities may not collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifier or biometric information unless the entity first informs the subject in writing of the purpose and length of collection and obtains a written release from the subject — adversarial bypass of liveness detection enabling onboarding of a fraudulent identity using a stolen photograph or deepfake creates the biometric data of the legitimate identity holder having been used without their consent in the platform's BIPA-covered biometric verification process, generating BIPA §15(b) private right of action with statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation and class certification potential; EU AI Act Article 5(1)(a) prohibition on AI systems that deploy subliminal techniques beyond a person's consciousness that materially distort a person's behaviour in a manner that causes or is likely to cause that person or another person physical or psychological harm — liveness AI bypass enabling fraudulent onboarding impersonation creates Article 5 prohibited practice dimensions for EU-market biometric identity verification platforms; CCPA as amended by CPRA §1798.140(ae)(1)(H) designation of biometric information as sensitive personal information requiring business-purpose opt-out rights and privacy notice disclosure of biometric data collection practices — adversarially enabled fraudulent biometric enrollment creates CCPA sensitive personal information compliance dimensions for California-resident onboarding pipelines; and BSA §5318(l) customer identification programme requirements establishing that covered financial institutions must implement CIP procedures to verify the identity of each customer to the extent reasonable and practicable before opening an account — adversarially bypassed liveness detection enabling synthetic identity onboarding creates BSA CIP identity verification failure and OCC Model Risk Guidance SR 11-7 model accuracy dimensions. Threshold: 60 for facial liveness detection bypass injection — reflecting BIPA 740 ILCS 14/15(b) biometric collection consent, EU AI Act Article 5 prohibited practice, CCPA §1798.140 sensitive personal information, and BSA §5318(l) CIP identity verification accuracy dimensions.

2. Identity document scan injection (BSA §5318, FCRA §1681c, FATF Recommendation 10)

Identity document scan AI processes passport biographical data page scan images displaying machine-readable zone (MRZ) two-line or three-line printed character strings encoding document type, issuing country, document number, date of birth, date of expiry, and nationality in ICAO 9303 Part 4 standardised format with AI-readable check digit computation verification, driver's licence scan images displaying issuing authority name, licence number, date of birth, and expiration date in AAMVA DL/ID Card Design Standard barcode and visual inspection zone format, national identity card scan images displaying biographic data fields and AI-scannable security feature overlays including holographic laminate, UV-fluorescent ghost image, and laser-engraved personalisation, and residence permit and visa document scan images displaying biometric data page security features from Jumio AI processing 150 million or more identity document scans per year for banking, cryptocurrency, and telecommunications KYC through Jumio Document Verification AI and Jumio KYX Platform classification tools; Socure AI at 1,000 or more clients including JPMorgan Chase, U.S. Bank, Chime, and SoFi processing identity document scan images through Socure DocV (Document Verification) AI for government-issued ID authenticity classification, MRZ field extraction, and CIP identity match determination; and IDme AI at 100 million or more enrolled Americans across 20 or more federal agencies and 30 or more state governments processing driver's licence and passport scan images through IDme Identity Gateway document verification AI for IRS e-authentication (OMB Memo M-04-04 LOA2/LOA3 compliance), VA benefits access verification, and state unemployment insurance identity verification — extracting document authenticity determinations, biographic field OCR classifications, document security feature validation outcomes, and CIP identity match confirmations from identity document scan image inputs in AI-assisted KYC and CIP compliance pipelines.

The adversarial injection surface is the passport biographical data page scan image, driver's licence scan image, or national identity card scan image submission pathway: Jumio AI, Socure AI, or IDme AI identity document scan images submitted through AI-assisted document verification and KYC CIP compliance tools for AI authenticity determination record generation and identity verification compliance documentation filing. An adversarially crafted passport biographical data page scan image — in which pixel perturbations applied to the MRZ character string display region, the document number field rendering, the date of birth YYMMDD display, the check digit numeral display, or the ICAO 9303 biometric data page security feature overlay cause the AI to classify a fraudulently altered passport scan with a modified date of birth or document number as an authentic, unaltered ICAO 9303-compliant document passing AI document security verification — can suppress a document tampering indicator that would otherwise generate a KYC CIP identity verification failure event, an onboarding rejection notification, a suspicious activity report consideration, or a FinCEN currency transaction and identity reporting record. In financial institution and federal agency identity verification platforms where Socure AI or IDme AI processes identity document scan images without individual fraud investigator review of every AI-processed document before the AI determination governs CIP identity match and account opening, adversarial suppression of document tampering indicators creates BSA §5318 CIP identity verification, FCRA §1681c accuracy and completeness, FATF Recommendation 10 customer due diligence, and FinCEN 31 CFR §1020.220 CIP programme compliance dimensions.

The BSA §5318, FCRA §1681c, FATF Recommendation 10, and FinCEN CIP regulatory consequences of adversarially corrupted identity document scan classification span Bank Secrecy Act §5318(l) and implementing FinCEN 31 CFR §1020.220 CIP requirements establishing that covered financial institutions must implement written CIP procedures for identity verification including collection of identifying information (name, date of birth, address, identification number), verification procedures for individuals relying on documentary methods including review of unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, and recordkeeping of identifying information for five years after account closure — adversarially corrupted AI identity document scan classification that misses altered dates of birth or fabricated document numbers enables fraudulent CIP identity verification failures that BSA and FinCEN CIP regulations are designed to prevent; Fair Credit Reporting Act §1681c accuracy and completeness requirements applicable to consumer reporting agencies and AI-assisted identity verification systems that generate consumer identity reports used in credit, employment, and government benefit eligibility decisions — adversarially corrupted AI document scan classification that generates inaccurate identity match determinations creates FCRA §1681c accuracy dimension violations; FATF Recommendation 10 customer due diligence requirements establishing that financial institutions should identify and verify the identity of customers on the basis of documents, data, or information obtained from a reliable and independent source — adversarially bypassed AI document verification that allows fraudulent identity documents to satisfy the FATF Recommendation 10 reliable and independent source standard creates financial crime compliance dimensions. Threshold: 65 for identity document scan injection — reflecting BSA §5318(l) CIP identity verification accuracy, FCRA §1681c consumer report accuracy, FATF Recommendation 10 customer due diligence, and FinCEN 31 CFR §1020.220 CIP programme dimensions.

3. Age verification bypass via facial age estimation injection (COPPA 16 CFR Part 312, UK Age Appropriate Design Code, KOSA)

Age verification and age-gate AI processes facial image captures from new-user onboarding and age-restricted content access sessions displaying user facial geometry including periocular region wrinkle pattern density, nasolabial fold depth and length, skin texture granularity, forehead and glabellar furrow display, and overall facial proportionality characteristics used by AI age-estimation classifiers to predict user chronological age within a confidence interval for comparison against platform-configured age-gate thresholds — from Yoti AI (used by the UK government DCMS for online age verification, 15 million or more age estimation processes per year), Veriff AI Age Estimation at 10,000 or more clients for age-restricted service platforms (alcohol delivery, online gaming, adult content, pharmaceutical services), and Onfido Age Estimation at financial services, gambling, and age-restricted retail platforms across the EU and UK; and from IDme AI processing age verification for federal agency benefits portals that restrict access to age-qualified beneficiaries including Social Security retirement benefit access verification and Medicare eligibility confirmation — extracting estimated age classification, age-gate pass or fail determination, and regulatory age verification compliance record from facial age-estimation image inputs in AI-assisted age-restricted service access control pipelines at platform volumes that make individual human reviewer re-examination of every AI age-estimation decision impracticable before the AI classification governs access to age-restricted content or services.

The adversarial injection surface is the facial age-estimation image capture submission pathway: Yoti AI, Veriff AI, or Onfido AI age-estimation facial image captures submitted through AI-assisted age-gate determination and age-restricted service access control tools for AI age classification record generation and age verification compliance documentation filing. An adversarially crafted facial age-estimation image — in which pixel perturbations applied to the periocular wrinkle display region, the nasolabial fold depth indicator features, the skin texture granularity display, or the forehead furrow pattern cause the AI to classify a user whose facial physiological characteristics indicate an age below the platform's age-gate threshold — who would otherwise be denied access to age-restricted alcohol delivery, online gambling, adult content, or age-gated pharmaceutical services — as meeting the platform's age-gate classification threshold, producing a pass determination for a user who may be a minor — can suppress an underage user indicator that would otherwise generate an age-gate failure event, an access denial notification, a parental consent requirement trigger, or a COPPA-compliant data processing hold. In online platforms where Veriff AI Age Estimation or Yoti AI processes age-estimation facial captures without individual reviewer re-examination of every age-gate determination before the AI classification governs access to age-restricted content and data collection, adversarial bypass of age-gate classification creates COPPA 16 CFR §312.3 collection without verifiable parental consent, UK Age Appropriate Design Code (Children's Code) Ofcom standard 7 (age assurance), UK Online Safety Act §11 (child user protection obligations), and Kids Online Safety Act (KOSA) proposed content restriction compliance dimensions.

The COPPA 16 CFR Part 312, UK Age Appropriate Design Code, UK Online Safety Act, and KOSA regulatory consequences of adversarially bypassed age-gate classification span Children's Online Privacy Protection Act Rule 16 CFR §312.3 requirements establishing that operators of websites or online services directed to children under thirteen, or operators with actual knowledge that they are collecting personal information from children under thirteen, must obtain verifiable parental consent before collecting, using, or disclosing personal information from children — adversarially bypassed AI age-gate classification that allows a minor to obtain an age-pass determination enables collection and processing of the minor's personal information without verifiable parental consent in violation of COPPA §312.3, creating FTC Act §5 enforcement exposure with civil penalties up to $51,744 per violation; UK Age Appropriate Design Code (Information Commissioner's Office Children's Code) Standard 7 (age assurance) requirement establishing that online services should apply the code's protections to all users who are likely to be children, with age assurance mechanisms proportionate to the data processing risk, and should not use age assurance methods that are likely to be bypassed by children — adversarial bypass of AI age-estimation mechanisms creates Children's Code Standard 7 compliance failure with ICO enforcement authority; UK Online Safety Act §11 obligations for Category 1 services to implement user empowerment tools to protect children from harmful content — adversarially bypassed age verification enabling child access to regulated content creates Ofcom enforcement dimensions with potential service access restriction powers. Threshold: 55 for age verification bypass via facial age estimation injection — reflecting COPPA 16 CFR §312.3 parental consent, UK Age Appropriate Design Code Standard 7 age assurance, UK Online Safety Act §11 child protection obligation, and KOSA content restriction compliance dimensions.

4. Biometric re-identification probe injection (EU GDPR Article 9, EU AI Act Article 5(b), BIPA §15(c))

Biometric probe image AI processes facial image submissions through identity verification API endpoints used by enterprise identity verification platform clients to generate facial embedding vectors for comparison against enrolled biometric template stores maintained in platform-side or client-side biometric database systems — from Socure AI DocV and Socure Sigma Identity Plus at JPMorgan Chase, U.S. Bank, Chime, and SoFi processing biometric probe images through AI-generated facial embedding vector comparison tools for returning-customer identity match, high-value transaction re-authentication, and account takeover fraud prevention; IDme AI processing biometric probe images through IDme Wallet biometric re-authentication tools for returning federal agency portal user identity verification, IRS account re-authentication, VA MyHealtheVet re-authentication, and state government portal session re-verification; and Jumio KYX Platform processing biometric probe images through Jumio Biometric Face Match AI for returning-customer step-up authentication and regulated-industry account access verification at banking, cryptocurrency exchange, and telecommunications carrier client platforms — extracting biometric similarity scores, identity match confidence determinations, step-up authentication pass or fail outcomes, and biometric re-identification compliance records from biometric probe image inputs in AI-assisted returning-user identity verification and account takeover fraud prevention pipelines.

The adversarial injection surface is the biometric probe image submission pathway through identity verification API endpoints: Socure AI, IDme AI, or Jumio AI biometric probe images submitted through AI-assisted biometric face match and step-up authentication tools for AI identity match determination record generation and returning-user authentication compliance documentation filing. An adversarially crafted biometric probe image — in which pixel perturbations applied to the facial geometry display region, the periocular landmark position indicators, the facial embedding vector generation input features, or the biometric template comparison normalisation space cause the AI to generate an embedding vector that produces a high cosine-similarity match score against a target enrolled biometric template without the probe image being a genuine capture of the enrolled template subject — enabling identity match confirmation for a user who is not the enrolled identity template holder — can suppress an identity mismatch indicator that would otherwise generate an authentication failure event, a step-up verification escalation, a suspicious activity flag, or a biometric data access audit record. In financial institution and federal agency re-authentication platforms where Socure AI or IDme AI processes biometric probe images without individual fraud investigator review of every AI biometric match determination before the AI classification governs transaction authorisation and high-value account access, adversarial biometric probe injection creates EU GDPR Article 9 special-category biometric data processing, EU AI Act Article 5(b) biometric categorization prohibited practice, BIPA §15(c) biometric data disclosure without consent, and California CPRA §1798.140(ae)(1)(H) sensitive personal information dimensions.

The EU GDPR Article 9, EU AI Act Article 5(b), BIPA §15(c), and CCPA §1798.140 regulatory consequences of adversarially injected biometric re-identification probe classification span EU General Data Protection Regulation Article 9 processing of special categories of personal data prohibition establishing that processing of biometric data for the purpose of uniquely identifying a natural person is prohibited unless the data subject has given explicit consent under Article 9(2)(a), processing is necessary for substantial public interest under Article 9(2)(g), or another Article 9(2) lawful basis applies — adversarial biometric probe injection enabling identity impersonation through corrupted biometric match determination creates GDPR Article 9 special-category biometric processing compliance dimensions for EU-market identity verification platforms, with supervisory authority enforcement powers under Article 83(5) up to €20 million or 4% of global annual turnover; EU AI Act Article 5(1)(b) prohibition on biometric categorization systems that categorize individuals based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation — adversarial probe injection enabling cross-reference of biometric probe images against biometric databases in ways that derive sensitive-characteristic categorizations creates Article 5(1)(b) prohibited AI practice dimensions; Illinois BIPA §15(c) prohibition on private entities in possession of biometric identifiers or biometric information from selling, leasing, trading, or otherwise profiting from such biometric data — adversarial biometric probe injection enabling non-consensual cross-platform biometric identity re-identification through compromised embedding vector comparison creates BIPA §15(c) biometric data disclosure without written consent dimensions with private right of action and statutory damages. Threshold: 70 for biometric re-identification probe injection — reflecting EU GDPR Article 9 special-category biometric processing, EU AI Act Article 5(b) prohibited biometric categorization, BIPA §15(c) biometric data disclosure without consent, and CCPA §1798.140(ae)(1)(H) sensitive personal information dimensions.

Integration: biometric identity verification AI image ingestion with Glyphward pre-scan

Biometric identity verification AI image ingestion flows from Jumio AI, Onfido AI, and Veriff AI facial liveness detection capture image processing channels, Socure AI, IDme AI, and Jumio AI identity document scan image processing pipelines, Yoti AI, Veriff AI, and Onfido AI age-estimation facial capture image processing interfaces, and Socure AI, IDme AI, and Jumio AI biometric probe image processing API endpoints into liveness classification AI, document authenticity verification AI, age-gate determination AI, and biometric face match AI pipelines. Insert Glyphward's pre-scan at the ingestion boundary before AI-generated output is committed to KYC CIP identity verification records, onboarding admission decisions, age-gate pass or fail determinations, or biometric face match authentication records:

import asyncio
import base64
import hashlib
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Biometric identity verification AI — adversarial pixel injection in facial
# liveness detection captures, identity document scan images, age-estimation
# facial captures, and biometric probe images with BIPA §15, EU AI Act Art.5,
# GDPR Art.9, CCPA §1798.140, COPPA §312.3, and BSA §5318 CIP consequences.

# BIPA 740 ILCS 14/15(b) biometric collection consent; EU AI Act Art.5 prohibited
# practice; CCPA §1798.140(ae)(1)(H) sensitive personal info; BSA §5318(l) CIP.
THRESHOLD_LIVENESS_DETECTION_AI          = 60

# BSA §5318(l) CIP identity verification accuracy; FCRA §1681c consumer report
# accuracy; FATF Recommendation 10 customer due diligence; FinCEN 31 CFR §1020.220.
THRESHOLD_DOCUMENT_SCAN_VERIFICATION_AI  = 65

# COPPA 16 CFR §312.3 parental consent; UK Age Appropriate Design Code Standard 7;
# UK Online Safety Act §11 child protection; KOSA content restriction compliance.
THRESHOLD_AGE_GATE_ESTIMATION_AI         = 55

# EU GDPR Art.9 special-category biometric processing; EU AI Act Art.5(b) prohibited
# biometric categorization; BIPA §15(c) disclosure without consent; CCPA §1798.140.
THRESHOLD_BIOMETRIC_PROBE_AI             = 70


class BiometricVerificationAIContext(str, Enum):
    LIVENESS_DETECTION_AI          = "liveness_detection_ai"           # Jumio, Onfido, Veriff
    DOCUMENT_SCAN_VERIFICATION_AI  = "document_scan_verification_ai"   # Socure DocV, IDme, Jumio KYX
    AGE_GATE_ESTIMATION_AI         = "age_gate_estimation_ai"          # Yoti, Veriff Age Est., Onfido
    BIOMETRIC_PROBE_AI             = "biometric_probe_ai"              # Socure Sigma, IDme Wallet, Jumio


def threshold_for(context: BiometricVerificationAIContext) -> int:
    mapping = {
        BiometricVerificationAIContext.LIVENESS_DETECTION_AI:          THRESHOLD_LIVENESS_DETECTION_AI,
        BiometricVerificationAIContext.DOCUMENT_SCAN_VERIFICATION_AI:  THRESHOLD_DOCUMENT_SCAN_VERIFICATION_AI,
        BiometricVerificationAIContext.AGE_GATE_ESTIMATION_AI:         THRESHOLD_AGE_GATE_ESTIMATION_AI,
        BiometricVerificationAIContext.BIOMETRIC_PROBE_AI:             THRESHOLD_BIOMETRIC_PROBE_AI,
    }
    return mapping[context]


async def scan_biometric_verification_ai_image(
    image_path: str | Path,
    context: BiometricVerificationAIContext,
    session_entity_hash: str,   # SHA-256 of session or user ID (never plaintext PII)
    platform_ref: str,          # e.g. "JUMIO-KYX-2026-ONB-9341", "IDME-IRS-2026-AUTH-0027"
    verification_session_id: str,
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan a biometric identity verification AI image for adversarial injection payloads
    before forwarding to liveness detection, document authenticity verification,
    age-gate estimation, or biometric face match AI.

    Raises AdversarialBiometricVerificationAIImageError if score meets threshold:
      - LIVENESS_DETECTION_AI:          threshold 60; BIPA §15(b); EU AI Act Art.5
      - DOCUMENT_SCAN_VERIFICATION_AI:  threshold 65; BSA §5318(l); FCRA §1681c
      - AGE_GATE_ESTIMATION_AI:         threshold 55; COPPA §312.3; UK Children's Code
      - BIOMETRIC_PROBE_AI:             threshold 70; GDPR Art.9; BIPA §15(c)
    """
    image_bytes    = Path(image_path).read_bytes()
    image_b64      = base64.b64encode(image_bytes).decode()
    image_sha256   = hashlib.sha256(image_bytes).hexdigest()
    client_scan_id = str(uuid.uuid4())
    threshold      = threshold_for(context)

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "biometric_context":       context.value,
                "session_entity_hash":     session_entity_hash,
                "platform_ref":            platform_ref,
                "verification_session_id": verification_session_id,
                "client_scan_id":          client_scan_id,
                "image_sha256":            image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "session_entity_hash":     session_entity_hash,
        "platform_ref":            platform_ref,
        "verification_session_id": verification_session_id,
        "biometric_context":       context.value,
        "scan_id":                 result["scan_id"],
        "client_scan_id":          client_scan_id,
        "image_sha256":            image_sha256,
        "score":                   result["score"],
        "flagged_region":          result.get("flagged_region"),
        "threshold":               threshold,
        "action":                  "blocked" if result["score"] >= threshold else "allowed",
    }
    await write_biometric_verification_audit_record(audit_record)

    if result["score"] >= threshold:
        raise AdversarialBiometricVerificationAIImageError(
            f"Biometric verification AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"entity={session_entity_hash} ref={platform_ref}"
        )
    return result


async def write_biometric_verification_audit_record(record: dict) -> None:
    """Persist audit record to biometric verification AI regulatory documentation store (stub)."""
    import json, sys
    print(json.dumps(record), file=sys.stderr)


class AdversarialBiometricVerificationAIImageError(Exception):
    """Raised when a biometric verification AI image exceeds the adversarial injection threshold."""
    pass

Call scan_biometric_verification_ai_image() with BiometricVerificationAIContext.LIVENESS_DETECTION_AI before forwarding Jumio AI, Onfido AI, or Veriff AI facial liveness detection capture images to liveness classification AI — with session_entity_hash as the SHA-256 of the onboarding session identifier (never plaintext PII) for BIPA §15(b) biometric collection consent, EU AI Act Article 5 prohibited practice, CCPA §1798.140(ae)(1)(H) sensitive personal information, and BSA §5318(l) CIP identity verification audit trail. Call with BiometricVerificationAIContext.DOCUMENT_SCAN_VERIFICATION_AI for Socure AI DocV, IDme AI, or Jumio KYX identity document scan images before document authenticity verification AI — for BSA §5318(l) CIP compliance, FCRA §1681c consumer report accuracy, and FATF Recommendation 10 customer due diligence audit trail. Call with BiometricVerificationAIContext.AGE_GATE_ESTIMATION_AI for Yoti AI, Veriff AI, or Onfido AI age-estimation facial captures before age-gate determination AI — for COPPA 16 CFR §312.3 parental consent, UK Age Appropriate Design Code Standard 7 age assurance, and UK Online Safety Act §11 child protection compliance. Call with BiometricVerificationAIContext.BIOMETRIC_PROBE_AI for Socure AI Sigma, IDme AI Wallet, or Jumio KYX biometric probe images before biometric face match AI — for EU GDPR Article 9 special-category processing, EU AI Act Article 5(b) prohibited biometric categorization, BIPA §15(c) biometric disclosure consent, and CCPA §1798.140 sensitive personal information compliance. Get early access

Coverage matrix

Tool	Detects adversarial liveness bypass injection	Detects identity document scan injection	Detects age verification bypass	Detects biometric probe injection
Lakera Guard	No (text only)	No (text only)	No (text only)	No (text only)
LLM Guard	No (text only)	No (text only)	No (text only)	No (text only)
Azure Prompt Shields	No (text only)	No (text only)	No (text only)	Text only, Azure-gated
Platform-native (Jumio, Onfido, Socure)	No adversarial pixel injection detection	No adversarial pixel injection detection	No adversarial pixel injection detection	No per-request PI evidence
Glyphward	Yes — pixel-level liveness capture perturbation detection; threshold 60; session_entity_hash audit trail	Yes — pixel-level MRZ/document field injection detection; threshold 65; platform_ref audit trail	Yes — pixel-level age-feature perturbation detection; threshold 55; verification_session_id audit	Yes — pixel-level biometric embedding probe injection detection; threshold 70; scan_id per request

Related questions

What is the difference between a liveness detection bypass and a deepfake attack on biometric identity verification AI?

A liveness detection bypass attack targets the liveness classifier specifically — attempting to cause the AI to classify an inauthentic presentation (a printed photograph, a digital screen showing a recording, or a three-dimensional silicone mask) as a live human face. A deepfake attack, by contrast, uses generative AI to create a synthetic video or image of a target person's face that appears visually convincing and then presents that synthetic media to both the liveness classifier and the biometric face match classifier simultaneously.

Adversarial pixel injection differs from both: rather than constructing a visually convincing presentation, it applies imperceptible pixel perturbations to an existing image (which may or may not be a deepfake) that specifically target the vulnerability of the liveness classifier's neural network decision boundary — causing the classifier to output a high liveness confidence score for an image that a human reviewer would immediately identify as a flat photograph. For Jumio AI, Onfido AI, and Veriff AI liveness detection systems, adversarial pixel injection on the facial skin texture region and periocular specular reflection pattern can cause the liveness AI to return liveness confidence scores above its pass threshold for a printed photograph. The attack surface is the AI classifier's learned decision boundary, not the visual quality of the presentation — making it orthogonal to deepfake detection and not addressable by standard presentation attack detection (PAD) mechanisms that check for screen reflections or depth signals. Glyphward pre-scan at the liveness detection AI ingestion boundary at threshold 60 provides the pixel-level adversarial injection detection that liveness detection AI systems require before the AI classification governs KYC CIP identity verification admission.

Why does BIPA apply to identity verification AI used by financial institutions and how does adversarial injection create BIPA liability?

Illinois Biometric Information Privacy Act 740 ILCS 14/ applies to any private entity that collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information from Illinois residents — defined in 740 ILCS 14/10 to include a retina or iris scan, fingerprint, voiceprint, hand scan, face geometry, or any other unique biological characteristic. Financial institutions using Jumio AI, Onfido AI, or Socure AI for KYC identity verification that involve facial geometry capture — including biometric face match comparison of a new customer selfie against an identity document photograph — are collecting face geometry biometric identifiers subject to BIPA §15(b) consent and retention requirements. BIPA §15(b) requires that before collection, the private entity must inform the subject in writing of the purpose and length of collection and obtain a written release. BIPA §15(a) requires a publicly available retention schedule and guidelines for destroying biometric data. BIPA §15(d) prohibits disclosure of biometric data without consent. BIPA §15(e) requires reasonable care to protect biometric data from disclosure consistent with reasonable and appropriate standards for protection of sensitive confidential information.

Adversarial injection creates BIPA liability in two ways. First, adversarial liveness bypass enabling fraudulent onboarding using a photograph of another person's face causes the legitimate face geometry holder's biometric data to have been used in the platform's BIPA-covered biometric verification process without their consent or knowledge — creating a §15(b) collection consent violation for the third party whose face was used. Second, adversarial probe injection corrupting biometric face match comparisons may enable non-consensual biometric re-identification across platforms — creating §15(c) and §15(d) disclosure without consent dimensions. BIPA private right of action provides statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, has produced class action settlements exceeding $650 million against Facebook, $92 million against TikTok, $75 million against BNSF Railway, and $40 million against Google, and has no statutory cap on class damages. Glyphward pre-scan at the liveness detection AI ingestion boundary at threshold 60 and at the biometric probe AI boundary at threshold 70 provides the pixel-level adversarial injection detection that financial institution biometric identity verification AI systems require for BIPA §15 compliance.

How does the EU AI Act Article 5 prohibited practices framework affect biometric identity verification AI deployed in the European Union?

EU AI Act Article 5 establishes a category of prohibited AI practices that member states must prohibit and subject to penalties up to €30 million or 6% of total worldwide annual turnover for violations — covering AI systems that deploy subliminal techniques to materially distort human behaviour causing harm (Article 5(1)(a)), exploit vulnerabilities due to age, disability, or social or economic situation to distort behaviour causing harm (Article 5(1)(b)), categorize natural persons based on biometric data to deduce or infer sensitive characteristics including race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation (Article 5(1)(c)), conduct real-time remote biometric identification of natural persons in publicly accessible spaces by law enforcement (Article 5(1)(h) with exceptions), and create or expand facial recognition databases through untargeted scraping of facial images from the internet or closed-circuit television footage (Article 5(1)(e)).

For biometric identity verification AI deployed in the European Union, the Article 5 prohibitions create constraints on: biometric categorization systems that infer sensitive characteristics from facial imagery (Article 5(1)(c)) — Socure AI, IDme AI, or Onfido AI systems that derive sensitive attribute classifications from facial feature analysis as part of identity risk scoring create Article 5(1)(c) prohibited AI practice dimensions; and real-time remote biometric identification systems used by private entities in publicly accessible spaces that exceed the Article 5(1)(h) law enforcement exception scope — applicable to Veriff AI or Jumio AI deployed in physical premises access control contexts. Adversarial probe injection enabling cross-platform biometric re-identification through corrupted face match comparison creates Article 5(1)(e) database-expansion dimensions where the adversarial attack causes biometric probe images to generate embedding vectors that match against biometric templates of persons who did not consent to re-identification across platforms. Glyphward pre-scan at the biometric probe AI ingestion boundary at threshold 70 provides the pixel-level adversarial injection detection that EU-market biometric identity verification AI systems require for EU AI Act Article 5 prohibited practice compliance.

What COPPA obligations apply to age-gate AI used by platforms to restrict minor access to age-restricted services?

Children's Online Privacy Protection Act Rule 16 CFR Part 312 applies to operators of websites or online services directed to children under thirteen, and to operators with actual knowledge that they are collecting personal information from a child under thirteen — requiring verifiable parental consent before collecting, using, or disclosing personal information from covered children. For age-gated platforms using Yoti AI, Veriff AI Age Estimation, or Onfido Age Estimation to determine whether a user meets the platform's age threshold, the COPPA obligation structure depends on the platform's age-gate design: if the platform uses age-gate AI as a means to establish that a user is thirteen or older, and the age-gate AI is bypassed by adversarial injection, the platform may be collecting personal information from children under thirteen without the actual knowledge trigger that would require parental consent — creating a structural COPPA compliance gap where the adversarially bypassed age-gate eliminates the signal that would trigger parental consent obligations.

The FTC's COPPA enforcement against platforms that fail to implement effective age-gate mechanisms has expanded beyond traditional website-directed-to-children liability: the FTC has taken action against platforms where design features de facto attracted children to age-restricted services despite nominal adult age-gate controls. For age-gate AI systems processing facial age-estimation images, the standard COPPA safe harbour analysis relies on the age-gate actually working as designed — providing a meaningful barrier to underage access. Adversarial bypass of facial age-estimation AI at Yoti AI, Veriff AI, or Onfido AI that allows a minor to obtain an age-pass determination despite meeting adversarial injection threshold 55 eliminates the age-gate's COPPA safe harbour function, creates FTC actual knowledge attribution dimensions for the platform once the bypass is discovered, and generates civil penalty exposure up to $51,744 per COPPA violation. Glyphward pre-scan at the age-gate estimation AI ingestion boundary at threshold 55 provides the pixel-level adversarial injection detection that platforms relying on facial age-estimation AI for COPPA compliance require before the AI classification governs underage content access decisions.

How does IDme AI's federal agency deployment scale create distinct adversarial injection risk compared to commercial biometric identity verification platforms?

IDme AI serves 100 million or more enrolled Americans across 20 or more federal agencies including the Internal Revenue Service, Veterans Administration, Social Security Administration, Department of Labor, and Centers for Medicare and Medicaid Services, and 30 or more state governments for unemployment insurance, professional licence, and tax authority access — creating a distinct adversarial injection risk profile driven by the concentration of high-value federal benefit access and tax account access behind a single biometric identity verification platform, the federal agency data sensitivity of Social Security Administration (SSA) account access, IRS MyAccount and IP PIN application access, VA MyHealtheVet medical record access, and CMS Medicare beneficiary account access, and the criminal liability framework applicable to fraudulent access to federal benefits and tax accounts under 18 USC §641 (theft of public money), 18 USC §1030 (computer fraud and abuse), 18 USC §1343 (wire fraud), 26 USC §7206 (fraud and false statements to the IRS), and 38 USC §5313B (misuse of veterans benefits).

For IDme AI specifically, adversarial liveness detection bypass at threshold 60 enabling fraudulent onboarding creates IRS tax account takeover dimensions (26 USC §7206 false statement to IRS; identity theft tax fraud resulting in unauthorised tax refund filing), VA benefits fraud dimensions (38 USC §5313B misuse of veterans benefits; disability rating manipulation through fraudulent access to VA eHealth Exchange), SSA account takeover dimensions (fraudulent benefit redirection and direct deposit modification), and state unemployment insurance fraud dimensions (fraudulent continued certification and benefit disbursement). The federal criminal exposure applicable to IDme AI adversarial bypass fraud — as distinct from commercial identity verification platform fraud — includes 18 USC §1030 Computer Fraud and Abuse Act liability for unauthorised access to federal agency computer systems, potentially adding felony CFAA charges to underlying benefits fraud statutes. Glyphward pre-scan at the IDme AI liveness detection and document scan verification AI ingestion boundaries at thresholds 60 and 65 provides the pixel-level adversarial injection detection that federal agency biometric identity verification pipelines require before AI classifications govern IRS, VA, SSA, and state government account access.