Identy.io Achieves Zero Attack Acceptance in DHS RIVR Face Liveness Evaluation, Leads Field on Speed and User Satisfaction

DOVER, Del.--(BUSINESS WIRE)--Identy.io today announced its results in the Active PAD evaluation of the 2025 Remote Identity Validation Rally (RIVR), conducted by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate at the Maryland Test Facility (MdTF). Unlike the Passive PAD evaluation, which processes previously acquired samples, the Active PAD evaluation assesses the complete capture process with real users, capturing not only the effectiveness of the liveness system but also transaction time and user satisfaction.

RIVR exposes the limits of liveness technology. Identy.io coming out with zero attack acceptance is the result of building security and usability as a single problem, not two competing ones. Jesús Aragón, CEO of Identy.io

Share

Identy.io (PAD-A2) led the field in security, efficiency, and satisfaction:

• Security — Zero attacks accepted (0% APCER) across all attack classes: Not a single attack got through — across all three classes and both operating systems, including Class C attacks that demand specialized hardware and significant attacker resources. The significance of this result becomes clear in context: Identy.io was the only system across the entire evaluation — active and passive — to achieve 0% APCER, while several remained vulnerable to Class A attacks, the simplest and most accessible attack type.
• Satisfaction — Highest rate among all evaluated systems: Identy.io achieved the highest satisfaction scores in the evaluation, exceeding the 95% satisfaction goal.
• Efficiency — Fastest among all evaluated systems: Identy.io recorded the lowest average transaction time of all evaluated systems, and was the only one to meet the 20-second performance goal.

High satisfaction and fastest transaction times are no coincidence: they reflect Identy.io's obsession with usability alongside security, and are the result of deliberate design choices. Identy.io's liveness detection is entirely passive, requiring no gestures or user actions, and the false rejection rate achieved confirms that security was not gained at the expense of convenience: BPCER remained very low on Android at 3.4%, with iOS just 1 percentage point above the 5% threshold.

"RIVR puts liveness technology under conditions designed to expose its limits — three attack classes, independent scoring, genuine captures. Coming out with zero attack acceptance across all of them, while also leading on speed and satisfaction, is not a tradeoff. It is the result of building security and usability as a single problem, not two competing ones."

— Jesús Aragón, CEO and Founder, Identy.io

Identy.io's full results for PAD-A2 are publicly available at https://mdtf.org/rivr/Results

Independent validation: a proven track record

The RIVR results extend a track record of security and outstanding usability. Identy.io's face biometrics technology had previously achieved 0% APCER and 0% BPCER in iBeta ISO 30107-3 Level 1 and 2 testing — equivalent to Class A and Class B attacks in the RIVR framework. With the RIVR, Identy.io went further — demonstrating maximum security against the most costly and resource-intensive attacks included in the evaluation.

Liveness as part of Identy.io's defense-in-depth

Liveness detection over already-captured images is no longer sufficient. The fast-growing threat today is injection: synthetic content fed directly into the video stream with no presentation artifact or effect to detect. Its scalability and low barrier to entry make it particularly dangerous. Therefore, controlling and protecting the capture process is now the critical layer, something a passive system working on already-captured images cannot do.

Identy.io's capture prevents injection and also includes deepfake detection to identify AI-generated synthetic faces. Each layer targets a different attack vector and if one is bypassed, the others hold.

About Identy.io

Headquartered in the US with offices in Brazil, Mexico, Colombia, Nigeria, Spain and India, Identy.io is the global reference in digital identity using mobile-first multimodal biometric authentication and identity management through ABIS. Trusted by government and corporate customers worldwide, the company has secured over one billion identity transactions across banking, telecommunications, government, and healthcare sectors. For more information, visit https://identy.io

This information was determined based on demonstrations and assessments conducted at the Maryland Test Facility as part of the Remote Identity Validation Rally held in 2025 under a Cooperative Research and Development Agreement. The views and/or conclusions contained in this document are those of the author(s) and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security (DHS), and do not constitute a DHS endorsement of the equipment tested or evaluated.