I talk endlessly about presentation attack detection independent testing, but I occasionally discuss injection attack detection independent testing also, who performs the test (as more entities do so), and who has been tested.
- Ingenium tested iProov.
- Ingenium also tested FaceTec.
- And as I just noted, BixeLab tested Aware.
The testing entities perform the test according to the European Committee for Standardization (CEN) standard CEN/TS 18099:2025.
“This document provides an overview of:
– Definitions of biometric data injection attacks;
– Use cases for injection attacks with biometric data on essential hardware components of biometric systems used for enrollment and verification;
– Tools for injection attacks on systems using one or more biometric modalities.
This document provides guidance for:
– Injection Attack Instrument Detection System (defined in 3.12);
– adequate risk mitigation for injection attack tools;
– Creation of a test plan for the evaluation of an injection attack detection system (defined in 3.9).”
And Ingenium and BixeLab have developed their own testing methods.
iBeta and Injection Attack Detection Testing
And if you need a third choice of a testing lab, there is one. Via a sponsored post, iBeta joined the party.
“A new testing solution from iBeta Quality Assurance meets a growing need for evaluations of injection attack detection (IAD) products. The lab’s IAD testing launches today, and will be part of what iBeta showcases at Identity Week 2026 in Amsterdam next week. It includes testing up to Level 3, against the European standard CENS/TS 18099: 2025, across multiple platforms. And it presages the planned 2027 publication of the ISO/IEC standard dedicated to injection attack testing. iBeta will release a IAD testing solution for the ISO standard when it is released.”
Changes
The Biometric Update quote about the forthcoming ISO/IEC standard illustrates the challenge in testing when standards change, and new standards are adopted.
Something the Kantara Initiative recently addressed:
“Kantara Initiative announces the formal publication of the Kantara Initiative International Assurance Program: SP 800-63A-4 Service Assessment Criteria (SAC) & Statement of Criteria Applicability (SoCA), aligned to NIST Special Publication 800-63A Revision 4 – Identity Proofing.
“Following completion of the public review process and consideration of community feedback, the assessment criteria have been finalized and are effective immediately.”
NIST Special Publication 800-63A Revision 4 is the successor to Revision 3. Kantara Initiative previously offered assessments against the older standard, and can now assess against the newer one.
This illustrates the ripple effect of standards revisions…and in the case of injection attack detection, upcoming new standards.
Bredemarket 