Certifications
Certifications
iProov takes compliance very seriously and complies with a vast array of industry standards.
FIDO Alliance
iProov Dynamic Liveness® is the world’s first FIDO-certified solution for remote Face Verification,
accredited by Ingenium Biometrics.
What is the FIDO Face Verification Certification?
The FIDO Face Verification Certification is the most rigorous evaluation program that assesses the reliability, usability, and security of remote identity verification systems.
Why does the FIDO Face Verification matter?
Dynamic Liveness has undergone extensive evaluation of its face-matching and liveness detection capabilities, in accordance with the ISO 19795 and ISO 30107 standards. The technology blocked every type of presentation attack, such as photos, masks, face morphs, videos, and presented deepfakes.
The FIDO certification confirms the solution’s robustness, affirming its unparalleled defense against evolving threats throughout the entire identity lifecycle. It sets a quality standard and highlights vendors’ abilities to protect consumers from presentation attacks and presented deepfakes, replacing proprietary attack mitigation claims with independently verified performance metrics for Imposter Attack Presentation Match Rate (IAPMR) and False Rejection Rate (FRR).
iBeta
ISO 30107-3 tested by iBeta
iProov’s Dynamic Liveness and Express Liveness® technology conforms with ISO/IEC 30107-3:2017 for testing Presentation Attack Detection (PAD) Levels 1 and 2.
What is iBeta ISO/IEC 30107-3 testing?
iBeta is a NIST NVLAP-accredited biometrics testing lab (NVLAP Testing Lab Code 200962-0). iBeta Quality Assurance conducted PAD testing in accordance with ISO/IEC 30107-3. ISO/IEC 30107-3:2017 establishes:
- Principles and methods for performance assessment of presentation attack detection mechanisms;
- Reporting of testing results from evaluations of presentation attack detection mechanisms;
- Classification of known attack types
Why does the iBeta certification matter?
iBeta has been conducting biometric testing as an independent third-party laboratory since 2012. During their testing of iProov’s technology, iBeta was not able to gain unauthorized access with Presentation Attacks (PA’s), yielding an overall PA success rate of 0%, which equates to the overall combined Imposter Attack Presentation Match Rate (IAMPR) of 0%. This provides benchmark, audit-ready evidence that the system can distinguish live users from high-quality photos, videos, and masks. Independent testing reinforces the security of iProov assurance solutions.
ISO/IEC 19795-1:2006
iProov technology conforms with ISO/IEC 19795-1:2006 and is audited by the UK National Physical Laboratory (NPL).
What is ISO/IEC 19795-1:2006?
NPL develops and improves methodologies for evaluating the performance of biometric systems, conducting evaluations and technical consultancy on biometric system performance, to lead to a more robust and accurate recognition. iProov’s methodology for testing biometric verification performance conforms to the relevant requirements of ISO/IEC 19795-1:2006, and these methodologies for testing presentation attack detection conform to ISO/IEC 30107-3:2017.
What does ISO/IEC 19795-1:2006 conformance mean?
This certification validates that iProov’s principles and methods maintain the effectiveness of its presentation attack mechanisms, which are conformant to ISO/IEC 19795-1:2006.
ISO/IEC 19795-1:2006
iProov technology conforms with ISO/IEC 19795-1:2006 and is audited by the UK National Physical Laboratory (NPL).
What is ISO/IEC 19795-1:2006?
NPL develops and improves methodologies for evaluating the performance of biometric systems, conducting evaluations and technical consultancy on biometric system performance, to lead to a more robust and accurate recognition. iProov’s methodology for testing biometric verification performance conforms to the relevant requirements of ISO/IEC 19795-1:2006, and these methodologies for testing presentation attack detection conform to ISO/IEC 30107-3:2017.
What does ISO/IEC 19795-1:2006 conformance mean?
This certification validates that iProov’s principles and methods maintain the effectiveness of its presentation attack mechanisms, which are conformant to ISO/IEC 19795-1:2006.
European GDPR (General Data Protection Regulation) (EU) 2016/679 & UK Data Protection Act 2018
iProov solutions comply with the highest level of privacy protection in the world: European GDPR (General Data Protection Regulation) (EU) 2016/679 and the UK Data Protection Act 2018.
What are the EU GDPR and the UK Data Protection Act?
EU GDPR: The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular, Article 8 of the Charter of Fundamental Rights of the European Union. UK Data Protection Act: The Data Protection Act 2018 controls how your personal information is used by organizations, businesses, or the government. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Why does GDPR and UK Data Protection matter?
Being compliant with GDPR and UK Data Protection demonstrates iProov’s robust data policies and processes, and a strong understanding of privacy regulations.
eIDAS
eIDAS EN 319-401, plus modular certifications; eSig to Qualified level and eID assurance High. Due to annual eIDAS audits, also conformant to AMLD5 Article 24 (1)d. For this requirement, our Trust Service Practice Statement is publicly available.
What is eIDAS?
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. Independent conformity assessment is under Regulation (EU) 910/2014 as amended by Regulation (EU) 2024/1183 (eIDAS 2), which introduces the European Digital Identity Wallet (EUDI Wallet) framework.
Why does eIDAS conformance matter?
iProov-powered solutions conform to ETSI EN 319 401 and ETSI EN 319 411-1/2, certified by independent auditors, including TÜV Austria CERT GmbH and Ernst & Young for conformance to eIDAS Clause 23 (d). In addition, iProov modular certification has been audited to the Qualified level for eSig and Assurance level High for eID. iProov also conforms to AMLD5 Article 24 (1) d. These robust audits provide confidence in the rigor and strength of the solutions, minimize organizations’ operational overheads from separate audit processes, and speed up time to market.
ETSI TS 119 461
iProov conforms to ETSI TS 119 461 for Remote Identity Proofing, supporting the technical requirements for achieving Substantial and High Levels of Assurance (LoA) under Regulation (EU) 910/2014 as amended by Regulation (EU) 2024/1183 (eIDAS 2).
What is ETSI TS 119 461?
ETSI TS 119 461 is the European technical standard for Remote Identity Proofing. It defines the policy and security requirements for trust service components used to verify identity without physical presence.
What does ETSI TS 119 461 conformance mean?
ETSI TS 119 461 provides a standardized, audit-ready framework for remote onboarding without physical presence. It supports AML/KYC compliance and alignment with EU supervisory expectations for high-assurance digital identity.
UK DIATF (Gamma)
iProov is certified under the UK Digital Identity and Attributes Trust Framework (DIATF) version 0.4 gamma, assessed by Kantara as the Conformity Assessment Body. The certificate of conformity was issued on 16 October 2025 and is valid through 16 October 2028. See our gov.uk page on the digital identity and attribute services here for more information.
What is UK DIATF?
DIATF is the UK government framework that sets the rules for secure and trustworthy digital identity and attribute services. Certification is granted following independent assessment by an accredited Conformity Assessment Body and is published on the official gov.uk register.
Why does iProov’s DIATF certification matter?
iProov ID is certified as an Identity service in the Holder role, configured as an underpinning service for partner products. It meets the M1C identity profile at Medium level, with High quality of authenticator and Very High quality of protection. This provides government-aligned identity assurance suitable for UK public sector and regulated use cases, and supports integration with other trusted UK identity ecosystems.
iRAP
Audited to the iRAP (Information Security Registered Assessor Program) in Australia. Achieving IPD 3 (Identity Proofing Level 3), the highest level.
What is iRAP?
The Information Security Registered Assessors Program enables Australian Government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Security Manual (ISM) produced by the Australian Cyber Security Center (ACSC).
Why does iRAP matter?
iRAP assessment ensures that controls, people, processes, and technology are robust enough to protect the Australian Government from data breaches. iProov enables citizens to securely perform a proof of liveness test at identity proofing level three (IP3), which is necessary to access government services. IP3 is the highest level of assurance and is required to prevent the creation of fraudulent identities. Under the Australian government’s trusted digital identity framework (TDIF), IP3 requires a ‘high confidence’ in the claimed identity and is intended for services with a risk of serious consequences from fraud.
NIST SP 800-63-4 Digital Identity Guidelines
iProov is the first and only vendor independently validated to meet the biometric verification requirements in NIST SP 800-63-4. This includes passing ISO-accredited testing for Injection Attack Detection (IAD) against deepfakes and other AI-generated attacks.
What is NIST SP 800-63-4?
NIST SP 800-63-4 is a U.S. federal publication that sets the technical and security standards for digital identity systems. It defines how organizations should verify a person’s identity online, especially for high-risk transactions. The latest update introduces specific provisions to address emerging threats such as deepfakes and other AI-generated attacks, and mandates phishing-resistant authentication for high-assurance scenarios (AAL3).
Why does NIST SP 800-63-4 conformance matter?
iProov’s conformance is independently established through the combination of FIDO Face Verification Certification (Presentation Attack Detection), CEN/TS 18099 with Ingenium Level 4 (Injection Attack Detection), WCAG 2.2 AA accessibility conformance, and supporting certifications for cybersecurity and privacy. These guidelines are widely recognized globally as a benchmark for secure and trustworthy digital identity systems. Meeting them requires rigorous testing of biometric systems for accuracy, spoof resistance, usability, and equity, reducing identity and fraud risk and accelerating security, compliance, and architecture sign-off.
CEN/TS 18099
iProov Dynamic Liveness is the first and only biometric solution to achieve both the CEN/TS 18099 High specification and Ingenium Level 4 for Injection Attack Detection through independent, ISO/IEC 17025-accredited testing, establishing a new industry benchmark for deepfake and injection attack resilience.
Unlike presentation attacks, injection attacks are not physically presented to the device camera; instead, they are injected into the data stream. Injection attacks are the more scalable and dangerous threat.
This evaluation independently confirms our resilience to injection attacks, providing assurance that many other solutions cannot.
What is CEN/TS 18099?
CEN/TS 18099 is the first formal technical specification dedicated to evaluating biometric systems against injection attacks, published by the European Committee for Standardization. Ingenium Level 4 builds on CEN/TS 18099 with an extended period of active testing and the inclusion of complex, highly-weighted attack types. This certification supersedes vendors’ own claims or proprietary assurance frameworks.
Why does CEN/TS 18099 with Ingenium Level 4 matter?
Over 40 days of independent testing by ISO/IEC 17025-accredited Ingenium Biometric Laboratories, no successful injection attack method could be established against iProov Dynamic Liveness. The Bona Fide Presentation Classification Error Rate (BPCER), the rate at which legitimate users were rejected, was 1.3%, twelve times better than the required maximum of 15%. CEN/TS 18099 closes a critical gap beyond presentation attack testing by validating resilience to injection attacks before deployment, preventing costly remediation.
SOC 2 Type II
iProov is certified to SOC 2 Type II.
What is SOC 2 Type II?
SOC 2 certification is based on a set of criteria called the Trust Services Principles, namely: Security, Availability, Processing Integrity, Confidentiality, and Privacy of the service provider’s system. SOC 2 Type II reports are the most comprehensive of the ‘3 SOCs”. This certification assures that the service provider’s system is designed with suitable organizational controls to ensure sensitive information is kept secure in the cloud.
Why does SOC 2 Type II matter?
SOC 2 certification provides detailed information and assurance about iProov’s controls relevant to the security, availability, and processing integrity of the systems that we use to process users’ data and the confidentiality and privacy of the information processed by these systems.
ISO/IEC 27001:2022
iProov operates a certified Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022, the international standard for information security.
What is ISO/IEC 27001:2022?
ISO/IEC 27001 is the leading international standard for managing information security. Certification confirms that an organization operates a documented, continuously audited Information Security Management System (ISMS) covering people, processes, and technology, aligned to international best practice.
Why does ISO/IEC 27001:2022 certification matter?
Independent certification reduces supplier security risk through system-wide security governance, accelerating security due diligence using a globally recognized control framework.
CSA STAR (Level 2)
iProov holds CSA STAR Level 2 certification for cloud security management.
What is CSA STAR?
CSA STAR (Security, Trust, Assurance, and Risk) is an independent certification program from the Cloud Security Alliance. Level 2 confirms that cloud security management meets the CSA Cloud Controls Matrix through third-party assessment.
Why does CSA STAR Level 2 matter?
CSA STAR delivers cloud-specific assurance beyond generic security certifications. It simplifies cloud risk review by mapping directly to cloud security expectations, aiding auditing processes for procurement and security teams.
Cyber Essentials
iProov is certified to Cyber Essentials, the UK government-backed cybersecurity baseline.
What is Cyber Essentials?
Cyber Essentials is a UK government certification scheme that confirms an organization has implemented baseline technical controls to defend against the most common, automated internet-based cyber attacks.
What does Cyber Essentials certification mean?
Cyber Essentials confirms that essential cyber hygiene is in place, reducing exposure to preventable threats. It meets UK public sector and SME procurement requirements while minimizing security check costs.
FSQS Registered
iProov is registered with the Financial Services Qualification System (FSQS).
What is FSQS?
FSQS is a community of UK financial institutions that collaborate on supplier qualification. Registration confirms that a supplier meets pre-qualification requirements covering risk, compliance, and operational areas relevant to financial services.
Why does FSQS registration matter?
FSQS registration accelerates onboarding with financial services customers by leveraging a supplier due diligence platform recognized across the sector, reducing the need for bespoke vendor questionnaires.
ISO 9001:2015
iProov operates a certified Quality Management System (QMS) aligned to ISO 9001:2015.
What is ISO 9001:2015?
ISO 9001 is the international standard for quality management systems. Certification confirms that an organization has effective processes for consistent delivery, control, and continuous improvement.
What does ISO 9001:2015 certification mean?
ISO 9001 improves the predictability of delivery and service outcomes at scale. It provides assurance to customers that issues are systematically managed, investigated, and corrected.
W3C WCAG 2.2 AA, Section 508 & European Accessibility Act (EAA)
iProov solutions conform with W3C WCAG 2.2 AA, US Section 508, and the European Accessibility Act (EAA).
What are WCAG 2.2 AA, Section 508, and the EAA?
WCAG 2.2 AA Web Content Accessibility Guidelines are a set of recommendations for making Web content more accessible, primarily for people with disabilities. US Section 508 was enacted to eliminate barriers in information technology, make available new opportunities for people with disabilities, and encourage the development of technologies that will help achieve these goals. The European Accessibility Act (EAA), effective June 2025, harmonizes accessibility requirements across EU member states for products and services, including digital identity.
What do these accessibility standards mean?
The iProov system does not require a “cognitive function test”: complex instructions for users to read, understand, or execute – the user simply looks at the device to authenticate. User-centric design maximizes inclusivity, delivering the ability to onboard or authenticate users faster, with a simple and secure process. This reduces legal, regulatory, and reputational risk related to accessibility compliance and improves completion rates by ensuring users with disabilities (typically 16% of a user base) can successfully complete digital journeys. A Voluntary Product Accessibility Template or EU Accessibility Statement is available upon request. Learn more about WCAG 2.2.
eID
iProov is certified to eID. iProov’s eID statement is publicly available in an electronic format below.
Please click here to view our eID certification
Certifications FAQ
What is the difference between Presentation Attack Detection (PAD) and Injection Attack Detection (IAD)?
AD evaluates whether a biometric system can detect spoofs physically presented to a camera, such as photos, masks, or replay videos, and is governed by ISO/IEC 30107-3. IAD evaluates resilience against attacks injected directly into the data stream, including AI-generated deepfakes that bypass the camera entirely, and is governed by CEN/TS 18099. A vendor can hold PAD certification and still have no validated resilience to injection attacks, which isn’t sufficient in today’s threat landscape.
Why does CEN/TS 18099 matter for biometric verification?
CEN/TS 18099 provides the first independently auditable benchmark for resilience to injection attacks, including deepfakes. Without CEN/TS 18099 testing, vendors rely on internal documentation or proprietary frameworks rather than standards-aligned third-party evaluation. The standard is referenced in NIST SP 800-63-4 and will inform the forthcoming global ISO 25456.
What is the difference between ISO/IEC 27001 and SOC 2 Type II?
ISO/IEC 27001 certifies that an organization operates a documented Information Security Management System (ISMS) against a global control framework. SOC 2 Type II evaluates whether security, availability, and confidentiality controls work consistently over a sustained audit period, focused on the specifics of how controls are implemented. Holding both demonstrates governance-level commitment and operational evidence of effective controls.
Which certifications does NIST SP 800-63-4 require for biometric verification?
NIST SP 800-63-4 does not require any single certification, but expects evidence across spoof resistance, accuracy, usability, and equity. iProov demonstrates conformance through FIDO Face Verification Certification (PAD), CEN/TS 18099 with Ingenium Level 4 (IAD), WCAG 2.2 AA accessibility, and supporting cybersecurity and privacy audits.
General Terms of Service
iProov’s General Terms of Service may be found here.
For any prospective partners or customers, terms and conditions are encompassed in our Partner Service Agreement, which is available on request.
iProov Privacy Policy
iProov’s Privacy Policy may be found here
You can learn more about the topic of biometric conformance and testing here.
iProov is Trusted By
Right Person. Real Person. Right Now.
Right Person.