The Invisible Threat: Evaluating the Vulnerability of Cross-Spectral Face Recognition to Presentation Attacks

Anjith George1 and Sébastien Marcel1,2
1Idiap Research Institute, 2UNIL

Accepted in IJCB 2025.
Paper arXiv Code Database
Scores

Gallery (VIS) and probe (NIR) sample pairs from the WMCA VIS-NIR protocol, with match scores (cosine similarity scores normalized to -1 to 1) generated by the SSMB [9] approach. Examples include genuine pairs, zero-effort impostors (ZEI), and various attack types, with laser photo attacks yielding the highest match scores among attacks

Summary

Cross-spectral face recognition systems are designed to enhance the performance of facial recognition systems by enabling cross-modal matching under challenging operational conditions. A particularly relevant application is the matching of near-infrared (NIR) images to visible-spectrum (VIS) images, enabling the verification of individuals by comparing NIR facial captures acquired with VIS reference images. The use of NIR imaging offers several advantages, including greater robustness to illumination variations, better visibility through glasses and glare, and greater resistance to presentation attacks. Despite these claimed benefits, the robustness of NIR-based systems against presentation attacks has not been systematically studied in the literature. In this work, we conduct a comprehensive evaluation into the vulnerability of NIR-VIS cross-spectral face recognition systems to presentation attacks. Our empirical findings indicate that, although these systems exhibit a certain degree of reliability, they remain vulnerable to specific attacks, emphasizing the need for further research in this area.

Methodology

This paper proposes the first systematic study of how cross-spectral face recognition (matching NIR probes to VIS galleries) withstands presentation attacks. We introduce and release new VIS-VIS and VIS-NIR vulnerability protocols built on the WMCA dataset, then benchmark two state-of-the-art deep-learning CFR models (DIU and SSMB) plus a commercial SDK. Although all three systems achieve perfect verification in clean conditions, they are vulnerable to presentation attacks: aggregate impostor-attack match rates fall from ≈85 % in VIS-VIS to 16–32 % in VIS-NIR, yet simple laser-printed photo spoofs still succeed 97–100 % of the time, exposing a major blind spot. Score-distribution analyses confirm that many common spoof types fade in NIR, but highly reflective laser prints remain dangerously effective. A commercial presentation-attack detector fares no better, posting a 64 % ACER in NIR, which highlights the urgent need for PAD designed specifically for NIR-only scenarios. By establishing the new protocols, revealing a critical vulnerability, and outlining directions for NIR-focused defenses, the paper challenges the assumptions about the inherent robustness of cross-spectral face recognition.

Score distribution for attacks in VIS and NIR

The score-distribution plots show that moving from a VIS-VIS to a VIS-NIR setting generally weakens presentation attacks: for most spoof categories, replay videos on tablets, ink-jet prints, masks and wearable disguises the median similarity score shifts left, reflecting the fact that their visual cues either disappear or lose contrast in NIR light. As a result, these attacks pose far less risk to cross-spectral face recognition than they do to conventional VIS-VIS systems. The outlier is the laser-printed photo attack: because laser toner is highly reflective in the NIR band, its score distribution shifts right, making it the most effective remaining threat under the VIS-NIR protocol

xEdgeFace performance chart

Score distributions across all categories for both the DIU and SSMB HFR systems are depicted in the plots. Each plot illustrates the score distributions for Bonafide, Impostors (ZEI), and other attack types for a specific HFR system. Higher scores for attacks would indicate increased attack potential. The red arrow indicates the shift in distribution from VIS (blue) to NIR (orange) modalities. A leftward shift (negative) for attacks signifies decreased vulnerability to that specific attack.


Histograms

The histograms show how each powerful spoof type scores against two cross-spectral face-recognition models when VIS enrolments are probed with NIR images. Most attacks (masks and the mixed “All PAs” set) lie well to the left of the genuine-user curve and below the 0.1 % FMR threshold, signalling that they are rarely accepted. In contrast, the laser-printed photo curve rides almost on top of the genuine distribution and crosses the decision threshold, which drives IAPMR values up to 97–100 %. This tight overlap pinpoints laser prints as the single dominant vulnerability that survives the spectral gap.

hist

Score distributions (VIS-NIR Protocol) for two HFR systems (first row DIU , second row SSMB) with different PA combinations (All PAs, Laser Photos, Masks). Each plot shows histograms of genuine (green), ZEI (blue), and attack (gray) scores. The red dashed line marks the FMR 0.1% threshold (from the licit protocol’s development group), while the solid red curve represents IAPMR across thresholds. The IAPMR at the given threshold is found at the curve’s intersection with the dashed line.


COTS PAD performance

A commercial off-the-shelf PAD module, tested on the WMCA evaluation set, struggles to protect cross-spectral systems: when the PAD’s EER-based threshold is applied to probe samples, overall ACER remains high, especially in the VIS-NIR scenario, where laser-printed photo spoofs sail past detection with a 98 % APCER. VIS-VIS scores are somewhat better, but the sharp NIR drop-off confirms that generic COTS solutions are ill-equipped for heterogeneous face recognition and that purpose-built NIR-focused PAD is urgently needed.

hist

PAD Metrics for COTS-PAD system across VIS and NIR images


Dataset Availability

The WMCA dataset used in this paper is publicly available at: https://www.idiap.ch/en/scientific-research/data/wmca .

BibTeX

@article{vulncfr,
  title     = {The Invisible Threat: Evaluating the Vulnerability of Cross-Spectral Face Recognition to Presentation Attacks},
  author    = {George, Anjith and Marcel, Sebastien},
  booktitle = {2025 IEEE International Joint Conference on Biometrics (IJCB)},
  pages     = {1--10},
  year      = {2025},
  organization = {IEEE}
}