rPPG Spoofing and Liveness Detection: Separating Live Faces from Fakes
Remote PPG signals can be used to detect face spoofing attacks — printed photos, screen replays, and 3D masks don't pulse like live skin. Learn how rPPG-based liveness detection works and where it falls short.

Face recognition systems secure phones, border crossings, and bank logins. They're increasingly reliable at identifying who you are, but they have historically been weak on a different question: are you alive?
Printed photo attacks, video replay attacks, and 3D silicone masks can fool many facial recognition systems. The attacker presents a face that looks correct but doesn't breathe, blink naturally, or have blood flowing through it.
Remote PPG offers a physiologically grounded answer. Live skin pulses with each heartbeat. Photos and videos of faces don't — or at least, don't pulse with the same spectral and temporal properties as genuine perfused tissue.
The Spoofing Problem in Face Biometrics
Face anti-spoofing (FAS) is a mature research area with an established taxonomy of attacks:
- Print attacks: A high-resolution photo held in front of a camera
- Replay attacks: A video of a genuine face played on a screen
- 3D mask attacks: Silicone or rigid masks with realistic facial features
- Deepfake attacks: Synthetically generated face video replacing a real person's live feed
Traditional FAS approaches rely on texture analysis (fake faces have different microscopic texture), depth estimation (flat photos have no 3D structure), or blink/motion detection (which can be fooled by video replay).
rPPG-based liveness detection adds a physiological layer: does the face show the spectral-temporal signature of live vasculature?
Why Live Skin Is Spectrally Unique
When blood flows through facial capillaries, it causes rhythmic changes in the skin's light absorption at specific wavelengths. The green channel shows the strongest pulsation signal (hemoglobin absorption peak ~540 nm). This signal is:
- Spatially distributed: Present across forehead, cheeks, nose, and neck simultaneously, with specific spatial patterns
- Temporally coherent: All regions pulse at the same heart rate (with measurable propagation delays)
- Spectrally constrained: The amplitude ratio across wavelengths follows Beer-Lambert predictions for hemoglobin
A printed photo or screen replay might show a face, but it won't show this specific multivariate spectral-temporal pattern. A screen displays colors at roughly constant intensity between frames (any temporal variation is the display's own refresh artifacts, not biology). A printed photo has no temporal variation at all.
rPPG-Based Anti-Spoofing Methods
Passive Spectral Analysis
The simplest approach: look for a heartbeat signal in the face video. If no rPPG signal is present, declare the input a spoof.
This works surprisingly well against basic print attacks. Liu et al. (2018, DOI: 10.1145/3240508.3240533) demonstrated 98% spoofing detection accuracy on replay and print attacks in controlled lighting.
The limitation is that this simple "no pulse = fake" criterion is vulnerable to adversarial manipulation. A sophisticated attacker could modulate a screen's backlight at realistic cardiac frequencies to synthesize a fake rPPG signal.
Multi-Region Spatial Coherence
Live faces don't just show a pulse — they show spatially coherent, physiologically plausible pulse propagation. The forehead region typically shows the pulse slightly before the cheek, due to vascular propagation speed. Different facial regions show slightly different pulse amplitudes based on local vascularity.
Fake faces have no reason to show this specific spatial coherence pattern. Screens displaying video would show approximately uniform brightness fluctuation. Even a sophisticated adversary trying to generate a fake rPPG signal would struggle to replicate the exact spatial coherence pattern of real vasculature.
This approach was formalized by Li et al. (2016, DOI: 10.1109/TIFS.2016.2532548) as "rPPG Map" anti-spoofing, showing improved performance over single-region methods.
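The passive "is there a pulse?" check and the multi-region coherence check described above, as an added Python example (not code from the cited papers). The 30 fps frame rate, 10-second window, thresholds, the 30 ms forehead-to-cheek delay and all three traces are constructed assumptions; the uniformly flickering trace passes the passive check and is only rejected by the coherence test.

```python
import cmath, math, random

FS = 30.0                                 # assumed camera frame rate (fps)
FREQS = [k / 10 for k in range(7, 41)]    # 0.7-4.0 Hz cardiac band, 0.1 Hz grid

def dft_bin(x, f):
    """Complex DFT coefficient of the mean-removed trace x at frequency f (Hz)."""
    m = sum(x) / len(x)
    return sum((v - m) * cmath.exp(-2j * math.pi * f * i / FS) for i, v in enumerate(x))

def assess(forehead, cheek, min_share=0.5, min_lag=0.010, amp_tol=0.10):
    """Classify two ROI traces; the thresholds are illustrative, not tuned values."""
    peaks = []
    for roi in (forehead, cheek):
        power = [abs(dft_bin(roi, f)) ** 2 for f in FREQS]
        k = max(range(len(FREQS)), key=power.__getitem__)
        total = sum(power)
        if total == 0 or power[k] / total < min_share:
            return "no_pulse"               # passive check: no dominant cardiac peak
        peaks.append(FREQS[k])
    if peaks[0] != peaks[1]:
        return "incoherent"                 # regions disagree on the heart rate
    xf, xc = dft_bin(forehead, peaks[0]), dft_bin(cheek, peaks[0])
    lag = cmath.phase(xf * xc.conjugate()) / (2 * math.pi * peaks[0])  # seconds
    if abs(lag) < min_lag and abs(abs(xc) / abs(xf) - 1) < amp_tol:
        return "uniform_modulation"         # same pulse everywhere: flicker, not blood
    return "live_like"

def synth(rng, amp, delay=0.0, n=300, hr=1.2, noise=0.1):
    """Constructed green-channel ROI mean: delayed sine pulse plus Gaussian noise."""
    return [100 + amp * math.sin(2 * math.pi * hr * (i / FS - delay)) + rng.gauss(0, noise)
            for i in range(n)]

def demo():
    rng = random.Random(7)                  # fixed seed so the sample data is repeatable
    cases = {
        "live": (synth(rng, 1.0), synth(rng, 0.7, delay=0.030)),
        "print": (synth(rng, 0.0), synth(rng, 0.0)),
        "flicker": (synth(rng, 1.0), synth(rng, 1.0)),
    }
    return {name: assess(*rois) for name, rois in cases.items()}

if __name__ == "__main__":
    print(demo())
```

Real ROI traces need detrending and motion compensation first, and the lag and amplitude thresholds have to be calibrated per camera.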
Cross-Channel Spectral Ratio Analysis
Live skin has a specific ratio of pulsation amplitude across the R, G, and B channels determined by hemoglobin's spectral absorption. This ratio is essentially independent of lighting conditions and skin tone (to first order).
A screen displaying a face video has spectral characteristics determined by the display's phosphors or LCD filters, not hemoglobin, so its cross-channel ratios will differ from those of live skin.
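One way to test the cross-channel ratio, as an added Python example rather than code from any cited work. The relative skin amplitudes (0.33, 0.77, 0.53 for R, G, B, green strongest), the DC levels and the thresholds are constructed assumptions, as is the model of a dimmed backlight that scales all three channels by the same factor.

```python
import math, random

def relative(trace):
    """Fractional change of a channel around its mean (AC/DC)."""
    m = sum(trace) / len(trace)
    return [v / m - 1 for v in trace]

def channel_signature(r, g, b):
    """Unit vector of per-channel pulse gain, regressed on the green channel."""
    ref = relative(g)
    energy = sum(v * v for v in ref)
    gains = [sum(a * v for a, v in zip(relative(c), ref)) / energy for c in (r, g, b)]
    norm = math.sqrt(sum(x * x for x in gains))
    return [x / norm for x in gains]

def classify(r, g, b, min_depth=0.002, flat_cos=0.99):
    """Thresholds are illustrative assumptions, not calibrated values."""
    ref = relative(g)
    if math.sqrt(sum(v * v for v in ref) / len(ref)) < min_depth:
        return "no_pulse"                    # no modulation to take a ratio of
    sig = channel_signature(r, g, b)
    if sum(sig) / math.sqrt(3) > flat_cos:   # cosine similarity to (1, 1, 1)
        return "achromatic_modulation"       # every channel scaled alike
    return "skin_like" if sig[1] == max(sig) else "implausible_ratio"

def synth_rgb(rng, gains, n=300, fs=30.0, hr=1.2, depth=0.01, noise=0.0005):
    """Constructed R, G, B ROI means: DC level * (1 + depth * gain * pulse + noise)."""
    dc = (150.0, 110.0, 90.0)
    pulse = [math.sin(2 * math.pi * hr * i / fs) for i in range(n)]
    return [[d * (1 + depth * k * p + rng.gauss(0, noise)) for p in pulse]
            for d, k in zip(dc, gains)]

def demo():
    rng = random.Random(11)                  # fixed seed for repeatable sample data
    return {
        "skin": classify(*synth_rgb(rng, (0.33, 0.77, 0.53))),    # green strongest
        "backlight": classify(*synth_rgb(rng, (1.0, 1.0, 1.0))),  # equal scaling
        "print": classify(*synth_rgb(rng, (0.0, 0.0, 0.0))),      # noise only
    }

if __name__ == "__main__":
    print(demo())
```

The depth guard here is broadband; in practice the ratio is taken only after a band-limited pulse has been found in the green channel.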
Deep Learning End-to-End Detection
Several CVPR and ICCV papers since 2020 have demonstrated end-to-end deep learning systems that jointly learn rPPG extraction and liveness classification. These systems implicitly learn to use rPPG-relevant features without explicit handcrafted spectral analysis.
Yu et al.'s TransFAS framework (2023, DOI: 10.1109/TPAMI.2023.3247589) combined rPPG auxiliary supervision with a ViT backbone for face anti-spoofing, achieving state-of-the-art performance on multiple FAS benchmarks (OULU-NPU, SiW, CASIA-FASD).
Limitations and Adversarial Attacks
rPPG-based liveness detection is not foolproof.
Deepfakes with synthetic rPPG: Generative adversarial networks and diffusion models can now synthesize photorealistic face video. Researchers have demonstrated deepfakes that include a synthetically generated rPPG signal, modulating the face color at plausible cardiac frequencies. Li et al. (2022) demonstrated that 40% of a popular rPPG-based liveness detector could be defeated by rPPG-modulated deepfakes.
3D mask attacks with tissue-like materials: Silicone masks with vasculature-mimicking spectral properties are theoretically possible. In practice, these remain extremely sophisticated and expensive attacks beyond most real-world threat models.
Adversarial illumination control: An attacker controlling the room lighting could modulate ambient light at cardiac frequencies, potentially mimicking the spectral signature of real skin pulsation.
Cross-dataset generalization: rPPG-based FAS systems trained on one database often fail on others due to differences in camera, lighting, and subject demographics. This limits deployment reliability.
Combining rPPG with Other Liveness Signals
The most robust face anti-spoofing systems combine multiple modalities:
- rPPG + depth: 3D face structure is difficult to spoof simultaneously with plausible physiology
- rPPG + blink dynamics: Natural blink timing and eye moisture have distinct signatures
- rPPG + micro-expression: Spontaneous micro-expressions co-vary with autonomic nervous system activity
- rPPG + thermal: Live faces emit heat from vascular activity; masks and screens don't match this profile
This multi-modal approach substantially raises the attacker's burden. Each additional biometric channel requires independent spoofing, and the combination becomes exponentially harder to defeat.
Regulatory and Deployment Context
Face anti-spoofing with rPPG is deployed in:
- Mobile banking (several Asian banks use rPPG liveness checks during KYC)
- Border control (NIST FRVT evaluates FAS as part of face recognition system testing)
- Enterprise access control (Windows Hello and similar systems incorporate liveness detection)
The ISO/IEC 30107 standard series defines presentation attack detection (PAD) requirements and testing methodology. ISO/IEC 30107-3 specifies the biometric evaluation methodology, including attack presentation classification error rates (APCER) and bona fide presentation classification error rates (BPCER).
rPPG-based methods are listed as a Category 2 (software-based) PAD mechanism. Most production systems combine rPPG with challenge-response tests (which instruct the user to perform specific head movements or expressions) for higher assurance.
Frequently Asked Questions
Can rPPG detect if a face is a deepfake?
rPPG can help detect some deepfakes by looking for the physiological blood volume pulse signal. However, advanced deepfakes with synthetically generated rPPG signals can potentially defeat simple rPPG-based detectors. Multi-modal approaches combining rPPG with depth and motion signals are more robust.

How does rPPG liveness detection work?
The system analyzes subtle color changes in face video to detect the periodic signal from blood pumping through facial blood vessels. Live faces show this heartbeat signal; printed photos, screen replays, and most masks don't, or show spectrally incorrect imitations.

Can a screen showing a face fool rPPG liveness detection?
A plain screen showing face video will not show the correct rPPG spectral pattern. However, a sophisticated adversary could modulate a screen's backlight at realistic cardiac frequencies, partially defeating simple rPPG detectors. This requires deliberate effort and knowledge of the detection method.

Is rPPG liveness detection FDA approved?
rPPG liveness detection is not separately FDA regulated; it's a security/biometric function rather than a medical device. For medical vital signs measurement from cameras, FDA 510(k) clearance is typically required.

What attacks can defeat rPPG-based liveness detection?
rPPG-modulated deepfakes, adversarial illumination modulation, and (theoretically) vasculature-mimicking silicone masks can defeat rPPG detectors. In practice, the most sophisticated current attacks are rPPG-aware deepfakes. Real-world deployments combine rPPG with depth, challenge-response, and other modalities.