pith. sign in

arxiv: 2604.19365 · v1 · submitted 2026-04-21 · 💻 cs.CV

Detection of T-shirt Presentation Attacks in Face Recognition Systems

Mathias Ibsen , Loris Tim Ide , Christian Rathgeb , Christoph Busch This is my paper

Pith reviewed 2026-05-10 02:30 UTC · model grok-4.3

classification 💻 cs.CV
keywords presentation attack detectionface recognitionT-shirt attacksspatial consistencybiometric securityperson detectioncomputer vision
0
0 comments X

The pith

Combining face and person detectors detects T-shirt presentation attacks by checking spatial consistency of their positions.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines T-shirt presentation attacks, in which an attacker wears a shirt printed with a target face to fool face recognition systems. It evaluates this threat on 1,608 attack samples from 100 different T-shirts plus 152 genuine presentations, confirming that the attacks can bypass unprotected systems. The core proposal combines existing face and person detectors to compare the spatial locations of the detected face and body; genuine presentations show consistent alignment while T-shirt attacks produce mismatches. This addresses the difficulty of extending presentation attack detection to previously unseen attack types.

Core claim

State-of-the-art face and person detectors are combined to analyse the spatial positions of detected faces and persons based on which T-shirt attacks can be reliably detected.

What carries the argument

Spatial consistency checks between outputs of face and person detectors

If this is right

  • T-shirt attacks compromise face recognition security unless spatial consistency is enforced.
  • The method achieves reliable detection on the full TFPA database of 1,608 attacks and 152 bona fide cases.
  • The approach generalizes presentation attack detection to this novel attack category without requiring new training data.
  • Combining two off-the-shelf detectors provides a lightweight check that does not alter the underlying recognition pipeline.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same consistency principle could be tested on other wearable attacks such as printed masks or caps that displace the apparent face location.
  • Deployments could add a low-cost person detector stage to existing face systems to cover multiple presentation attack vectors at once.
  • If detector performance varies across lighting or camera angles, the consistency threshold would need calibration on site-specific data.

Load-bearing premise

T-shirt attacks will produce spatial inconsistencies between face and person detections that never occur in real presentations, and the detectors will perform reliably on attack and genuine images alike.

What would settle it

An evaluation set in which every T-shirt attack image yields face and person bounding boxes whose centers align within the same tolerance range as all bona fide samples would falsify the detection approach.

Figures

Figures reproduced from arXiv: 2604.19365 by Christian Rathgeb, Christoph Busch, Loris Tim Ide, Mathias Ibsen.

Figure 1
Figure 1. Figure 1: Can T-shirts with faces printed on them be used to attack face recognition [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Example images of different T-shirt PAs of the TFPA database for a single [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Example images of different bona fide presentations for a single data subject [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Two examples in which the detected persons (blue bounding boxes) with the [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Detection scores obtained using the proposed spacial consistency checks on [PITH_FULL_IMAGE:figures/full_fig_p011_5.png] view at source ↗
read the original abstract

Face recognition systems are often used for biometric authentication. Nevertheless, it is known that without any protective measures, face recognition systems are vulnerable to presentation attacks. To tackle this security problem, methods for detecting presentation attacks have been developed and shown good detection performance on several benchmark datasets. However, generalising presentation attack detection methods to new and novel types of attacks is an ongoing challenge. In this work, we employ 1,608 T-shirt attacks of the T-shirt Face Presentation Attack (TFPA) database using 100 unique presentation attack instruments together with 152 bona fide presentations. In a comprehensive evaluation, we show that this type of attack can compromise the security of face recognition systems. Furthermore, we propose a detection method based on spatial consistency checks in order to detect said T-shirt attacks. Precisely, state-of-the-art face and person detectors are combined to analyse the spatial positions of detected faces and persons based on which T-shirt attacks can be reliably detected.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The paper evaluates T-shirt presentation attacks on face recognition systems using the TFPA database, comprising 1,608 attack samples from 100 unique PAIs and 152 bona fide presentations. It claims these attacks compromise FR security and proposes a detection method that combines off-the-shelf face and person detectors to perform spatial consistency checks on detected bounding boxes for reliable attack identification.

Significance. If the spatial consistency approach holds, it would provide a simple, parameter-free detection strategy for a novel attack type by exploiting geometric inconsistencies without additional training. This could meaningfully enhance PAD for FR systems. However, the absence of any reported metrics or validation of detector behavior on attack images substantially weakens the assessed impact.

major comments (3)
  1. [Abstract] Abstract: The manuscript states a 'comprehensive evaluation' showing that T-shirt attacks 'can compromise the security of face recognition systems' and that they 'can be reliably detected,' yet provides no performance numbers, error rates, ROC curves, or baseline comparisons on the 1,608 attacks and 152 bona fide samples.
  2. [Detection Method] Detection method description: The central claim rests on analyzing 'spatial positions of detected faces and persons,' but neither the exact geometric rule (e.g., relative vertical position threshold between face and person boxes) nor any decision threshold is specified, leaving the method non-reproducible.
  3. [Evaluation] Evaluation section: No detector-specific results (e.g., face detection recall on printed vs. real faces, person box accuracy on torso-only images) are reported. This directly undermines the weakest assumption that SOTA detectors will localize printed faces and bodies sufficiently to produce class-separable spatial inconsistencies.
minor comments (1)
  1. [Abstract] Clarify whether the 100 unique PAIs refer to distinct T-shirt designs, subjects, or both, and provide a brief description of the TFPA database acquisition protocol.

Simulated Author's Rebuttal

3 responses · 0 unresolved

Thank you for the opportunity to respond to the referee's comments. We have carefully considered each point and provide our responses below, along with plans for revisions where appropriate.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The manuscript states a 'comprehensive evaluation' showing that T-shirt attacks 'can compromise the security of face recognition systems' and that they 'can be reliably detected,' yet provides no performance numbers, error rates, ROC curves, or baseline comparisons on the 1,608 attacks and 152 bona fide samples.

    Authors: We agree that including quantitative results in the abstract would strengthen the summary of our contributions. In the revised manuscript, we will incorporate key performance metrics, such as the success rate of the T-shirt attacks on the face recognition systems and the detection performance of our spatial consistency method, including any relevant error rates or comparisons. revision: yes

  2. Referee: [Detection Method] Detection method description: The central claim rests on analyzing 'spatial positions of detected faces and persons,' but neither the exact geometric rule (e.g., relative vertical position threshold between face and person boxes) nor any decision threshold is specified, leaving the method non-reproducible.

    Authors: The referee correctly identifies that the precise implementation details of the spatial consistency check are not fully specified. We will revise the 'Detection Method' section to provide the exact geometric rules, including the relative position thresholds used to determine inconsistencies between face and person bounding boxes, and the decision criteria for classifying presentations as attacks. revision: yes

  3. Referee: [Evaluation] Evaluation section: No detector-specific results (e.g., face detection recall on printed vs. real faces, person box accuracy on torso-only images) are reported. This directly undermines the weakest assumption that SOTA detectors will localize printed faces and bodies sufficiently to produce class-separable spatial inconsistencies.

    Authors: We acknowledge the importance of validating the detector performance on the specific attack images. Although the manuscript focuses on the overall detection approach, we will add a subsection in the Evaluation to report detector-specific metrics, such as face detection rates on printed T-shirt faces versus bona fide faces and person detection accuracy on the torso-only attack images. This will support the assumption that the spatial inconsistencies are reliably detectable. revision: yes

Circularity Check

0 steps flagged

No circularity: method uses independent off-the-shelf detectors and geometric rules

full rationale

The paper proposes a detection approach that combines existing state-of-the-art face and person detectors with spatial position analysis to identify T-shirt attacks. No equations, fitted parameters, or derivations are presented that reduce to the input data or attack samples by construction. The logic relies on external detector outputs and geometric consistency, which are independent of the TFPA database samples used for evaluation. No self-citations, ansatzes, or uniqueness claims are invoked in the provided text to justify the core method.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The claim rests primarily on the assumption that existing face and person detectors will behave consistently on both real faces and printed T-shirt images, with no free parameters or new entities introduced in the abstract.

axioms (1)
  • domain assumption State-of-the-art face and person detectors produce accurate bounding boxes on both bona fide and T-shirt attack images.
    The spatial consistency check depends entirely on the output quality of these detectors.

pith-pipeline@v0.9.0 · 5465 in / 1205 out tokens · 35620 ms · 2026-05-10T02:30:46.895089+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

36 extracted references · 36 canonical work pages

  1. [1]

    A. F. Abate, M. Nappi, D. Riccio, and G. Sabatino. 2D and 3D face recognition: A survey. Pattern Recognition Letters, 28(14):1885–1906, 2007

    work page 1906

  2. [2]

    Biometrics for public sector applications

    BSI. Biometrics for public sector applications. part 3: Application profiles, function modules and processes. BSI Technical Guideline TR-03121-3 5.4-draft2, Federal Office for Information Security, 2023. Last accessed: 2024-08-20

    work page 2023

  3. [3]

    C. Chen, A. Dantcheva, T. Swearingen, and A. Ross. Spoofing faces using makeup: An investigative study. InIEEE Int’l. Conf. on Identity, Security and Behavior Analysis (ISBA), pages 1–8, 2017

    work page 2017

  4. [4]

    Chingovska, A

    I. Chingovska, A. Anjos, and S. Marcel. On the effectiveness of local binary patterns in face anti-spoofing. InInt’l. Conf. of Biometrics Special Interest Group (BIOSIG), pages 1–7, 2012

    work page 2012

  5. [5]

    Chingovska, A

    I. Chingovska, A. Anjos, and S. Marcel. Biometrics evaluation under spoofing attacks.IEEE Trans. on Information Forensics and Security (TIFS), 9(12):2264–2276, 2014

    work page 2014

  6. [6]

    Costa-Pazo, D

    A. Costa-Pazo, D. P ´erez-Cabo, D. Jim ´enez-Cabello, J. L. Alba-Castro, and E. Vazquez- Fernandez. Face presentation attack detection. a comprehensive evaluation of the generalisation problem.IET Biometrics, 10(4):408–429, 2021

    work page 2021

  7. [7]

    Dantcheva, C

    A. Dantcheva, C. Chen, and A. Ross. Can facial cosmetics affect the matching accuracy of face recognition systems? InIEEE Fifth Int’l. Conf. on Biometrics: Theory, Applications and Systems (BTAS), pages 391–398, 2012

    work page 2012

  8. [8]

    J. Deng, J. Guo, E. Ververas, I. Kotsia, and S. Zafeiriou. RetinaFace: Single-shot multi-level face localisation in the wild. InIEEE/CVF Conf. on Computer Vision and Pattern Recognition (CVPR), 2020. Detection of T-shirt Presentation Attacks in Face Recognition Systems 13

    work page 2020

  9. [9]

    J. Deng, J. Guo, N. Xue, and S. Zafeiriou. ArcFace: Additive angular margin loss for deep face recognition. InIEEE/CVF Conf. on Computer Vision and Pattern Recognition (CVPR), pages 4685–4694, 2019

    work page 2019

  10. [10]

    Drozdowski, S

    P. Drozdowski, S. Grobarek, J. Schurse, C. Rathgeb, F. Stockhardt, and C. Busch. Makeup presentation attack potential revisited: Skills pay the bills. InInt’l. Workshop on Biometrics and Forensics (IWBF), pages 1–6. IEEE, 2021

    work page 2021

  11. [11]

    Erdogmus and S

    N. Erdogmus and S. Marcel. Spoofing 2D face recognition systems with 3D masks. InInt’l. Conf. of Biometrics Special Interest Group (BIOSIG), pages 1–8, 2013

    work page 2013

  12. [12]

    Erdogmus and S

    N. Erdogmus and S. Marcel. Spoofing in 2D face recognition with 3D masks and anti-spoofing with kinect. InIEEE Sixth Int’l. Conf. on Biometrics: Theory, Applications and Systems (BTAS), pages 1–6, 2013

    work page 2013

  13. [13]

    Fatemifar, S

    S. Fatemifar, S. Arashloo, M. Awais, and J. Kittler. Spoofing attack detection by anomaly detection. InIEEE Int’l. Conf. on Acoustics, Speech and Signal Processing (ICASSP), pages 8464–8468, 2019

    work page 2019

  14. [14]

    Technical guide for border checks on entry/exit system (EES) related equipment

    FRONTEX. Technical guide for border checks on entry/exit system (EES) related equipment. https://euagenda.eu/upload/publications/technical-guide-for-border-checks-on- ees-related-equipment.pdf, 2021. Last accessed: 2024-08-20

    work page 2021

  15. [15]

    George and S

    A. George and S. Marcel. Cross modal focal loss for rgbd face anti-spoofing. InIEEE/CVF Conf. on Computer Vision and Pattern Recognition (CVPR), pages 7878–7887, 2021

    work page 2021

  16. [16]

    George and S

    A. George and S. Marcel. On the effectiveness of vision transformers for zero-shot face anti-spoofing. InIEEE Int’l. Joint Conf. on Biometrics (IJCB), pages 1–8, 2021

    work page 2021

  17. [17]

    L. J. Gonzalez-Soler, M. Gomez-Barrero, and C. Busch. On the generalisation capabilities of fisher vector based face presentation attack detection.IET Biometrics, 10(5):480–496, 2021

    work page 2021

  18. [18]

    Ibsen, L

    M. Ibsen, L. J. Gonzalez-Soler, C. Rathgeb, P. Drozdowski, M. Gomez-Barrero, and C. Busch. Differential anomaly detection for facial images. InIEEE Int’l. Workshop on Information Forensics and Security (WIFS), pages 1–6, 2021

    work page 2021

  19. [19]

    Ibsen, C

    M. Ibsen, C. Rathgeb, F. Brechtel, R. Klepp, K. P ¨oppelmann, A. George, S. Marcel, and C. Busch. Attacking face recognition with T-Shirts: Database, vulnerability assessment, and detection.IEEE Access, 11:57867–57879, 2023

    work page 2023

  20. [20]

    Information Technology - Biometric presentation attack detection - Part 3: Testing and Reporting

    ISO/IEC JTC1 SC37 Biometrics.ISO/IEC 30107-3. Information Technology - Biometric presentation attack detection - Part 3: Testing and Reporting. International Organization for Standardization, 2023

    work page 2023

  21. [21]

    D. King. Dlib-ml: A machine learning toolkit.Journal of Machine Learning Research, 2009

    work page 2009

  22. [22]

    Li and A

    S. Li and A. K. Jain.Handbook of Face Recognition. Springer-Verlag, 2 edition, 2011

    work page 2011

  23. [23]

    Q. Meng, S. Zhao, Z. Huang, and F. Zhou. MagFace: A universal representation for face recognition and quality assessment. InIEEE/CVF Conf. on Computer Vision and Pattern Recognition (CVPR), pages 14220–14229, 2021

    work page 2021

  24. [24]

    Mohammadi, S

    A. Mohammadi, S. Bhattacharjee, and S. Marcel. Deeply vulnerable – a study of the robustness of face recognition to presentation attacks.IET Biometrics, 7:15–26, 10 2017

    work page 2017

  25. [25]

    Nikisins, A

    O. Nikisins, A. Mohammadi, A. Anjos, and S. Marcel. On effectiveness of anomaly detec- tion approaches against unseen presentation attacks in face anti-spoofing. InInt’l. Conf. on Biometrics (ICB), pages 75–81, 2018

    work page 2018

  26. [26]

    Raghavendra

    R. Raghavendra. and C. Busch. Novel presentation attack detection algorithm for face recog- nition system: Application to 3D face mask attack. InIEEE Int’l. Conf. on Image Processing (ICIP), pages 323–327, 2014

    work page 2014

  27. [27]

    Raghavendra and C

    R. Raghavendra and C. Busch. Presentation attack detection methods for face recognition systems: A comprehensive survey.ACM Comput. Surv., 50(1):1–37, 2018

    work page 2018

  28. [28]

    Raghavendra, S

    R. Raghavendra, S. Venkatesh, K. Raja, S. Bhattacharjee, P. Wasnik, et al. Custom silicon face masks: Vulnerability on commercial face recognition systems & presentation attack detection. InProc. of the 7th Int’l. Workshop on Biometrics and Forensics (IWBF), 2019

    work page 2019

  29. [29]

    Rathgeb, P

    C. Rathgeb, P. Drozdowski, D. Fischer, and C. Busch. Vulnerability assessment and detection of makeup presentation attacks. InProc. Int. Workshop on Biometrics and Forensics (IWBF), pages 1–6, 2020

    work page 2020

  30. [30]

    G. Ryu, H. Park, and D. Choi. Adversarial attacks by attaching noise markers on the face against deep face recognition.Journal of Information Security and Applications, 60, 2021. 14 Mathias Ibsen, Loris Tim Ide, Christian Rathgeb, and Christoph Busch

    work page 2021

  31. [31]

    Sharif, S

    M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter. A general framework for adversarial examples with objectives.ACM Trans. on Privacy and Security, 22(3), 2019

    work page 2019

  32. [32]

    C.-Y. Wang, A. Bochkovskiy, and H.-Y. M. Liao. YOLOv7: Trainable bag-of-freebies sets new state-of-the-art for real-time object detectors. InConference on Computer Vision and Pattern Recognition (CVPR), 2023

    work page 2023

  33. [33]

    G. Wang, H. Han, S. Shan, and X. Chen. Unsupervised adversarial domain adaptation for cross-domain face presentation attack detection.IEEE Trans. on Information Forensics and Security, 16:56–69, 2020

    work page 2020

  34. [34]

    K. Xu, G. Zhang, S. Liu, Q. Fan, et al. Adversarial T-Shirt! evading person detectors in a physical world. InEuropean Conf. on Computer Vision (ECCV), pages 665–681, 2020

    work page 2020

  35. [35]

    Zhang, Z

    K. Zhang, Z. Zhang, Z. Li, and Y. Qiao. Joint Face Detection and Alignment Using Multitask Cascaded Convolutional Networks.IEEE Signal Processing Letters, 23(10):1499–1503, 2016

    work page 2016

  36. [36]

    W.-Y. Zhao, R. Chellappa, P. J. Phillips, and A. Rosenfeld. Face recognition: A literature survey.ACM Computing Surveys (CSUR) archive, 35(4):399–458, 2003

    work page 2003