Select a liveness vendor that has obtained iBeta ISO 30107-3 PAD Level 1 or Level 2 certification; verify the certification letter is current (iBeta issues time-limited reports) before procurement.
Determine whether passive liveness (no user action, analyzes depth/texture/motion cues) or active liveness (user prompted to blink or turn head) fits your UX requirements; passive is preferred for low-friction flows.
Integrate the vendor's SDK or API into the selfie capture step of your identity proofing flow; pass the liveness check result alongside the biometric comparison result in your compliance audit log.
Record the vendor name, PAD level achieved, test date, and result in the identity proofing transaction record to support audit and NIST 800-63A-4 evidence documentation.
Establish a fallback path for liveness failures: allow a limited number of retries before routing to supervised (in-person or video) proofing rather than infinitely looping.
Review the vendor's spoofing attack taxonomy (print, replay, 3D mask) against your threat model to confirm PAD level covers the attack vectors relevant to your risk profile.
Known gotchas
ISO 30107-3 PAD Level 1 covers basic print and video replay attacks; Level 2 extends to 3D artefacts — regulated financial identity proofing workflows generally require Level 2 to satisfy NIST 800-63A-4 binding requirements.
Liveness and face match are distinct steps: liveness confirms the selfie is from a live person, face match confirms it is the same person as the document photo; both are required for IAL2-equivalent proofing.
iBeta certification letters are issued per specific software version; when a vendor releases a major SDK update, confirm the new version is re-certified before deploying it in a regulated proofing flow.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp