CEN/TS 18099: The Standard That Proves Injection Attack Resilience

In our previous post, we explored how the updated NIST SP 800-63-4 Digital Identity Guidelines are raising the bar for biometric verification. iProov was the first vendor to demonstrate Deepfake Resilience under the new guidelines.

One requirement stood out in the NIST guidelines: organizations must now prove resistance to both presentation attacks and deepfake injection attacks. That latter category is where many vendors go quiet.

NIST, the European Union Agency for Cybersecurity (ENISA), France’s ANSSI, and Germany’s BSI have all raised the alarm on the risks of injection attacks. Our own threat intelligence shows they grew 740% on iOS in 2025. Unlike presentation attacks, which require a physical presence, injection attacks can be automated and scaled across thousands of attempts simultaneously.

CEN/TS 18099 finally provides the independent validation framework to prove deepfake injection attack resilience, moving beyond vendor-led claims.

Why The New Standard Was Needed

Presentation Attack Detection (PAD) has well-established testing frameworks. ISO/IEC 30107 defines how to evaluate whether a biometric system can detect photos, masks, and video replays held up to a camera. 

PAD certification has become table stakes; injection attacks are more sophisticated. A vendor can hold PAD certification and still have zero resilience to injection attacks. The two attack vectors require fundamentally different testing methodologies. ISO 30107 was not designed to address this threat category.

When we examine how many vendors address injection attacks, responses typically fall into three categories: internal testing documentation, architectural diagrams with reassuring arrows, or “spoof bounty” programs in non-production environments. These evaluations frequently rely on proprietary frameworks not developed by recognized standards bodies, meaning results cannot be compared across solutions.

This is important because injection attacks are designed to evade detection. They don’t trigger the same alerts as presentation attacks. Organizations can experience systematic compromise without knowing it. Onboarding still works, conversion metrics look healthy, and fraud scales quietly until someone asks for proof.

Injection attacks are sophisticated because they operate on two fronts simultaneously: the delivery mechanism is designed to be invisible to the application, while the injected content is engineered to fool whatever checks sit on the other end — defending against one without the other leaves organizations exposed.

The European Committee for Standardization (CEN) recognized this gap and developed CEN/TS 18099: the first formal technical specification dedicated to testing biometric systems against injection attacks. 

How CEN/TS 18099 Works

The standard distinguishes between two components of an injection attack:

• Injection Attack Method (IAM): How the attack is delivered. This includes exploiting software libraries, manipulating network traffic, using emulators, or hooking into system functions to intercept and replace biometric data.
• Injection Attack Instrument (IAI): What gets delivered. The synthetic face, deepfake video, or manipulated image sequence that the attacker wants the system to accept as genuine.

Evaluators attempt to establish multiple attack methods against the target system. Where attack methods succeed, they then deliver a range of attack instruments to assess detection capabilities.

This two-stage approach reveals where defenses actually operate. Some systems may allow attack methods to be established, but detect malicious instruments. Others may block the attack pathway itself, preventing instrument delivery entirely. The distinction matters for understanding the depth of protection provided.

What Did iProov’s Solution Evaluation Reveal?

iProov submitted Dynamic Liveness to independent evaluation by Ingenium Biometric Laboratories, an ISO/IEC 17025-accredited facility that serves as the UK’s independent biometrics laboratory for the National Protective Security Authority. Testing was conducted against Ingenium’s Level 4 Injection Attack Detection requirements, which exceed CEN/TS 18099’s highest level (CEN High) in scope and rigor.

Ingenium Level 4 builds on the requirements outlined in CEN/TS 18099, providing increased assurance through extended testing and complex attack types. The 40-day evaluation assessed at least three distinct injection attack methods and fifteen attack instruments. 

During the testing, no injection attack method could be successfully established. Because the attack pathways were blocked, the laboratory never progressed to delivering the attack instruments. The synthetic faces and deepfake videos had nowhere to go.

This represents a fundamentally different security posture. Rather than attempting to detect malicious content after it enters the system, Dynamic Liveness prevents the injection pathway from being established in the first place.

Critically, this level of protection was achieved without sacrificing user experience. The Bona Fide Presentation Classification Error Rate (BPCER) –  the rate at which legitimate users are incorrectly rejected – was just 1.3%, well below the 15% threshold required by the standard.

Dynamic Liveness is the first and only solution to achieve an Ingenium Level 4 evaluation.

Beyond CEN: The Broader Validation Picture

CEN/TS 18099 addresses injection attacks specifically, but comprehensive identity assurance requires validation across multiple threat categories. For organizations building procurement criteria around NIST 800-63-4, the full picture includes:

• PAD validation: ISO/IEC 30107-3 conformance through accredited testing (such as iBeta Levels 1 & 2) and FIDO Face Verification Certification for presentation attacks, including presented deepfakes.
• IAD validation: CEN/TS 18099 evaluation for injection attack resilience.
• Operational security: ISO 27001, SOC 2, and CSA STAR certification for data protection and security processes.
• Inclusivity: WCAG 2.2 AA conformance and Section 508, the best-practice standard for accessibility across digital experiences.

Together, these provide the evidence base NIST requires: not vendor assertions, but third-party validation across the threat landscape organizations face.

Closing Thoughts on CEN/TS 18099 and The “Validation Gap” 

CEN/TS 18099 represents the benchmark for injection attack testing, but the regulatory direction is global. ISO 25456, currently under development, will extend injection attack detection requirements internationally. Organizations that align now position themselves ahead of regulatory pressure rather than scrambling when requirements tighten.

For security architects, procurement teams, and compliance leaders, the question has changed: it’s no longer enough to ask whether a vendor has deepfake detection. The question is whether they can prove, through independent, standards-aligned testing, that their solution defeats the deepfake injection attacks now highlighted in the NIST Digital Identity Guidelines.

The question that cuts through vendor claims is simple: which independent lab tested that capability, against which standard, and at what level? If there’s no published answer, the capability isn’t verified. It’s assumed.

With iProov, the evidence is published, the methodology is transparent, and the results are available for review. 

Can your current provider say the same?

• To learn more about iProov’s CEN/TS 18099 evaluation or request the independent Ingenium report, contact us.
• Learn more about biometric and identity certifications and why they matter.