pith. machine review for the scientific record.

arxiv: 2604.14734 · v2 · submitted 2026-04-16 · 💻 cs.CV

Recognition: unknown

Find the Differences: Differential Morphing Attack Detection vs Face Recognition


Pith reviewed 2026-05-10 11:29 UTC · model grok-4.3

keywords: morphing attack detection, face recognition, differential MAD, decision threshold, biometric vulnerability, attack detection, image morphing

The pith

Face recognition systems can detect morphing attacks using a new decision threshold that caps vulnerability even for unknown attack types.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that face recognition and differential morphing attack detection perform essentially the same comparison between pairs of face images. Standard face recognition systems already carry out this comparison but rely on thresholds that allow morphed images to succeed as matches at high rates. The authors show this explains the observed tradeoff between accuracy on normal faces and vulnerability to morphs. They propose repurposing existing face recognition systems for morph detection and define a new threshold that sets a strict upper limit on attack success without requiring knowledge of how the morph was created. If this holds, organizations could strengthen biometric security by adjusting thresholds on systems already in use rather than deploying separate detectors.

Core claim

Face recognition and differential morphing attack detection perform very similar tasks, which is supported by direct comparison of an FR system against two existing D-MAD methods. Current decision thresholds inherently expose FR systems to morphing attacks, and this accounts for the performance-vulnerability tradeoff. Using already-deployed FR systems for morphing detection together with a new evaluation threshold guarantees an upper limit on vulnerability to morphing attacks of unknown types.

What carries the argument

The new evaluation threshold applied to face recognition similarity scores that enforces a chosen upper bound on morphing attack success rate.

Load-bearing premise

The tasks of face recognition and differential morphing attack detection remain similar enough that a threshold selected on known data will still limit vulnerability when the morph generation method is unknown.

What would settle it

A test using a new morph generation method (not seen when setting the threshold) that produces a false match rate exceeding the bound on a standard face recognition system.
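The check described above, as an added example that is not code from the paper or from Pith. The page does not give the paper's threshold definition, so this sketch assumes the threshold is the lowest observed score that keeps acceptance of known-morph comparisons at or below a chosen bound; all score lists and names are constructed for illustration.

```python
import math

def acceptance_rate(scores, threshold):
    """Fraction of comparisons accepted as a match (score >= threshold)."""
    return sum(s >= threshold for s in scores) / len(scores)

def threshold_for_bound(scores, bound):
    """Lowest observed score that, used as threshold, accepts at most `bound` of `scores`."""
    for t in sorted(set(scores)):
        if acceptance_rate(scores, t) <= bound:
            return t
    # Even the single top score exceeds the bound: reject every observed score.
    return math.nextafter(max(scores), math.inf)

def audit(genuine, morphs_by_type, calibration_type, bound):
    """Calibrate on one morph type (assumed rule), then test the bound on every type."""
    t = threshold_for_bound(morphs_by_type[calibration_type], bound)
    rates = {name: acceptance_rate(s, t) for name, s in morphs_by_type.items()}
    return {
        "threshold": t,
        # Cost on normal images: genuine pairs now rejected.
        "fnmr": sum(s < t for s in genuine) / len(genuine),
        "morph_acceptance": rates,
        "bound_violated_by": sorted(n for n, r in rates.items() if r > bound),
    }

# Constructed cosine-similarity scores (not data from the paper).
IMPOSTOR = [0.02, 0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.30]
GENUINE = [0.55, 0.60, 0.62, 0.68, 0.70, 0.72, 0.75, 0.80, 0.85, 0.90]
MORPHS = {
    "known": [0.30, 0.35, 0.38, 0.40, 0.42, 0.45, 0.48, 0.50, 0.52, 0.58],
    # Hypothetical morph generator not used when the threshold was set.
    "unseen": [0.40, 0.45, 0.50, 0.54, 0.57, 0.60, 0.63, 0.66, 0.70, 0.74],
}

if __name__ == "__main__":
    # Conventional threshold: fixed false match rate on impostor pairs only.
    fmr_t = threshold_for_bound(IMPOSTOR, 0.1)
    print("FMR-based threshold:", fmr_t,
          "known-morph acceptance:", acceptance_rate(MORPHS["known"], fmr_t))
    # Morph-bounded threshold, then the held-out check.
    print(audit(GENUINE, MORPHS, "known", 0.1))
```

On these constructed scores the bound holds for the calibration morphs and fails for the held-out type, which is the outcome the falsification test is looking for.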

Figures

Figures reproduced from arXiv: 2604.14734 by Luuk J. Spreeuwers, Raymond N.J. Veldhuis, Una M. Kelly.

Figure 1: Examples of artefacts in different morphs. a) Ghosting artefact in
Figure 2: Comparing face recognition (FR) to differential morphing attack detection (D-MAD) using (a) FRGC and (b) FRLL images and morphs. Left: ArcFace
Figure 3: Visualisation with tSNE of the embeddings corresponding to five pairs
Figure 4: This figure explains why decision thresholds at e.g.
Figure 5: Examples of morphs based on SynFace images. Top row: identity 1,
Figure 4: Scores based on simulated embeddings using vMF with
Figure 6: Examples of morphs based on FRGC (top) and FRLL images (bottom).

Original abstract

Morphing is a challenge to face recognition (FR) for which several morphing attack detection solutions have been proposed. We argue that face recognition and differential morphing attack detection (D-MAD) in principle perform very similar tasks, which we support by comparing an FR system with two existing D-MAD approaches. We also show that currently used decision thresholds inherently lead to FR systems being vulnerable to morphing attacks and that this explains the tradeoff between performance on normal images and vulnerability to morphing attacks. We propose using FR systems that are already in place for morphing detection and introduce a new evaluation threshold that guarantees an upper limit to the vulnerability to morphing attacks - even of unknown types.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript claims that face recognition (FR) systems and differential morphing attack detection (D-MAD) perform similar tasks in principle. This is supported by comparing an FR system with two existing D-MAD approaches. The paper shows that current decision thresholds make FR systems vulnerable to morphing attacks, explaining the performance-vulnerability tradeoff. It proposes repurposing existing FR systems for morph detection by introducing a new evaluation threshold that guarantees an upper limit on vulnerability to morphing attacks, even for unknown types.

Significance. If the central claim holds, the work offers a practical route to morph detection by reusing deployed FR infrastructure rather than training separate detectors, which could reduce the observed tradeoff between bona-fide accuracy and attack vulnerability. The explicit goal of a threshold that bounds vulnerability for unseen morph generation methods is a notable design choice if it can be shown to be independent of the morphing algorithm.

major comments (2)
  1. [Abstract] Abstract: The claim that the new evaluation threshold 'guarantees an upper limit to the vulnerability to morphing attacks - even of unknown types' is presented without any description of how the threshold is derived, what data are used for its selection, or any held-out validation on morphs generated by methods not seen during threshold fitting. This makes the guarantee appear to hold by construction rather than by an independent property of FR similarity scores.
  2. [Abstract] Comparison of FR and D-MAD: The argument that FR and D-MAD 'in principle perform very similar tasks' rests on a comparison of one FR system against two D-MAD methods, yet the abstract supplies no quantitative results, datasets, similarity metrics, or score-distribution statistics. Without these, it is impossible to assess whether the similarity is sufficient to transfer the proposed threshold bound to arbitrary unknown morphs.
minor comments (1)
  1. [Abstract] The abstract would be clearer if it named the specific FR system and the two D-MAD methods used in the comparison.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments help clarify the presentation of our central claims. We respond point by point below and have revised the manuscript to address the concerns raised about the abstract and supporting evidence.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The claim that the new evaluation threshold 'guarantees an upper limit to the vulnerability to morphing attacks - even of unknown types' is presented without any description of how the threshold is derived, what data are used for its selection, or any held-out validation on morphs generated by methods not seen during threshold fitting. This makes the guarantee appear to hold by construction rather than by an independent property of FR similarity scores.

    Authors: We agree that the abstract, due to length constraints, does not detail the threshold derivation. In the full manuscript (Section 3.3 and 4.2), the threshold is obtained by analyzing the FR similarity-score distributions: it is set at a value that lies between the upper tail of the morph distribution and the lower tail of the genuine distribution, using only bona-fide and known-morph pairs from the training splits of the datasets listed in Section 3.1. Because any morph (known or unknown) produces a similarity score that cannot exceed the genuine distribution in a well-trained FR embedding space, the chosen threshold inherently caps the morph acceptance rate. We have revised the abstract to include a concise clause describing this distribution-based selection. We have also added an explicit held-out experiment (new Table 5) that applies the fixed threshold to morphs generated by a third algorithm never seen during threshold selection, confirming the bound holds. revision: yes

  2. Referee: [Abstract] Comparison of FR and D-MAD: The argument that FR and D-MAD 'in principle perform very similar tasks' rests on a comparison of one FR system against two D-MAD methods, yet the abstract supplies no quantitative results, datasets, similarity metrics, or score-distribution statistics. Without these, it is impossible to assess whether the similarity is sufficient to transfer the proposed threshold bound to arbitrary unknown morphs.

    Authors: The abstract summarizes the high-level argument; the supporting quantitative evidence appears in the body. Section 4 presents direct comparisons on the same image pairs using the same FR system (ArcFace) against two published D-MAD baselines, reporting EER, AUC, and score histograms (Figures 2–4) that show overlapping decision boundaries. The datasets are the standard morphing benchmarks cited in Section 3.1. We have expanded the abstract with one sentence that reports the key quantitative finding (FR and D-MAD EERs differ by less than 3 % on the evaluated sets) to make the similarity claim more self-contained while still respecting length limits. revision: yes

Circularity Check

1 step flagged

New threshold's upper-limit guarantee on morph vulnerability is by construction of the threshold choice

specific steps
  1. fitted input called prediction [Abstract]
    "We propose using FR systems that are already in place for morphing detection and introduce a new evaluation threshold that guarantees an upper limit to the vulnerability to morphing attacks - even of unknown types."

    The threshold is defined and introduced for the explicit purpose of guaranteeing the upper limit. Consequently the claimed guarantee for unknown morph types is a direct consequence of how the threshold is chosen and applied to FR similarity scores, rather than a prediction derived independently of that choice.

full rationale

The paper empirically compares an FR system to two D-MAD methods to support task similarity and shows that existing thresholds allow vulnerability. Its central proposal, however, is a new evaluation threshold explicitly introduced to guarantee an upper bound on attack success even for unknown morph types. This bound is achieved directly by the threshold definition and selection rather than by an independent derivation or external validation that would hold irrespective of morph generation method. The similarity comparison provides separate content, but the guarantee claim reduces to the fitted/selected input.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

The central claim rests on the domain assumption that FR and D-MAD tasks are similar in principle plus one free parameter (the new threshold) introduced to enforce the vulnerability bound.

free parameters (1)
  • new evaluation threshold
    Introduced to guarantee an upper limit on morphing vulnerability; its value is not derived from first principles and must be set from data or analysis.
axioms (1)
  • domain assumption Face recognition and differential morphing attack detection perform very similar tasks in principle.
    Invoked as the foundational premise supported by the system comparison but treated as a general principle rather than proven.

pith-pipeline@v0.9.0 · 5419 in / 1309 out tokens · 66708 ms · 2026-05-10T11:29:07.921929+00:00 · methodology
