Incode Is the First Company to Achieve iBeta Level 3 Compliance on Both iOS and Android with 0% error

900 attacks. Zero got through.

That is the result of Incode’s Level 3 Presentation Attack Detection evaluation, conducted by iBeta Quality Assurance under ISO/IEC 30107-3, the international standard for biometric spoof testing.

Across Android and iOS, testers executed 900 presentation attacks using hyper-realistic masks crafted with up to 56 hours of preparation time per species. Not a single attack was classified as genuine.

Two numbers matter most in liveness testing:

• The Attack Presentation Classification Error Rate (APCER), which measures the percentage of spoof attempts incorrectly accepted as genuine.
• The Bona Fide Presentation Classification Error Rate (BPCER), which measures the percentage of genuine users incorrectly rejected.

Incode scored 0 percent on both, becoming the first passive liveness provider to achieve iBeta Level 3 conformance on Android and iOS platforms.

‍

‍

What iBeta Level 3 Actually Tests

iBeta is an independent, NVLAP-accredited laboratory that evaluates biometric systems under ISO/IEC 30107-3. Its Presentation Attack Detection (PAD) framework is structured into three escalating levels, each designed to simulate a more capable and better-resourced attacker.

• Level 1 covers basic scenarios using readily available tools such as printed photos or consumer devices.  or APCERIncode achieved iBeta Level 1 compliance in 2019, becoming the first passive liveness provider to do so.
• Level 2 introduces more advanced attack instruments, including artifacts produced with tools such as 3D printers. Incode achieved iBeta Level 2 compliance in 2023.
• Level 3 assumes attackers with significant resources, extended preparation time, access to biometric data from sources like social media, and the ability to manufacture highly realistic facial masks using professional-grade materials. Incode achieved compliance on both Android and iOS in 2026.

‍

How the iBeta Level 3 Evaluation Was Conducted

Testing ran from January to February 2026 on both Android and iOS, with both applications supported by the same backend cloud components.

Testers presented sophisticated attack instruments, yielding 900 total attacks across both platforms. Bona fide presentations were interleaved throughout to measure attack resistance and the system's ability to correctly identify genuine users.

The system blocked every attack. It correctly identified every genuine user.

Why This Matters

For organizations in banking and fintech, iBeta Level 3 compliance addresses a real and growing threat. Synthetic identity fraud and account takeover attacks increasingly involve sophisticated spoofing techniques. Independent validation under the highest available PAD standard provides measurable assurance that the liveness system can withstand well-resourced impersonation attempts, not just commodity attacks.

For government agencies and public sector programs handling citizen identity, Level 3 sets a defensible benchmark. When identity decisions carry legal or regulatory weight, the evidentiary value of independent testing under a recognized international standard matters.

For telcos providers, marketplaces, and any platform operating at scale, the combination of high-assurance liveness and a frictionless user experience directly affects conversion. A system that blocks fraud attacks without adding friction to genuine users is the ultimate goal.

Independent validation under the highest available standard, such as iBeta, gives procurement teams, security officers, and compliance functions something they rarely get: a defensible, third-party answer to the question of whether a system actually protects under adversarial conditions.

“iBeta Level 3 is built to simulate the most sophisticated, well-resourced attackers,” said Ricardo Amper, Founder & CEO at Incode. “Achieving conformance on both iOS and Android while keeping the experience fully passive demonstrates thathigh assurance and seamless user experience can coexist. Independent validation at this level becomes critical as generative AI increases the complexity of today’s attacks”.

‍

No Added Friction

The evaluation was conducted using a fully passive liveness experience. Users capture a single selfie. No challenge prompts, no head movements, no additional steps.

Achieving iBeta Level 3 while maintaining a passive user flow demonstrates that stronger biometric protection does not require greater user friction.

‍

Six Years of Independent Validation

Incode has progressed through every publicly available iBeta PAD level under ISO/IEC 30107-3:

Level 1 validation in 2019.Level 2 validation in 2023.Level 3 conformance in 2026.

Each level increases attack complexity and tightens performance thresholds. Incode’s zero-error performance across progressively tougher PAD evaluations reflects sustained investment in our in-house liveness research as fraud techniques evolve.

Level 3 conformance across both iOS and Android sets a new benchmark for passive liveness performance. As modern fraud tactics lower the barrier to sophisticated impersonation, independent validation under the most rigorous publicly available PAD standard will increasingly define which identity systems are built for high-assurance environments, and which are not.

‍

Incode was named a Leader in the 2025 Gartner® Magic Quadrant™ for Identity Verification. Download the report.

‍