DuckDuckGoose Morphing Attack Detection (MAD) for government identity document issuance: passports, national ID cards and driving licences. Unlike deepfake detection, which looks for AI generation artefacts, and liveness detection, which confirms physical presence, MAD detects composite face morphs at photo submission. Single-image MAD (S-MAD) analyses landmark geometry, texture consistency and frequency-domain artefacts; differential MAD (D-MAD) compares the submitted photo against a live capture. Explainable XAI reports, on-premise deployment, GDPR Article 9 biometric data handling, engineered to EU AI Act Articles 9 to 15 requirements.

Morphing Attack Detection

The morphing attack:
two faces, one photo,
a genuine document.

A morphing attack blends a fraudster's face with a legitimate applicant's. Both verify against the issued document. After issuance, there is no fake left to find. The photo is the only place to stop it.

Engineered to EU AI Act Art. 9–15 ISO 27001 certification underway GDPR Art. 9
morph_synthesis_demo.svg
Attack anatomy
Legitimate holder face_A · genuine Fraudster face_B · attacker Morphed composite both faces verify against this photo Fusion seam · landmark variance · blend artefacts. This is what MAD reads
Live Detection Console

The morphed photo confesses four different ways

One submitted photograph. Four independent analyses, each with its own confidence band in the XAI report. This is what the engine sees. Output shown is illustrative; benchmark data is available under NDA.

mad_console · submitted_photo.jpg · 4-signal analysis
Analysing
landmarks: 68/68 extracted deviation: 3 points > 2.1σ symmetry break: jaw_R+14 submitted_photo.jpg · 68-pt landmark overlay
Signal readout
› extracting 68-pt landmark set
› computing symmetry ratios
› 3 points deviate > 2.1σ
› jaw asymmetry outside natural variance
› signal logged to XAI report
Contribution
landmark_score0.88
recapture_robustyes
latency84ms
0.00CONF
Aggregate verdict
MORPHING
DETECTED
→ human review queue

Each signal carries an independent confidence band in the XAI output, the evidential basis for citizen appeals under national administrative law.

Attack Anatomy

Where a face morph betrays itself

Four regions carry the evidence. None of them visible to the officer at the counter. Move through each marker to see what the human eye cannot.

morphed_submission.jpg · forensic overlay
1

Central fusion seam

Most morphing tools blend along the facial midline. The seam carries gradient discontinuities in skin texture invisible at print resolution but measurable at block level.

2

Periocular landmark drift

Eye-corner and iris-centre landmarks inherit positions from two different faces. The resulting spacing falls outside the natural variance envelope of a single individual.

3

Jawline geometry inconsistency

Jaw contours are notoriously hard to blend cleanly. Asymmetric curvature between left and right jaw segments is a high-weight detection signal, and it survives re-capture.

4

Hairline ghosting

Blended hairlines produce semi-transparent ghost contours and frequency-domain energy in bands where genuine photos carry none. Strongest on digital submissions.

The Issued Document

After issuance, there is nothing left to detect

The card is real. The chip is real. The photo verifies two people. Border gates, banks, and notaries will trust it for ten years. Issuance is the last checkpoint that can say no.

Fraudster face_B · attacker Legitimate holder face_A · genuine MATCH ✓ MATCH ✓
morphed photo
 DDG MAD INTERCEPT ISSUANCE BLOCKED flagged at photo submission · confidence 0.947 NO DOCUMENT ✗ IDENTITY PROTECTED
Processing Pipeline

Photo submission to MAD verdict in under 400ms

One API call inside the workflow you already run. No new hardware at the desk. Nothing changes for the citizen.

Photo intakeDigital portal or
service pointt=0
NormalisationFace crop, alignment,
quality gating~40ms
4-signal MADLandmark · texture ·
frequency · differential~250ms
XAI reportPer-signal confidence,
appeal-ready evidence~50ms
Route decisionClear → issuance
Flag → human review<400ms total
Deployment Topology

Sovereignty is a deployment choice, not a promise

Three topologies. In all three, the biometric boundary is yours to draw. In two of them, biometric data never leaves your infrastructure.

Maximum sovereignty
ISSUING AUTHORITY BOUNDARY Issuance DDG MAD on-prem

Full on-premise

MAD runs entirely inside the issuing authority's own infrastructure. No biometric data crosses any external boundary. Updates delivered as signed, air-gappable releases.

zero egressNL sovereignair-gap capable
AUTHORITY BOUNDARY MAD inference DDG EU cloud model updates only

Hybrid: inference local

Inference runs on-premise; model updates and monitoring flow from DDG's EU infrastructure. Biometric data never leaves the authority's boundary.

data stays localmanaged updatesEU-only telemetry
DDG EU SOVEREIGN CLOUD MAD API NL data residency

EU sovereign cloud

Fully managed API with contractual Dutch data residency, EU-only processing chain, and retention policies agreed at deployment. Fastest to pilot.

NL residencyfastest pilotDPIA supported
Explainability Output

Every MAD decision defensible in an appeal

A flagged citizen has the right to ask why. The report answers in plain language: which signals fired, at what confidence, against which thresholds. Written for the reviewing officer and the appeal file, not the data science team.

Per-signal confidence bands: each of the four signal classes documented independently, never a single opaque score.

Human-readable rationale: written for a reviewing officer, not a data scientist. EU AI Act Article 13 transparency by design.

Immutable audit trail: every analysis logged with model version, thresholds, and reviewer actions for regulatory inspection.

MAD Analysis Reportcase_ref: DEMO-2026-038271 · model v4.2.1
Flagged
Landmark geometry0.88

3 of 68 landmarks deviate >2.1σ from single-identity variance. Jaw asymmetry detected.

Texture consistency0.92

Gradient discontinuity along facial midline consistent with blend seam. 11 of 80 blocks affected.

Frequency domain0.97

Mid-band DCT energy +38% versus genuine baseline. Signature consistent with morphing toolchains.

Differential (vs live capture)0.94

Geometric divergence 0.31 exceeds ageing-adjusted threshold 0.12. Identity inconsistency probable.

Aggregate verdictMORPHING_DETECTED · 0.947

Routed to human review per workflow policy. All four signal classes exceed flag thresholds independently.

Illustrative report · benchmark data under NDA EU AI Act Art. 13 · GDPR Art. 9
Why DuckDuckGoose

Built by the team that detects what humans cannot

DuckDuckGoose is a Delft-based detection company. Our engines analyse manipulated and synthetic imagery for banks, identity verification providers, and forensic institutes. MAD extends the same forensic pipeline to a threat most of the market has not caught up with yet.

500K+
synthetic identities blocked

In production with a single identity verification client, at a false rejection rate below 0.5%.

68%
of morphs pass human review

Peer-reviewed studies show untrained examiners accept 50/50 morphs as genuine at this rate. Machines must do what officers cannot.

1
documented passport morph case was enough

A passport application in Germany made with a morphed photo prompted authorities to reconsider self-submitted photographs. The attack is not theoretical.

Our detection engines are trusted by bunq, Banco Daycoval, and the Netherlands Forensic Institute. The same forensic standards now apply to morphing attack detection.

Morphing Attack Detection FAQ

The questions evaluators ask first

Short answers here. Full technical documentation in the procurement package.

A morphing attack blends the facial photographs of two people, typically a fraudster and a legitimate applicant, into one composite image. If the morphed photo is accepted at issuance, the resulting passport, ID card or driving licence is genuine, and both contributors verify against it. Research has shown a single morphed image can match more than one person, both to algorithms and to human experts. More background on synthetic media threats is on our insights page.
Deepfake detection looks for AI generation artefacts; a morphed photo is a blend of two real photographs and carries none. Liveness detection confirms a person is physically present; the morph is submitted before any live session begins. The research literature confirms that current deepfake detectors cannot effectively discriminate morphed images and that presentation attack detection is not suited to morphs. MAD is a third, purpose-built capability. Our deepfake detection engine, Phocus, covers the AI-generated threat; MAD covers this one.
Single-image MAD analyses the submitted photograph alone: landmark geometry, texture consistency and frequency-domain artefacts. Differential MAD compares the submitted photograph against a trusted live capture and flags divergence beyond ageing and lighting thresholds. D-MAD is generally the stronger signal where a live capture exists; S-MAD covers postal and portal submissions where none does. Technical detail on both pipelines is in our technology documentation.
Reliably, no. Peer-reviewed studies report untrained examiners accept 50/50 morphs as genuine at rates around 68%. The artefacts that betray a morph, such as landmark variance and fusion seams, sit below the threshold of human vision. That is why detection at issuance must be automated, with human review reserved for flagged cases.
Classification depends on deployment context. The final Act excludes pure 1:1 biometric verification and the verification of travel documents from Annex III. DuckDuckGoose engineers MAD to the high-risk requirements of Articles 9 to 15 regardless: risk management, data governance, logging, transparency, human oversight, and accuracy documentation. The system holds whichever way your legal review classifies a given deployment, and we provide the technical file to support that review.
As a REST API call at photo intake, before any live capture. Cleared submissions continue to issuance; flagged submissions route to a human reviewer with an explainable report. Where the workflow includes a live session, differential MAD adds a second, independent layer. Deployment can be fully on-premise, hybrid, or in an EU sovereign cloud. Talk to our team about your workflow, or read more about DuckDuckGoose.
Procurement Readiness

Every claim on this page is documented

RFI and RFP packages, accuracy benchmarks, government reference clients, and confirmed SME eligibility under Directive 2014/24/EU. Request the file and check it.

Request the MAD capability overview
for your procurement file

Written for procurement files, technical evaluators, and programme managers. Not a sales deck.

Request MAD Capability Overview Download MAD Technical Brief