A 95% Match Score Sounds Solid. These 3 Reality Checks Show When It Isn’t.

At RSAC 2026, cybersecurity researcher Jake Moore walked up to a facial recognition system and defeated it — not by hacking the algorithm, not by wearing a mask, but by injecting a synthetic video stream directly into the camera feed. The system saw a perfectly normal face. The match came back clean. The face wasn't real.

That demonstration, reported by Biometric Update, landed quietly in industry circles but deserves a much wider audience. Because what Moore exposed isn't a niche software bug. It's a structural blind spot in how most people — investigators, attorneys, and frankly most software vendors — think about facial recognition reliability. The system assumed the camera feed was telling the truth. It wasn't programmed to ask.

Here's the thing: modern deepfakes don't need to trick your eyes. They need to trick the pipeline. And they're very good at it.

---

The Assumption That's Quietly Breaking Everything

Most facial recognition systems were built around a reasonable-sounding premise: if an image or video comes through a trusted channel, it's real. The algorithm's job is to match faces, not to interrogate whether the face exists in the physical world. For years, that worked fine. Cameras didn't lie.

They do now.

Current injection attack techniques — the category Moore demonstrated — don't interfere with the recognition algorithm at all. They operate upstream of it, feeding synthetic video into the camera API before the recognition software ever sees a single pixel. From the algorithm's perspective, it's receiving a normal camera feed. It matches the face. It reports high confidence. Nobody in the system is flagged to ask a follow-up question. This article is part of a series — start with Deepfake Bills Photo Evidence Investigators 2026.

This is why the field of Injection Attack Detection (IAD) has become its own discipline, separate from Presentation Attack Detection (think: holding a photo up to a camera). IAD asks a different question entirely — not "is this a mask?" but "is this camera feed coming from a real camera right now?" Those are fundamentally different problems, and the second one is considerably harder.

That market growth isn't hype — it's organizations finally pricing in a threat they used to ignore. The first wave of formal IAD assessments is now being conducted by biometrics testing labs, working from European standards that are being used as the foundation for an emerging ISO standard. In other words: the industry is slowly, methodically building the rulebook it should have written five years ago.

---

Check One: Don't Rely on the Liveness Test Alone

Ask someone what stops a deepfake from fooling facial recognition, and they'll usually say something about blinking. "Doesn't it ask you to blink? Or turn your head?" Yes, many systems do. And for a while, that was genuinely useful. Early deepfakes couldn't handle real-time challenges — ask the face to look left, and the video would stutter or glitch.

That era is over.

Contemporary face-swap and talking-head models can follow real-time liveness prompts with enough fidelity to pass automated checks. The blink test isn't broken — it's just not sufficient on its own anymore. What investigators need instead is a layered liveness assessment: not just "did the face blink?" but "did the blink happen at a physiologically plausible rate, with natural eyelid motion, combined with the subtle facial micromovement a real human head produces?"

Real faces move in complicated, slightly chaotic ways. A person breathing creates tiny shifts in the position of their nose and cheeks. Eyes don't just open and close — the surrounding muscle groups pull in specific sequences that deepfake models still struggle to replicate consistently across extended video. Investigators trained in this space know to watch a clip for at least 30 seconds before making a call, because synthetic faces tend to "settle" into subtle regularities that real faces never produce.

"Basic liveness challenges like blinking and head turns no longer offer meaningful protection — modern deepfakes can inject synthetic video directly into trusted channels, making traditional automated checks insufficient on their own." — Biometric Update, RSAC 2026 coverage

---

Check Two: The Confidence Score Is Lying to You (Sort Of)

Here's the misconception that causes the most damage in actual casework: a 95% confidence match means the algorithm is 95% sure these two faces are the same person. Right? Previously in this series: Governments Lock Down Biometric Ids Investigators Get Left O.

Wrong. And this is the part that even experienced investigators sometimes miss.

That 95% figure is computed under the conditions present at the moment of matching — the resolution, the lighting, the head angle, the compression level of the image. What it does not tell you is whether those conditions were any good. Benchmark accuracy scores, including the widely-cited NIST FRVT results, are measured under controlled conditions: frontal pose, consistent lighting, high resolution. Real investigations involve motion blur, surveillance camera compression, subjects caught in three-quarter profile at 2 a.m.

Research from Carnegie Mellon's CyLab Biometrics Center has documented confidence score drops of 30–40% at just a 30-degree head angle — even on algorithms that perform exceptionally on frontal imagery. Think about that. A face turned slightly away from the camera — the kind of angle you'd see in almost any real surveillance clip — can cut the algorithm's effective accuracy nearly in half, and the system will still report a number that sounds authoritative. The algorithm doesn't say "warning: suboptimal angle." It just gives you the number it computed.

This is why the analogy that sticks is airport security screening. Facial recognition performs beautifully when subjects walk straight toward a camera in good light — essentially the conditions of a passport control booth. The moment you move to an outdoor surveillance context, with unpredictable angles and changing light, you're operating far outside what the benchmark scores actually describe. You're not getting 99% accuracy anymore. But the system isn't telling you that.

At CaraComp, this gap between laboratory benchmarks and operational accuracy is something we treat as a core part of investigator training — because the moment you trust a score without interrogating the conditions that produced it, you've introduced a vector for error that no algorithm can catch for you.

---

Check Three: Measure the Face Across Time, Not Just One Frame

The third check is the one that's hardest to explain and probably the most powerful: instead of analyzing individual frames for pixel-level artifacts — the blurry edges, the color banding, the "uncanny valley" glitch that deepfakes used to leave behind — advanced detection now measures how a face changes across the sequence of frames in a video. Up next: A 95 Match Score Sounds Solid These 3 Reality Checks Show Wh.

Real faces have what researchers call facial biometric consistency over time. Your face, as captured in video, produces a specific distribution of similarity scores from frame to frame — close but never identical, varying in ways that reflect actual physical motion. Deepfake models, by contrast, tend to produce facial similarity distributions that are either too consistent (the face barely varies because the model is anchored to a source image) or inconsistently variable in ways that don't match human movement patterns.

Research published on ArXiv has formalized this approach — measuring the distribution of biometric facial similarity across video frames as a detection signal — and shown it holds up across different resolutions and compression qualities. That last part matters enormously. Most pixel-artifact detection methods break down when a video is re-compressed or downscaled, which happens constantly when footage gets shared, uploaded, and re-downloaded. A method that works on the face's movement pattern rather than its pixel signature is much harder to defeat with post-processing.

Meanwhile, a comparative evaluation of publicly accessible deepfake detection tools found something humbling: experienced human investigators were correctly flagging deepfakes that automated classifiers were reporting as authentic. The AI tool was returning "real" — silently, confidently — on images a trained human eye could identify through anatomical inconsistencies, implausible lighting, and object-level cues that the classifier wasn't measuring. The automated tool doesn't fail loudly. It fails with a clean result and a high score.

Here's the sharpest way to think about all of this: the skill that used to define a great facial recognition investigator was finding the match. Today, that's table stakes. The real expertise is stress-testing that match against the three ways it might be wrong — a synthetic feed, a punishing camera angle, or a face that passes a snapshot test but moves like no human ever has. Anyone can read a score. The investigator worth trusting is the one who knows when not to.

When you get a key image or video in a case, what's the first reality check you personally run before trusting what you see?