Face Anti-Spoofing Based on Deep Learning: A Comprehensive Survey

Abstract

Face recognition has achieved tremendous success in both its theory and technology. However, with increasingly realistic attacks, such as print photos, replay videos, and 3D masks, as well as new attack methods like AI-generated faces or videos, face recognition systems are confronted with significant challenges and risks. Distinguishing between real and fake faces, i.e., face anti-spoofing (FAS), is crucial to the security of face recognition systems. With the advent of large-scale academic datasets in recent years, FAS based on deep learning has achieved a remarkable level of performance and now dominates the field. This paper systematically reviews the latest advancements in FAS based on deep learning. First, it provides an overview of the background, basic concepts, and types of FAS attacks. Then, it categorizes existing FAS methods from the perspectives of RGB (red, green and blue) modality and other modalities, discussing the main concepts, the types of attacks that can be detected, their advantages and disadvantages, and so on. Next, it introduces popular datasets used in FAS research and highlights their characteristics. Finally, it summarizes the current research challenges and future directions for FAS, such as its limited generalization for unknown attacks, the insufficient multi-modal research, the spatiotemporal efficiency of algorithms, and unified detection for presentation attacks and deepfakes. We aim to provide a comprehensive reference in this field and to inspire progress within the FAS community, guiding researchers toward promising directions for future work.

1. Introduction

In the current era of digitalization and intelligence, authentication methods have undergone significant changes. Traditional identity verification methods that rely on physical devices like keys and access cards, which are at risk of loss, so are now being replaced by biometric authentication [1]. Common biometric recognition options include the face [2,3], fingerprint, iris, palm print, ear, voice [4], finger vein, and gait [5]. Fingerprint data are easy to collect but can be affected by the condition of a user’s skin, reducing accuracy. Iris recognition requires specific equipment, making collection difficult. Finger vein data offers high levels of security, but the equipment is not widely available and contact is required, which limits efficiency. Due to the rapid proliferation of image capture devices, facial data are no longer difficult to acquire. Face recognition (FR) [6,7,8], due to its simplicity, non-contact nature, and high accuracy, is now widely used in areas such as airport and station access, telecom service processing, financial authentication, and employee attendance management [9].

However, the rapid growth of FR has also introduced new security risks. Using forged faces to bypass a face recognition system (FRS) can lead to face spoofing attacks. According to a report by China Central Television (CCTV) Finance, in the first half of 2024, multiple cases of criminals wearing silicone face masks to impersonate others and commit theft occurred in Shanghai and Xuzhou, Jiangsu. Using silicone face masks as a disguise during criminal activities is becoming a new tactic for some criminals. Particularly in the era of generative artificial intelligence (GAI), almost nothing seems impervious to being overturned. Even long-held beliefs like “seeing is believing” and “pictures as proof” are losing credibility. In February 2024, the Hong Kong police disclosed an AI-powered “multi-face swapping” fraud case involving a loss of 200 million Hong Kong dollars. These cases illustrate that FRSs without anti-spoofing verification cannot ensure security, posing a significant threat to users’ privacy and property. Accurately determining the authenticity of faces is crucial for user security.

Today, significant breakthroughs in face recognition have been made. However, face recognition still has potential risks and faces various attacks, including those in both the digital and physical domains [10]. These attacks have raised urgent public security concerns such as user privacy leaks, identity theft, and financial fraud. As shown in Figure 1, in steps ① and ②, respectively, FRSs are susceptible to both physical and digital face attacks [10]. Malicious attackers can easily launch various physical presentation attacks during the face capture stage (i.e., step ①) and can use various digital forgery means (i.e., step ②) to attack a FRS.

With the rapid development of generative adversarial networks (GANs) [11], face deepfakes have been dramatically improved and forged faces and videos [12] are becoming more and more sophisticated. As shown in the upper part of Figure 1, face deepfakes refer to a face manipulation technology based on deep learning (DL). It can purposefully manipulate faces in images and videos, including through face attribute manipulation [13], face reenactment, face swapping, entire face synthesis, etc. [14]. However, in real environments, FRSs typically capture images through devices and input them directly into the system. Conducting various attacks on digital images during transmission is challenging, whereas physical attacks are easier to implement. In the physical realm, FRSs can be compromised by presentation attacks (PAs), including print attacks, replay attacks, 3D mask attacks, physical adversarial attacks, as well as makeup and tattoos [15]. Therefore, we focus on discussing presentation attacks and detection methods in the physical domain.

1.1. Related Works

The existing literature reviews or surveys on FAS tend to focus on a single topic or lack comprehensiveness. Raheem et al. [16] discussed various indicators of face liveness detection (FLD) in detail, providing a reference for devising suitable solutions to face spoofing problems. However, it did not cover DL for FAS. Jia et al. [17] discussed 3D mask face anti-spoofing methods in detail from both software and hardware perspectives. Although DL algorithms were explored, the number of referenced studies was limited. Safaa et al. [18] centred on the application of a convolutional neural networks (CNNs) without addressing the generalization of face anti-spoofing. Abdullakutty et al. [19] concentrated on DL-based methods and multi-modal fusion face anti-spoofing algorithms, but lacked sufficient a discussion on generalization aspects. Khairnaret et al. [20] mainly paid attention to the bibliometric analysis of PAs based on domain adaptation.

Recent surveys have provided new insights into FAS. For instance, a review [15] outlined DL techniques but lacked a focus on traditional methods. Similarly, a review on face adversarial attacks [21] analyzed adversarial techniques but overlooked areas like multimodal fusion and domain generalization. The comprehensive review [22] offered an overview of both DL-based and traditional hand-crafted approaches, but did not discuss cross-domain learning in-depth. Furthermore, a review [23] concentrated on liveness detection in smartphone scenarios yet did not address the broader FAS field. Additionally, the review [24] mentioned domain generalization issues in FAS but did not thoroughly analyze the specific implementation challenges or limitations involved.

Table 1. A summary of the previous literature reviews.

Ref.	Year	Ref. Count	Topics and Observation	Disadvantages	Our Article
[16]	2019	208	Various indicators of FLD	It does not cover DL-based FAS algorithms.	We provide a systematic introduction to DL-based methods.
[17]	2020	57	FAS methods on 3D masks	The number of DL-based algorithms was very small.
[18]	2020	58	The application of CNN in face and iris attack detection	Did not address the generalization of FAS methods.	We provide a detailed introduction to the cross-domain FAS, including DA, domain generalization (DG), zero-/few-shot learning, and anomaly detection.
[19]	2021	163	DL-based methods and FAS on multi-modal fusion	Sufficient discussion on generalization.
[20]	2021	23	Face presentation attacks and detection based on domain adaptation (DA)	Lacked other classification
[21]	2021	115	A literature review on face adversarial attacks and defenses	Lack of a consistent evaluation framework, and omission of experimental datasets.	Our review summarizes detection methods for various types of presentation attacks, including adversarial attacks.
[10]	2022	253	A literature review on face attacks and detection methods from the perspectives of digital and physical domains.	The introduction of face adversarial attacks and defenses methods in general.
[15]	2022	252	A comprehensive review on FAS based on DL	The discussion of cross-domain FAS issues requires a more in-depth examination, and the analysis of FAS on smartphones requires improvement.	We include not only DL-based methods but also FAS methods combining with handcrafted and DL approaches, as well as smartphone-based detection methods.
[22]	2023	188	A comprehensive review of FAS based on DL and traditional handcraft features	The discussion on cross-domain FAS needs to be more in-depth. Moreover, the analysis of FAS on smartphones needs to be improved.
[23]	2023	15	A survey on FAS techniques for smartphones	Lack of discussion on standardized evaluation and insufficient exploration of future directions.
[24]	2023	275	A survey on DG methods across various application domains	Although the review includes a summary of methods for FAS, it needs a systematic approach.	We provide a detailed introduction to the cross-domain generalization of FAS

summarizes the characteristics and limitations of the existing literature reviews on FAS. Overall, current reviews in the FAS field tend to have a narrow focus and lack a holistic and integrative perspective. Key areas, such as the systematic exploration of domain generalization, multimodal fusion, the spatiotemporal efficiency of algorithms, and the unified detection of presentation attacks and deepfakes remain underexplored. In addition, discussions on generalization capability, handling of complex attack scenarios, and emerging approaches such as self-supervised and few-shot learning could be further expanded. Our review aims to provide a more comprehensive and in-depth analysis of the FAS field, offering valuable insights to guide future research directions.

1.2. Motivation and Contribution

In recent years, DL has significantly advanced the field of FAS, especially with the support of large-scale datasets. However, existing reviews often focus on single topics and need a more comprehensive analysis of different modalities, the generalization capabilities of algorithms, and spatiotemporal efficiency. Therefore, a systematic review of FAS based on DL holds academic and practical significance in exploring current research bottlenecks and future directions.

Firstly, DL techniques, such as CNNs, GANs, and contrastive learning have achieved notable success in FAS. However, challenges remain in addressing their generalization to unseen attacks and cross-domain applications. A comprehensive review of these methods will facilitate an understanding of their strengths and weaknesses, promoting further development in the field. Secondly, integrating multi-modal information (e.g., RGB, depth images, infrared) shows potential for enhancing FAS detection capabilities, but it also increases computational complexity. Summarizing the pros and cons of multi-modal methods can guide future research toward balancing accuracy and efficiency. Finally, the real-time performance and efficiency of FAS algorithms in smart devices require attention. A review can analyze the performance of algorithms across different devices, helping researchers understand how to maintain detection accuracy while reducing computational costs and ensuring real-time operation.

Based on previous research, this article comprehensively introduces the types of face presentation attacks and detection methods based on DL. Compared to previous reviews, this survey is unique in the following three aspects:

(1)

This article comprehensively surveys face presentation attacks and detection methods based on DL, including face anti-spoofing on smartphones.

(2)

This survey covers 229 multiple articles, categorizing them into smaller sub-topics, and provides a comprehensive discussion.

(3)

This survey reveals the current challenges and future research trends about face anti-spoofing and provides a reference basis for research in face authentication.

The rest of this survey is organized as follows. Section 2 reviews face presentation attacks designed to deceive a FRS. Next, we introduce detection methods against face presentation attacks in Section 3. We discuss the experimental datasets in Section 4. Furthermore, we discuss current challenges and potential future research directions in Section 5. At the end, Section 6 is the conclusion.

2. Attack Types

Presentation attacks [15] refer to an attempt by an attacker to deceive an FRS by presenting spoof face images, videos, or masks to trick the system into incorrectly verifying or recognizing the identity. Presentation attacks [15] mainly include impersonation attacks and obfuscation attacks. Impersonation attacks mainly include print, replay, and 3D mask attacks. Obfuscation attacks primarily consist of makeup attacks, tattoo attacks, funny glasses attacks, wig attacks, and physical adversarial attacks [21], which the attacker can directly initiate. The topology of face presentation attack types is shown in Figure 2. The details are introduced below.

2.1. Impersonation Attacks

Print attacks refer to an attack method in which the attacker prints the target user’s face on paper and presents it in front of the camera to deceive the FRS. This attack method is straightforward and typical. Some attackers will cut out the eyes, nose, mouth, and other parts of the photo to expose the attacker’s organs and simulate the blinking and opening of a real person’s mouth, significantly increasing the difficulty of liveness detection. Examples of print attacks are shown in Figure 3a. For example, in the CASIA-MFSD [25] database, print attacks are collected by photographing printed photos. Specifically, a face image is first printed, and the photo is then distorted or cropped to “simulate” an honest face. Finally, the distorted or cropped photo is recorded to generate a spoofing face video. CASIA-MFSD used three cameras to capture face images at three different quality levels. Low-quality videos were captured using a long-time-used USB camera with a resolution of $640\times 480$ pixels. Normal-quality videos were recorded with a newly purchased USB camera at $480\times 640$ pixels. Furthermore, high-quality videos were recorded using a high-resolution Sony NEX-5 camera with a maximum resolution of $1280\times 720$.

Reply attacks refer to an attack method in which an attacker uses the replay function of an electronic device to play a video of the target user and presents it in front of the camera of the capture device. This attack method is more threatening than a photo printing attack. Video replay attacks can easily invalidate algorithms that detect facial movements, posing a considerable challenge to the versatility of liveness detection algorithms. Examples of replay attacks are shown in Figure 3b.

In the CASIA-MFSD [25] database, a reply attack is performed by displaying high-resolution real videos on an iPad. Due to the iPad screen’s resolution limitation, the device inevitably downscales the original high-resolution ($1280\times$ 720) videos. The MSU-MFSD dataset [26] divides replay attacks into two cases. One involves recording with a Canon 550D camera and replaying the video on an iPad Air, and the other involves recording with an iPhone 5S and replaying it on the same device.

Figure 3. Various attack examples: (a) print attacks from CASIA-MFSD [25]; (b) replay attacks from CASIA-MFSD [25]; (c) 3D masks from HiFiMask [27]; (d) obfuscation attacks [28]; (e) physical adversarial attacks: Adv-glasses [29], Adv-makeup [30], Adv-hat [31], Adv-sticker [32].

Figure 3. Various attack examples: (a) print attacks from CASIA-MFSD [25]; (b) replay attacks from CASIA-MFSD [25]; (c) 3D masks from HiFiMask [27]; (d) obfuscation attacks [28]; (e) physical adversarial attacks: Adv-glasses [29], Adv-makeup [30], Adv-hat [31], Adv-sticker [32].

A 3D masks attacks involves creating masks from materials like resin, plaster, or silicon to mimic a target user’s face and deceive a FRS. These attacks are rare and complex due to the challenges in obtaining accurate 3D facial data, which requires specialized equipment, as well as the high cost and time involved in producing realistic masks. Inferior masks can be easily detected using simple texture features, but advanced masks with realistic textures can often bypass most liveness detection algorithms. However, due to the difficulties and costs associated with creating 3D masks, detection methods still primarily focus on photo and video replay attacks. Examples of 3D mask attacks are shown in Figure 3c. For example, the HiFiMask [27] dataset includes 25 subjects with yellow, white, and black skin tones to promote a fair AI and reduce bias caused by skin colour (a total of 75 subjects).

2.2. Obfuscation Attacks

Obfuscation attacks involve disguising facial features using various methods to interfere with or deceive a FRS. For example, the SiW-M [28] dataset comprises 13 spoof types, including print attacks, replay attacks, 3D masks, makeup attacks, and partial attacks. Examples of obfuscation attacks are shown in Figure 3d. These attacks pose significant threats as they can effectively disrupt or mislead such systems, impairing their ability to accurately identify individuals. Typically, obfuscation attacks use visual disguises that force the FRS to retrain on standard features, thereby reducing system security and reliability.

Tattoo attacks involve applying tattoos to the face or other visible areas to create disruptive patterns that affect the performance of a FRS.

Funny glasses attacks involve wearing specially designed glasses with exaggerated patterns or colors to interfere with facial recognition algorithms.

Wig attacks involve using wigs to change the appearance of hair, which affecting the system’s assessment of hair and overall facial features.

Makeup attacks refer to attackers using makeup to deceive to alter facial features in an attempt to deceive a FRS. For example, heavy makeup may cover key features like the eyes or nose.

Physical adversarial attacks [21] refer to introducing subtle, carefully designed physical perturbations to face images in the real world, aiming to mislead the FRS. Unlike digital adversarial attacks, physical adversarial attacks involve disrupting the face in actual environments to cause the FRS to produce incorrect identity recognition results. Examples of physical adversarial attacks are shown in Figure 3e.

3. Face Anti-Spoofing

Face attacks and detection methods are an arms race, with attackers continuously developing new technologies to breach the FRS, including face presentation attacks, face deepfakes, and adversarial attack examples. FAS has evolved from handcrafted feature extraction to DL-based models, gradually addressing more complex attack techniques. Researchers have introduced domain adaptation and adversarial learning methods to enhance cross-domain generalization. Multi-modal fusion and 3D information are also employed to tackle more sophisticated 3D mask attacks. Recent advancements include meta-learning and self-supervised learning, which aim to improve the model adaptability to meet practical application requirements. As shown in Figure 4, we have summarized the topology of FAS.

3.1. FAS with RGB Camera

3.1.1. FAS Combining Handcraft and DL

It can be seen from the reviews [15,22] that the research on FAS prior to 2018 primarily focused on traditional manual feature extraction, with its primary strategy being to identify deception clues from the prostheses, which required extensive prior knowledge. Some methods were based on random motion, such as gaze tracking [33,34], eye blinking [35,36], nodding and smiling [37], lip reading [38], etc. Some methods focused on life information, for example, remote Photoplethysmography (rPPG) [39,40,41], optical flow [42,43], and face micro-movements [44,45]. Moreover, texture features were extracted for FAS, including local binary pattern (LBP) [46], local binary pattern on three orthogonal planes (LBP-TOP) [47], color distortion texture [48], scale-invariant feature transform (SIFT) [49], speeded-up robust features (SURF) [50], histogram of oriented gradients (HOG) [51], difference of Gaussian (DoG) [52],and so on. Some researchers have paid attention to image quality features, including specular reflection, color distribution and sharpness [26,53]. In addition, some sensors were used for FAS, such as infrared images [54,55], light fields [56,57], and depth maps [58]. Typical handcrafted methods are shown in

Table 2. Methods based on traditional handcrafted features. For simplicity, 2D-P represents print attacks, 2D-R represents replay attacks, 3D-M represents 3D masks attacks, OA represents obfuscation attacks, and Adv represents physical adversarial attacks. All subsequent tables are similar.

Methods	Main Idea	Ref.	Attacks	Advantages	Disadvantages
Methods based on motion	Gaze tracking	[33,34]	2D-P	Taking into account motion characteristics, they can effectively resist print attacks.	It is difficult to deal with replay videos attacks, longer detection time.
	Eye blinking	[35,36]
	Nodding and Smiling	[37]
	Lip reading	[38]
Methods based on life information	rPPG	[39,40,41]	3D-M	High accuracy under specific constraints.	Video input is required but lacks robustness when highly affected by external lighting and individual movements.
	Optical flow	[42,43]	2D-P, 2D-R
	Micro-movements	[44,45]	2D-P, 3D-M	High accuracy and strong generalization for print attacks.
Methods based on texture	LBP, LBP-TOP	[46,47]	2D-P	With a small amount of calculation and a relatively stable environment, it can effectively resist print and replay attacks.	It is easily affected by recording equipment, lighting conditions, and image quality, and its generalization capability across datasets is not strong.
	Color texture	[48]
	SIFT	[49]
	SURF	[50]
	HOG	[51]
	DoG	[52]
Methods based on image quality	Image specular reflection, color distribution, and sharpness	[26,53]	2D-P	Relatively strong cross-dataset generalization ability for single-type spoofed faces while offering a fast processing speed.	It is more sensitive to changes in the external environment and difficult to resist high-resolution matte photo and video attacks.
Methods based on hardware	Infrared image	[54,55]	2D-P, 2D-R	High accuracy	It requires the addition of expensive hardware devices, and the time of processing images increases.
	Light field	[56,57]
	Depth map	[58]

. As shown in Table 2, these algorithms are categorized based on the types of attacks they are generally effective at detecting, along with an analysis of their advantages and disadvantages. Despite their effectiveness in specific scenarios, these traditional methods often require improvement, such as necessitating user cooperation, being susceptible to external conditions, and needing additional hardware. With the development of deep neural networks (DNNs), many researchers have begun to use DNNs to extract the features of face images for FAS.

Yang et al. [59] introduced DL to FAS for the first time in 2014, demonstrating the positive impact of CNN on face liveness detection. Since then, researchers have integrated traditional features with DNN to enhance the performance of FAS. By combining handcrafted features like LBP [46] and HOG [51] with DNN, these algorithms use methods like cascade fusion, feature-level fusion, and to improve spoofing detection. Traditional features capture detailed textures, while DL-based models identify complex patterns, improving the algorithm’s accuracy and robustness. However, this may increase computational complexity and processing time.

Cascade model fusion: Feng et al. [60] proposed a layered neural network to fuse shearlet-based image quality and optical flow-based motion cues for face liveness detection. Li et al. [61] fully utilized the differences in reflective characteristics between real faces and 3D masks. Li et al. [62] combined optical flow with video frames as CNN input, employing spatial and channel attention for adaptive classification. Li et al. [63] leveraged VGG for extracting features, applied principal component analysis (PCA) for dimensionality reduction, and employed Support Vector Machine (SVM) for classification. Asim et al. [64] cascaded LBP-TOP with CNN to capture spatio-temporal features via histograms from CNN layers, and classified by SVM with nonlinear RBF kernel. Shao et al. [65] extracted features with CNN, used optical flow for facial motion detection, and jointly learned spatial and channel features. Agarwal et al. [66] utilized the power of CNN filters and texture encoding for silicone mask attacks. Ya et al. [67] integrated face image quality assessment (FIQA) with neural network decomposition for improving generalization.

Feature-level fusion: Khammari et al. [68] proposed a dual-stream approach combining LBP and simplified weber local descriptor (SWLD) encoded CNN. The fused features ensured the preservation of the local intensity information and the orientations of the edges. Yu et al. [69] developed a method using rPPG signals and vision transformer (ViT) to detect 3D mask attacks by analyzing the physiological differences between real faces and spoofed masks. Li et al. [70] addressed replay video attacks via motion blur analysis, extracting temporal blur descriptors with a 1D CNN and blur width using local similarity pattern (LSP) features, which were fused for detection. Chen et al. [71] introduced a method combining deep features extracted by CNN and color texture features by using rotation-invariant local binary pattern (RI-LBP), applying the fused data to an SVM for classification.

Decision-level fusion: CHEN et al. [72] proposed a FAS algorithm that utilized an improved Retinex-LBP to extract key texture and illumination features from the image, combined with R-CNN for deep feature extraction. Sharifi et al. [73] used CNN and overlapped histograms of local binary patterns (OVLBP) methods to extract facial features and employed score-level and decision-level fusion strategies to achieve more accurate FAS detection. Solomon et al. [74] separately extracted image quality features and deep features using ResNet50 for classification and combined their confidence scores to make the final decision.

Table 3. Overview of hybrid FAS: The symbol “√” indicates the presence of the corresponding attack type within the dataset. All subsequent tables are similar.

Strategies	Main Idea and Ref.	Datasets	Attacks			Advantages	Disadvantages
			2D-P	2D-R	3D-M
Cascade model fusion: Traditionally, handcrafted feature extraction is used as a preprocessing step, followed by further processing of the extracted features using a DL to achieve finer features.	Dense optical flow-based motion features, shearlet-based image quality features and DNN [60]	CASIA MFSD	√	√		Cascaded models can progressively refine and extract more complex features, thereby enhancing their classification capability.	(1) If the feature extraction in the preceding model has issues, subsequent steps will be affected, leading to a decline in the overall performance. (2) There may be feature gaps or incompatibilities between handcrafted features and deep features, resulting in performance saturation.
		Replay-Attack	√	√
		3D-MAD			√
	Image reflectance and 1D CNN [61]	3D-MAD			√
		HKBU-M V2			√
	The optical flow-based motion features and texture cues, attention module and CNN [62]	Replay-Attack	√	√
		OULU-NPU	√	√
		HKBU-MARs V1			√
Cascade model fusion: The DL and handcrafted feature extraction processes are sequential. The DL model is used to extract deep features, which are then subjected to handcrafted feature processing for further operations or analysis.	VGG features, PCA and SVM [63]	CASIA MFSD	√	√
		Replay-Attack	√	√
	CNN, LBP-TOP and SVM [64]	CASIA MFSD	√	√
		Replay-Attack	√
	CNN features and optical flow-based motion features [65]	3DMAD			√
	CNN filters, texure encoding and SVM [66]	SMAD			√
	FIQA and Resnet [67]	SiW	√	√
		SiW-M	√	√	√
Feature-level fusion: During the feature extraction stage, traditional handcrafted features are fused with deep features extracted by DL models.	LBP, SWLD, and CNN [68]	CASIA MFSD	√	√		The synergy between features enhances the model’s capabilities.	Aligning and processing features from different sources is necessary, which increases the complexity and reduces the model’s interpretability.
		Replay-Attack	√	√
	Combination rPPG and ViT [69]	3D-MAD			√
		HKBU-M V2			√
	1D CNN and motion blur features with LSP [70]	Replay-Attack	√	√
		OULU-NPU	√	√
	Color texture features with RI-LBP and CNN [71]	NUAA [52]	√
		CASIA MFSD	√	√
Decision-level fusion: Handcrafted features and deep features are processed separately by independent classifiers (or detectors). The final prediction result is obtained through decision fusion, such as voting or weighted voting.	Retinex-LBP and R-CNN [72]	CASIA MFSD	√	√		Fusion occurs only at the final decision stage, without the need to align or process the features themselves, offering high flexibility.	Independent processing may lead to information redundancy or conflict, and the algorithm highly depends on the fusion strategy.
		Replay-Attack	√	√
		OULU-NPU	√	√
	CNN features and OVLBP [73]	Replay-Attack	√	√
	Image quality features and deep features using ResNet50 [74]	OULU-NPU	√	√
		CASIA-MASD	√	√
		Replay-Attack	√	√
		MSU MFSD	√	√
		SiW	√	√

lists hybrid FAS using handcrafted features and DL. As shown in Table 3, combining different techniques with deep learning enables the detection of more complex types of attacks. For example, in [62], by integrating facial motion and texture cues, it was possible to detect 2D print, 2D replay, and 3D mask attacks.

3.1.2. FAS Based on Traditional DL

Early training of DNN in FAS struggled to outperform traditional handcrafted methods due to the need for large-scale data. However, advancements in architectures like U-Net [75] and DenseNet [76], along with large-scale datasets such as CelebA-spoof [77] and HiFiMaskt [27], have propelled end-to-end DL methods to dominate the FAS field. Unlike hybrid methods that integrate partially handcrafted features and have no learnable parameters, traditional end-to-end DL methods directly learn the mapping function from facial input to spoof detection. During model training, deep models can use binary loss supervision, pixel-level supervision, pseudo-depth labels, binary mask labels, and other labels to distinguish between real and spoof faces. In addition to using spatial information for facial spoof detection, temporal sequences between video frames can also be used to extract spoofing features. Based on the type or source of the spoofing cues, we categorize traditional DL-based FAS methods into five types: binary supervision methods, depth map methods, binary mask methods, spatiotemporal information fusion methods, and spoof trace separation methods. Below, we provide a detailed explanation of these methods.

A.

FAS Based on Binary Supervision

In the early stages of applying DL to FAS, researchers treat the task of distinguishing between real and fake faces as a simple binary classification problem. When training neural networks, the training data is labelled with 0 and 1 to represent fake faces and real faces, respectively, and classification is achieved by calculating the difference between the network’s predictions and the 0/1 labels using Binary Cross Entropy (BCE) loss. The flowchart of this type of method is shown in Figure 5.

Lucena et al. [78] proposed a transfer learning method that used the sigmoid function for the binary classification of real and fake faces, achieving state-of-the-art results on the 3DMAD and Replay-Attack datasets. Nagpal et al. [79] adjusted Inception-v3 [80], ResNet-50 [81], and ResNet-152 [81] for binary classification, evaluated their performance on the MSU-MFSD dataset, and provided evaluation results and application suggestions for the three models. To address the difficulty of obtaining spoofed face data for DL, Guo et al. [82] first converted 2D printed photos into 3D objects, then simulated operations such as bending and rotating the printed photos in 3D space to synthesize a large number of 3D virtual spoofed photos. Finally, they used the synthesized samples to train a modified ResNet-50 and present the binary classification results. On the other hand, considering the weak intra-class and inter-class constraints of BCE loss, some studies modify the BCE loss to provide CNN with more discriminative supervisory signals. Xu et al. [83] reformulated FAS as a fine-grained classification problem instead of a binary classification problem and used type labels (e.g., bonafide, print, and replay) for multi-class supervision. However, FAS models supervised with multi-level CE loss may fail when faced with high-fidelity PAs. To learn a compact space with small intra-class distances and large inter-class distances, Almeida et al. [84] introduced contrastive loss and triplet loss. However, unlike visual retrieval tasks, bonafide and PAs in FAS tasks usually have asymmetric internal distributions (more compact and diverse, respectively). Based on this evidence, Wang et al. [85] proposed using asymmetric angular margin softmax loss to supervise FAS patch models, thereby relaxing the intra-class constraints among PAs.

Table 4. Overview of methods for FAS based on binary supervision.

Ref.	Main Idea	Supervision	Datasets	Attacks				Advantage	Disadvantage
				2D-P	2D-R	3D-M	OA
[78]	Transfer learning and CNN	BCE	Replay-Attack	√	√			The method is simple and intuitive, providing clear training signals and stable training based on mature technology.	It is prone to failure when faced with high-fidelity attacks, such as high-definition spoofing videos.
			3DMAD			√
[79]	Analysis of effectiveness on CNN	BCE	MSU-MFSD	√	√
[82]	3D virtual synthesis as input	BCE	Replay-Attack	√	√
			CASIA-MASD	√	√
[83]	Fine-grained multi-class supervision	Multi-level BCE	SiW	√	√
			OULU-NPU	√	√
			SiW-M	√	√	√	√
[84]	Learning compact spaces with small intra-class distances and large inter-class distances	Contrast loss, triple loss	Replay-Attack	√	√
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			RECORD-MPAD	√	√
[85]	Supervising FAS patch model via asymmetric corner softmax loss to relax intra-class constraints	softmax loss	Replay-Attack	√	√
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√
			SiW	√	√

shows an overview of the methods for FAS based on binary supervision. As shown in Table 4, FAS methods based on binary supervision are suitable for detecting common 2D print and 2D replay attacks in environments where the attack types are known, labels are clear, and both spoof and genuine samples are available. They are well-suited for deployment in fixed-data scenarios that require only a binary real/spoof judgment rather than a detailed attack-type classification, typically in low- to medium-risk applications.

B.

FAS Based on Depth Maps

In the field of computer vision, a depth map is an image or image channel that contains information about the distance from the surface of the target object to the viewpoint. When applied to FAS, the depth map highlights the differences in distance between the surface of real and spoofed faces and the camera. For real faces, which have a three-dimensional structure, there are significant distance variations between different regions (such as the nose and ears) and the camera. In contrast, spoofed faces are typically planar, resulting in little to no variation in the distances between different regions of the spoofed face and the camera. The specific training process is illustrated in Figure 6. Initially, the depth maps corresponding to real or spoofed face images are used as supervisory signals to guide the model in predicting the depth map of the input image. Subsequently, a depth supervision loss is employed to make the final classification decision.

Atoum et al. [86] proposed a dual CNN method combining global and local facial features. First, one CNN was used to obtain a depth map of the image globally (i.e., spatial cues) and provide a “live” score based on this information. Then, another CNN learned distinguishable texture features from randomly selected small local patches of the image and provided another score. Finally, these two scores were fused to obtain the final decision, enhancing the accuracy of the judgment. However, FAS methods face two significant challenges: extracting dynamic features from multi-frame image sequences increases the model’s time complexity, and expert-designed network structures struggle to capture fine-grained information in images and quickly adapt to different environments.

To enhance the automatic design and fine-grained depth feature acquisition capabilities, Yu et al. [87] first introduced neural architecture search (NAS) into FAS to automatically find the optimal backbone architecture for capturing central difference convolution (CDC). They also designed multiscale attention fusion (MAFM) to refine and fuse low, mid, and high-level CDC features through spatial attention. On this basis, they extend CDCN to a more automated and better-performing CDCN++. To ensure NAS for FAS generalize well to new environments and new types of attacks, Yu et al. [88] further developed CDC and pooling operators, exploited an efficient static-dynamic representation for mining the FAS-aware spatio-temporal discrepancy, and proposed domain/type-aware Meta-NAS for robust searching. Zheng et al. [89] designed a dual-stream spatial-temporal network to explore potential depth and multiscale information. In this network, a temporal shift module was introduced to extract temporal information, and symmetric loss was used for more accurate auxiliary supervision in depth information estimation network. Finally, a scale-level attention module was introduced to fuse information from the dual-stream network to determine the authenticity of the image.

All in all, FAS based on depth map supervision can better capture the three-dimensional structure and details of the face, reduce artifacts caused by illumination changes, angle changes, etc., and improve the recognition rate. However, synthesizing 3D shape labels for each training sample is expensive and inaccurate, and it also lacks the rationality for real-depth PA (such as 3D masks and mannequins).

Table 5. Overview of methods for FAS based on depth map.

Ref.	Main Idea	Supervision	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[86]	Dual CNN method combining global and local features of face.	Depth map	Replay-Attack	√	√			It can better capture the 3D structure and details of the human face; reduce artifacts caused by changes in lighting and angles, etc.; and has strong applicability.	The process of synthesizing 3D shape labels is costly and time-intensive. For 3D mask attacks or mannequin model attacks, since these attacks also have real depth information, they are more difficult to detect.
			CASIA-MFSD	√	√
			MSU-USSA	√	√
[87]	CDCN can capture detailed patterns via aggregating intensity and gradient information, and the MAFM module obtain afiner-grained features.	Depth map	Replay-Attack	√	√
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√
			SiW	√	√
			SiW-M	√	√	√	√
[88]	An efficient static-dynamic representation for mining the FAS-aware spatio-temporal discrepancy and Meta-NAS for robust searching.	Depth map	Replay-Attack	√	√
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√
			SiW	√	√
			SiW-M	√	√	√	√
			CASIA-SURF			√
			3DMAD			√
			HKBU-M V2			√
[89]	A dual-stream spatial-temporal network was designed to explore depth information and multiscale information.	Time, depth map	Replay-Attack	√	√
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			SiW	√	√
			NUAA	√

shows an overview of methods for FAS based on a depth map.

C.

FAS Based on Binary Masks

Compared to depth map supervision, binary mask labels are easier to generate. With binary mask labels, we can determine whether a PA occurs in the corresponding patch, which is attack-type agnostic, spatially interpretable, and easier to generalize to all PAs. The flowchart of this type of method is shown in Figure 7.

George et al. [90] trained the model using both binary and deep pixel-wise supervision, relying solely on frame-level information. As a result, the approach attained low computational and time overhead. However, due to the limited amount of training data available, the method suffered from a weak generalization capability. Hossain et al. [91] introduced a learnable attention module to refine features, mitigating the limitations of noisy binary mask labels, especially in partial attacks. Sun et al. [92] demonstrated that local label supervision outperformed global labels for small datasets, introducing ternary labels (real, spoofed, and uncertain background) to improve pixel-level predictions. Other researchers, based on the difference in facial material-related reflectance between live skin and spoof media, proposed using both depth and reflection labels to supervise depth models [93,94]. Yu et al. [93] leveraged material differences between real skin and spoof media, using bilateral convolutional networks (BCNs) with depth, reflection [95], and patch maps for supervision. Despite significant progress in facial depth auxiliary supervision, there remain considerable challenges in modelling lightweight temporal networks. Yu et al. [96] proposed a novel pyramid supervision, guiding depth models to learn local details and global semantics from multiscale spatial contexts. Further advancements incorporated auxiliary supervision from Fourier maps [97], LBP texture maps [98], and sparse 3D point clouds [99], enhancing textural and geometric discrimination.

Table 6. Overview of methods for FAS based on binary mask and extended supervision.

Ref.	Main Idea	Supervision	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[90]	Binary mask and deep pixel-wise supervision	Binary mask label	Replay-Attack	√	√			Binary mask labels are easier to generate, able to identify facial regions and backgrounds, capture subtle features, and are attack-type agnostic.	Complex attacks (such as cutting out eyes, nose, and mouth and simulating real human blinking and mouth movements) may not be accurately detected.
			OULU-NPU	√	√
[91]	Angular margin-based BCE, a learnable attention module, and binary masks supervision	Binary mask label	OULU-NPU	√	√
			Replay-Mobile	√	√
[92]	Pixel-level supervised learning of facial images using local ternary labels (real face, fake, background)	Local ternary label	Replay-Attack	√	√			When there is not enough training data, more refined classification can be achieved.	Local ternary labels need to be accurately annotated.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			SiW	√	√
[93]	Intrinsicmaterial-based patterns via aggregating multi-level bilateral micro-information	Depth map, reflection and patch map	OULU-NPU	√	√			New perspective: material perception	The limited scope of the datasets cannot fully demonstrate the effectiveness of material perception.
			SiW	√	√
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			MSU-MFSD	√	√
			SiW-M	√	√	√	√
[94]	Auxiliary supervisions	Depth map, reflection map	SiW	√	√			Focusing on the complementary information of the face enriches the feature representation.	Dependent on the quality of auxiliary supervision.
			OuluNPU	√	√
			CASIA-FASD	√	√
			Replay-Attack	√	√
[96]	Plugged-and-played pyramid supervision	Depth map, Predicted Depth Maps	CASIA-MFSD	√	√			Both performance improvement and interpretability enhancement	Needs a large amount of data with fine-grained pixel/patch-level annotated labels
			Replay-Attack	√	√
			MSU-MFSD	√	√
			OULU-NPU	√	√
			SiW-M	√	√	√	√
[97]	Bi-directional feature pyramid network and fourier spectra supervision	Fourier spectra BCE	OULU-NPU	√	√			Introducing Fourier spectra enhances the accuracy of spoof detection.	The model’s generalization ability is limited.
			Replay-Mobile	√	√
[98]	Liveness and content features via disentangled representation learning	Depth map Texture map	CASIA-MFSD	√	√			Separating spoof and real features enhances feature discrimination ability and detection accuracy.	Disentanglement relies on precise data annotation.
			Replay-Attack	√	√
			SiW	√	√
			OULU-NPU	√	√
[99]	Discriminative features via fine-grained 3D point cloud supervision	3D point cloud	CASIA-MFSD	√	√			Capturing facial depth and geometric features and handling various types of spoofing attacks.	Obtaining 3D point cloud data is challenging.
			Replay-Attack	√	√
			SiW	√	√
			OULU-NPU	√	√

summarizes these FAS methods based on binary mask and extended supervision.

D.

FAS Based on Spatiotemporal Information

The information generated by facial movements is also captured within consecutive multiple frames of a video stream. This temporal data embedded within successive frames is conducive to face detection. The flowchart for this method is depicted in Figure 8. It should be noted that the spatiotemporal information derived from facial movements still belongs to passive, one-way detection methods. In this process, the system passively receives video or image streams and then employs models such as CNNs or LSTMs to learn temporal patterns for detecting spoofs.

Lin et al. [100] utilized planar homography to detect the correlated motion patterns in replayed videos that were absent in real faces. By dividing adjacent frames into regions and calculating homography relationships, they identified spoofed faces. Yang et al. [101] proposed a FAS method considering global temporal and local spatial cues combined CNN-LSTM for global spatiotemporal feature fusion and a region attention module for identifying critical local regions, thereby enhancing robustness and interpretability. Wang et al. [102] proposed a method that integrated spatial gradient and temporal depth learning, employing a residual spatial gradient block (RSGB) for extracting single-frame spatial features and a cascade of short-term spatiotemporal blocks followed by ConvGRU for multi-frame depth map generation. Cai et al. [103] presented a DRL-FAS framework. This method used ResNet18 for global spatial features and utilized RNN for local temporal learning, followed by feature fusion for classification. Wang et al. [104] introduced a temporal transformation network (TTN) for learning temporal cues, leveraged temporal difference attention (TDA) for utilize their complementarity on multiple frames and used temporal depth difference loss (TDL) for extracting depth information. Liu et al. [105] fused motion trajectories features, history cues and texture difference features from facial key points, using attention and skip connections to enhance robustness under varying lighting and attack conditions. In summary, spatiotemporal-based FAS methods effectively combine global and local features to distinguish genuine faces from spoofed ones. Nevertheless, their reliance on multi-frame processing increases computational complexity, thereby affecting the real-time performance.

Table 7. Overview of methods for FAS based on spatiotemporal information.

Ref.	Main Idea	Backbone	Datasets	Attacks			Advantages	Disadvantages
				2D-P	2D-R	3D-M
[100]	Utilizing local planar homography for capturing fine-grained facial motion cues.	Resnet	Replay-Attack	√	√		Contributing to the verification accuracy, the MPEM enhances the recall rate of the attack videos.	Local planar homography involving complex calculations
			OULU-NPU	√	√
[101]	Fusing global temporal and local spatial information from the video stream	CNN LSTM	Replay-Attack	√	√		Automatically focuses on important regions, enabling network behavior analysis and improving model interpretability.	Lots of experiments and dataset requirements complicate the research process and make reproduction more difficult.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			SiW	√	√
[102]	Combining spatial gradient and temporal depth information	CNN	Replay-Attack	√	√		The framework may process spatial gradient and temporal depth simultaneously to improve detection accuracy.	Processing spatial and temporal features is computationally intensive.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			SiW	√	√
			3DMAD			√
[103]	Deep reinforcement learning(DRL), global spatial features and local temporal learning	ResNet18 RNN	Replay-Attack	√	√		Reinforcement learning improves recognition accuracy.	Weak generalization ability.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√
			SiW	√	√
			ROSE-YOUTU	√	√	√
[104]	Multi-granularity temporal characteristics learning using ViT	ViT	Replay-Attack	√	√		Multi-granularity temporal features may capture more dynamic information and effectively improve the accuracy of FAS.	Increasing the computational complexity and requiring higher hardware resources.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√
			SiW	√	√
			CASIA-SURF	√
			CFA	√	√	√
			MLFP			√
[105]	Merging motion trajectories, history cues, and texture differences around the facial local key points with a attention module and skip fusion strategy.	Swin- Transformer	FAAD [105]	√	√	√	The model performs excellently under varying lighting conditions and motion scales.	Performance is influenced by the datasets, and user interaction may be needed.
			MMI [105]	√	√

provides an overview of these methods. As indicated in Table 7, this type of algorithm is capable of detecting common 2D print, 2D replay, and low-quality 3D mask attacks. However, due to the high computational overhead of multi-frame processing, it is not suitable for low-power real-time systems.

E.

FAS Based on Spoof Trace Separation

We refer to accurately isolating the essential spoofing features from a fake face as spoof trace separation. This type of FAS algorithm involves three basic steps, as seen in Figure 9. First, we input the fake face $I^{\prime }$ into the generator G to produce the spoof trace image $\mathrm{G}\left({\mathrm{I}}^{\prime }\right)$. Next, we subtract the spoof trace image $\mathrm{G}\left({\mathrm{I}}^{\prime }\right)$ from the fake face I’m to generate a synthetic real image ${\mathrm{I}}^{\prime }$−$\mathrm{G}{(\mathrm{I}}^{\prime })$. Finally, the final classification result will be computed based on the separated spoof traces.

Jourabloo et al. [106] introduced a three-part CNN structure, DS-Net for separating spoof traces and reconstruct real faces, DQ-Net for estimating depth information, and VQ-Net for differentiating reconstructed real faces from original ones. These networks operated iteratively, improving spoof detection. Similarly, Liu et al. [107] extended on this concept with the spoof trace disentanglement network (STDN), which not only reconstructed real faces but also generated synthetic spoofed faces, offering enhanced interpretability and robustness against diverse attacks. Compared to [106], ref. [107] had stronger interpretability and resistance to diverse attacks. Feng et al. [108] proposed a network with a spoof trace generator and auxiliary classifier, which addressed overfitting and enhanced generalization. Wu et al. [109] utilized a dual spoof disentanglement generation (DSDG) framework with a variational autoencoder (VAE) to disentangle latent features and enhance robustness. Similarly to [98], Wang et al. [110] combined dual-stage learning with reconstruction techniques to separate spoof-related features, improving the recognition of various attacks. Ge et al. [111] addressed domain shift with the DiffFAS framework, which employed generative diffusion models to create high-fidelity spoof faces, thereby enhancing data diversity and generalization. Yu et al. [112] used Fourier frequency disentanglement and data augmentation to improve cross-domain generalization by extracting frequency features and enhancing training samples.

FAS algorithms, which utilize spoof trace separation, enhance accuracy and interpretability by disentangling spoof traces from facial features, increasing robustness against complex attacks. However, these algorithms require high computational resources, complex structures, and cumbersome training processes. Therefore, they are best suited for scenarios that require high security levels, such as financial systems, facial payment, and government applications.

Table 8. Summary of FAS based on spoof trace separation.

Ref.	Main Idea	Backbone	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[106]	Utilizing noise modeling to obtain a spoof noise, and using it for classification	CNN	Replay-Attack	√	√			Utilizing multi-layer feature decoupling to improve model robustness on specific datasets.	The only defense against printed photos and video replays
			CASIA-MFSD	√	√
			OULU-NPU	√	√
[107]	Using adversarial learning to disentangle the spoof traces	GAN	OULU-NPU	√	√			Resisting diverse attacks and improving the detection accuracy.	Adversarial training needs high computing resources.
			SiW	√	√
			SiW-M	√	√	√	√
[108]	Utilizing U-Net to generate spoof cue maps with anomaly detection, and a auxiliary classifier made spoof cues more discriminative.	ResNet18 U-Net	Replay-Attack	√	√			General spoof cues can be learned to solve the problem of over-fitting and improve generalization.	Models require large amounts of diverse data.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			SiW	√	√
[109]	Learning a joint distribution of the identity representation and the spoofing pattern representation in the latent space	CDCN	Replay-Attack	√	√			Improves the model’s generalization ability and detection accuracy.	Generating paired live and spoofing images increase the complexity and time cost of training.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			SiW	√	√
			SiW-M	√	√	√	√
[110]	Effectively separating spoof-related features from irrelevant ones by incorporating reconstruction techniques.	ResNet18 U-Net [76]	Replay-Attack	√	√			Recognizes various spoofing attacks and improves their generalization across different attack types and conditions	Reliance on reconstruction may introduce additional complexity and computational overhead
			CASIA-MFSD	√	√
			MSU-MFSD	√	√
			SiW	√	√
			SiW-M	√	√	√	√
[111]	Using image style, image quality, and diffusion models for domain shift	UNet	Replay-Attack	√	√			To solve the problem of domain shift, and also alleviate the scarcity of labeled data with novel type attacks	Generating high-fidelity images may require significant computational resources.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√
			WMCA	√	√	√	√
			PADISI	√	√	√	√
[112]	Fourier frequency space disentanglement and data augmentation	DepthNet	Replay-Attack	√	√			The frequency domain analysis can capture subtle spoofing patterns.	Relying on low-level texture features may impact detection performance.
			CASIA-MFSD	√	√
			OULU-NPU	√	√
			MSU-MFSD	√	√

provides a summary of these methods.

FAS based on DL have achieved better performance than the traditional manual feature methods, greatly improving accuracy, especially when applied to a single domain. It more effectively detects 3D mask attacks, significantly advancing the development of FAS technology. Due to the inexplicability and limited generalization ability of DL-based methods, determining how to further improve the interpretability, controllability, and generalization ability of DL-based FAS remains a topic worthy of ongoing research.

3.1.3. FAS Based on Generalization

The current DL-based FAS methods have achieved satisfactory results in the evaluation of various datasets. However, these models are based on the assumption that the source and target datasets are independent and identically distributed (i.i.d.) [24], which often results in the trained model using a large number of domain-specific features for classification, such as background, lighting. The inability to learn features that can truly distinguish between real faces and spoof faces easily leads to the model overfitting on various datasets. In the real world, there are a lot of differences between the samples used for inference testing and the data used for training, such as environments, attack methods. Therefore, algorithms that overfit on the training datasets cannot be generalized to real usage scenarios. In other words, the model faces the problem of a weak generalization ability in out-of-domain scenarios.

This section will systematically summarize and analyze recent research progress on generalization models in the field of DL-based FAS. Starting from the difficulties and challenges encountered by FAS in real-world scenarios, the problems are divided into two categories: encountering unknown domains and encountering unknown attacks. Different methods for each problem are summarized, and then the methods for solving unknown domains are divided into two categories, domain adaptation and domain generalization. The methods for solving unknown attacks are divided into zero-shot/few-shot learning and anomaly detection. In this review, the term unknown domains refer to external variations unrelated to spoofing (e.g., background, lighting, and sensor noise) that nevertheless affect the visual quality of images. Generally speaking, the most significant domain discrepancy is covariate shift [113]. In contrast, unknown attacks typically refer to attack types that do not appear during the training phase and possess novel physical properties, such as material and geometry. The principles, advantages, and disadvantages of representative methods are detailed.

A.

Domain Adaptation

The purpose of domain adaptation (DA) is to train the model on the source domain to perform as well as possible on the target domain by using the given target domain’s knowledge [114]. Given a labeled source domain ${\mathrm{D}}_{\mathrm{s}}=\left\{{\mathrm{x}}_{\mathrm{i}},{\mathrm{y}}_{\mathrm{i}}\right\}$ and a target domain ${\mathrm{D}}_{\mathrm{t}}=\left\{{\mathrm{x}}_{\mathrm{i}},{\mathrm{y}}_{\mathrm{i}}\right\}$, we assume that their feature space and class space are the same, but their joint distribution is different, that is, ${\mathrm{X}}_{\mathrm{s}}={\mathrm{X}}_{\mathrm{t}}, {\mathrm{Y}}_{\mathrm{s}}={\mathrm{Y}}_{\mathrm{t}}, {\mathrm{P}}_{\mathrm{s}}(\mathrm{x},\mathrm{y})\ne {\mathrm{P}}_{\mathrm{t}}(\mathrm{x},\mathrm{y})$. The task of domain adaptation is to use source domain data to learn the prediction function $\mathrm{f}:{\mathrm{x}}_{\mathrm{t}}\to {\mathrm{y}}_{\mathrm{t}}$ so that f has the smallest prediction error in the target domain. In unsupervised domain adaptation, where the labels are not available in the target domain, that is, Y is unknown. The schematic diagram of the model is shown in Figure 10a.

Domain distribution discrepancy: Li et al. [115] proposed minimizing the maximum mean discrepancy (MMD) between the latent features in source and target domains was to learn a more generalized classifier. Li et al. [116] further proposed a novel optimization function for network distillation by combining cross-entropy loss, the MMD, and paired sample similarity embedding to effectively capture spoofing information. However, merely reducing the MMD distance between domains may not sufficiently exploit useful information from the source domain. This is why adversarial transfer learning has recently become a research hotspot.

Adversarial training: Wang et al. [117] proposed a disentangled representation learning net (DR-Net), which enabled the transfer of domain-independent knowledge to distinguish live and spoof faces in unlabeled target domains, with extensive evaluations on public datasets. Jia et al. [118] introduced a unified unsupervised and semi-supervised domain adaptation network (USDAN). It employed a marginal and conditional distribution alignment module for adversarial learning to minimize domain discrepancies and improve generalization. A Conditional Distribution Alignment (CDA) module could be flexibly used for semi-supervised or unsupervised settings. El-Din et al. [119] combined adversarial training with deep clustering to generate pseudo-labels for auxiliary training, addressing domain and device differences. Zhou et al. [120] utilized GANs to stylize target data to match source domain style, aligning features and reducing domain discrepancies to improve generalization and accuracy.

Other methods: Tu et al. [121] proposed a total pairwise confusion loss (TPC) and a fast DA module to improve generalization in live face detection and recognition, mitigating the negative impact of domain changes on prosthetic attack representation. Wang et al. [122] introduced a self-domain adaptation framework that utilizesd meta-learning to learn discriminative features across multiple source domains and adapt to target domain data during inference. Quan et al. [123] developed an adaptive transfer mechanism to reduce domain bias by gradually increasing the contribution of unlabeled target domain data during training. DA typically assume access to source and target data, but this is often unrealistic. To reduce reliance on source data source-free domain adaptation (SFDA) [124] was proposed. Liu et al. [125] introduced a SFDA framework for FAS (SDA-FAS), which utilized source-oriented regularization and contrastive domain alignment to reduce domain discrepancies. They extended on this with SDA-FASv2 [126], incorporating PatchMix data augmentation and supervised contrastive loss to mitigate domain and identity bias.

DA-based Methods can significantly improve the generalization ability of the model, but it is still necessary to employ the data of the target domain and uncover the relationship between the source and the target domains. Unfortunately, this requirement is not always met.

Table 9. Summary of FAS methods based on domain adaptation.

Ref.	Main Idea	Backbone	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[115]	MMD, Kernel Hilbert Space, and kernel mean matching (KMM)	AlexNet	Replay-Attack	√	√			Reduces the statistical distance between domains and has strong interpretability	MMD distance can not fully reflect the differences among domains.
			CASIA-MFSD	√	√
			MSU-MFSD	√	√
			ROSE-Youtu	√	√	√
[116]	Knowledge distillation and MMD	AlexNet	CASIA-MFSD	√	√
			Replay-Attack	√	√
			MSU-MFSD	√	√
			MSU-USSA	√	√
			ROSE-Youtu	√	√	√
[117]	Adversarial training, disentangled representation learning	ResNet18	Replay-Attack	√	√			Uses domain-independent features for classification	The decoupling strategy is simple and does not combine with prior knowledge.
			CASIA-MFSD	√	√
			MSU-MFSD	√	√
			ROSE-Youtu	√	√	√
			Oulu-NPU	√	√
			CASIA-SUR	√
[118]	Marginal and conditional distribution alignment	ResNet18	CASIA-MFSD Replay-Attack MSU-MFSD CASIA-SURF	√	√			Flexibly switches between unsupervised and semi-supervised.	Conditional distribution is relatively simple.
				√	√
				√	√
				√
[119]	Deep clustering and DA	MobileNetV3	Replay-Attack	√	√			Combined with deep depth, the distinguishing ability of feature representation is improved.	The model requires a large amount of calculation.
			MSU-MFSD	√	√
			Replay-Mobile	√	√
[120]	Directly stylizes the target data in the source-domain style via GAN translation.	GAN CNN	OULU-NPU	√	√			Improving the generalization by feature alignment from source and target domains using GAN	Self-generating adversarial samples takes a lot of time.
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			MSU-MFSD	√	√
[121]	Total pairwise confusion loss and fast domain adaption	CNN VGG-16	MSU-MFSD	√	√			Jointly addresses face recognition and face anti-spoofing in a mutually boosting way.	The multi-task training slightly decreases the interest performance of face anti-spoofing.
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			OULU-NPU	√	√
			SiW	√	√
			WMCA	√	√	√	√
[122]	Meta-learning to achieve self-domain adaptation without a large amount of labeled data	CNN	MSU-MFSD	√	√			Unsupervised meta-learning reduces reliance on annotated data, lowering annotation costs and time.	Depending on differences between source and target domains
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			OULU-NPU	√	√
[123]	Semi-supervised transfer, the unlabeled data with reliable pseudo labels, temporal consistency	CNN ResNet18	MSU-MFSD	√	√			Only a few pieces of labeled training data.	Noise or inconsistency may affect the quality of pseudo labels.
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			OULU-NPU	√	√
[126]	Source-free domain adaptation, source-oriented regularization, and contrastive domain alignment	DeiT-S [127]	MSU-MFSD	√	√			It enables effective domain adaptation without access to source domain data through generalized pretraining.	When the number of real or fake faces is extremely imbalanced, this work might not be robust enough.
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			OULU-NPU	√	√
			Celebi-Spoof	√	√	√
			3DMAD			√
			HKBU-M V2			√
			CASIA-SURF 3D			√

compares and summarizes DA-based FAS in terms of the main idea, backbone, datasets, attack types, advantages, and disadvantages.

B.

Domain generalization

Domain generalization (DG) [24,128] aims to train a model on source domains that can generalize to unseen target domains, without access to target domain data during training. Unlike DA, where target domain data is available, DG focuses on learning a model that minimizes prediction error in the unknown target domain. DG is more challenging because target domain data is unavailable and the model must be robust against out-of-distribution scenarios. Most DG research focuses on domain-invariant representation learning, using techniques like feature alignment, style alignment, gradient alignment, and meta-learning to identify representations that are effective across different domains. The schematic diagram of the model is illustrated in Figure 10b.

Feature alignment: Shao et al. [129] developed generalized feature extractors for multiple source domains through adversarial training, supplemented by auxiliary deep supervision to enhance generalization. They applied dual-force triple mining constraints to achieve compact within-class and dispersed between-class results. Jia et al. [130] argued that narrowing the distribution of attacks across domains might result in the neglect of domain-specific information. Consequently, they used adversarial learning and inequality three-tuple loss to treat attacks and live faces as separate categories. Wang et al. [131] utilized GANs to transfer images from RGB to the depth domain, addressing challenges like lighting and device variations. Liu et al. [132] introduced adaptive normalized representation learning (ANRL) to select domain-agnostic features adaptively, improving generalization with dual calibrated constraints (DCC) to aggregate the multiple source samples of the same class. Chen et al. [133] focused on camera-invariant spoofing features through high-frequency feature decomposition and enhanced discriminative capability by combining reconstructed images with high and low-frequency information. Wang et al. [134] applied consistency regularization to improve generalization across different environments, thereby reducing overfitting. Liao et al. [135] introduced a domain-invariant ViT (DiVT) for FAS that used a concentration loss to learn domain-invariant representations and a separation loss to distinguish attack types across domains. However, ViT tends to capture noisy features from background objects and other irrelevant details. Liu et al. [136] developed CFPL-FAS, which employed class-free prompt learning (CFPL) to learn different semantic prompts based on content and style features separately, with the aim of enhancing the model’s performance on unseen domains. Fang et al. [137] proposed VL-FAS, using fine-grained natural language descriptions and a sample-level visual text optimization (SLVT) module for improving domain generalization, though it did not fully leverage language supervision. Zhang et al. [138] introduced TF-FAS, which combined material and depth features with a semantic guidance mechanism for better cross-domain generalization.

Style alignment: Wang et al. [139] introduced the shuffled style assembly network (SSAN) to separate content and style in feature representations, creating a stylized feature space. They also built a large-scale FAS benchmark to further evaluate algorithm performance. Zhou et al. [140] proposed an instance-aware domain generalization framework that reduced sensitivity to instance-specific styles, aligning features without domain labels. Their method also included a dynamic kernel generator and categorical style assembly to improve style insensitivity. Zhou et al. [141] presented the TTDG framework, which enhanced model generalization by using test data. The test-time style projection (TTSP) module mapped unseen data styles into the training domain, and the diverse style shifts simulation (DSSS) module simulated various style changes, all without requiring the model to update at test time. This method worked with both CNN and ViT backbones.

Gradient alignment: Sun et al. [142] proposed SA-FAS, which encourages domain separability while aligning the live-to-spoof transition across all domains. This method learned domain-variant features but used a domain-invariant classifier, proving its effectiveness. Le and Woo [143] introduced GAC-FAS, using gradient alignment to encourage the model to converge to an optimal flat minimum for improving the model generalization without additional learning modules. GAC-FAS aligned gradient updates with empirical risk minimization (ERM) at key points in each domain.

In addition, Cai et al. [144] developed a hierarchical fusion module that combined RGB images and meta-pattern (MP) features across multiple levels to enhance performance and generalization for unknown domains. Zheng et al. [145] proposed FAMIM, a framework using frequency domain features and self-supervised learning to boost cross-domain generalization in FAS. Liu et al. [146] introduced UDGFAS, an unsupervised domain generalization framework that utilized identity-agnostic representations and nearest neighbor search to learn generalized domain-invariant features.

Overall, these studies improved the generalization performance of FAS by employing innovative techniques such as GANs, style-guided DA, and meta-learning.

Table 10. Summary of FAS methods based on domain generalization.

Ref.	Main Idea	Backbone	Advantages	Disadvantages
[129]	Using adversarial training, deep supervision and dual-force triple-mining constraints	DepthNet	Extract domain-independent discriminative features	Difficulty in fitting multiple discriminators
[130]	Leveraging single-side adversarial learning and asymmetric triplet loss for enhancing the generalization ability	ResNet18	Asymmetric processing improves the generalization performance	Asymmetric design needs to be improved
[131]	Transferring an input face image from the RGB domain to the depth domain	DenseNet	Alleviates the difficulties caused by appearance variations in lighting, image quality, and image capturing device.	Ignoring the temporal information may not work well for 3D spoofing attaches such as silicone masks.
[132]	To utilize AFNM to adaptively fuse normalized features from BN and IN and use DCC to aggregate the multiple source samples of the same class	CNN	Obtains domain-agnostic and discriminative representations for FAS.	To evaluate the method with extremely limited source domains.
[133]	Camera-invariant features and reconstructing images by low-frequency and high-frequency.	CNN	The camera-invariant feature learning enables the model to maintain stable performance under different camera devices.	Training and deployment costs are high.
[134]	Consistency regularization	CDCN	Consistency regularization ensures the consistency of feature representations.	It heavily relies on consistency under specific conditions, such as viewpoints and lighting.
[135]	A domain-invariant ViT, a concentration loss, and a separation loss	ViT	ViT reduces differences between domains and improves detection accuracy and robustness.	ViT has large data requirements and high computational complexity in visible light.
[136]	Using CFPL to learn semantic prompts based on content and style features	ViT	Learns more generalizable feature representations without relying on class labels.	It relies on a large amount of data.
[137]	Vision-language model (VLM) and a sample-level visual text optimization model	ViT-B	The method improves the precision and discriminative capability of feature extraction.	VLM may require substantial computational resources
[138]	Combining twofold element fine-grained semantic guidance: material and depth features	ViT-B/16	Strong generalization capability.	The dual feature and semantic mechanisms increase the model’s complexity.
[139]	Domain generalization through shuffled style assembly and recombination	DepthNet ResNet-18	Through domain style alignment, the negative impact of style differences across various domains is effectively mitigated. The model can maintain high robustness and generalization when facing different environmental conditions, such as camera devices and lighting variations.	Due to environmental changes such as variations in lighting, camera quality, and angles, style alignment may be inaccurate. This can cause the model to struggle in learning domain-invariant features effectively, impacting its generalization capability.
[140]	Learns the generalizable feature by weakening the features’ sensitivity to instance-specific styles	CNN
[141]	Test-time style projection (TTSL) and diverse style shifts simulation (DSSS)	ResNet18 ViT
[142]	Encouraging domain separability while aligning the live-to-spoof transition across all domains.	ResNet-18	This is achieved by aligning gradient updates or loss functions to enhance the model’s robustness across different domains.	The effectiveness is limited when facing highly diverse data domains, and significant tuning may be required to achieve optimal performance.
[143]	By aligning gradient updates for the model converging to an optimal flat minimum	ResNet-18
[144]	Designs a hierarchical fusion network to extract meta-features using meta-learning.	ResNet50	Integrating RGB images and MP information has advanced the research on hybrid methods.	The meta-model extractor needs optimization.
[145]	Introduces frequency-domain augmentation and a self-supervised learning	ViT-Tiny	--	Insufficient experimental validation.
[146]	Identity-agnostic representations, in-domain nearest neighbors	ResNet50	Fully unsupervised	Limited sample size may affect the model’s adaptability to complex scenarios.

compares and summarizes FAS based on domain generalization, outlining the main idea, backbone, advantages, and disadvantages. At present, the four widely used datasets are OULU-NPU (O), CASIA-MFSD (C), Idiap Replay Attack (I), and MSU-MFSD (M). Generally, each dataset is regarded as one domain, and the leave-one-out test protocol is applied to evaluate their cross-domain generalization. Specifically, O&C&I→M refers to the protocol that trains on OUlU-NPU, CASIA-MFSD, and Idiap Replay Attack, and tests on MSU-MFSD. O&M&I→C,O&C&M→I, and I&C&M→O are defined in a similar fashion.

Table 11. Comparison with the state-of-the-art FAS methods on four testing domains:’↓’ and ‘↑’ indicate that superior performance is associated with a lower HTER and a higher AUC.

Ref.	O&C&I→M		O&M&I→C		O&C&M→I		I&C&M→O
	HTER↓	AUC↑	HTER↓	AUC↑	HTER↓	AUC↑	HTER↓	AUC↑
[129]	27.98	80.02	22.19	84.99	17.69	88.06	24.50	84.51
SSDG-M [130]	25.17	81.83	18.21	94.61	16.67	90.47	23.11	85.45
SSDG-R [132]	15.61	91.54	11.71	96.59	7.38	97.17	10.44	95.94
[131]	18.26	89.40	21.43	88.81	19.40	86.87	22.03	87.71
[132]	15.67	91.90	16.03	91.04	10.83	96.75	17.85	89.26
[134]	14.4	93.3	13.5	96.0	10.0	95.5	17.8	89.8
[135]	13.06	94.04	3.71	99.29	2.86	99.14	8.67	96.92
[136]	2.50	99.42	5.43	98.41	1.43	99.28	2.56	99.10
[137]	7.92	97.05	5.00	98.90	3.13	99.31	4.00	98.64
[138]	3.44	99.42	0.81	99.92	2.24	99.67	2.26	99.48
[139]	13.72	93.63	8.88	96.79	6.67	98.75	10.00	96.67
[140]	8.86	97.14	10.62	94.50	5.41	98.19	8.70	96.40
[141]	10.00	96.15	6.50	97.78	7.91	96.83	8.14	96.49
[142]	5.95	96.55	8.78	95.37	6.58	97.54	10.00	96.23
[143]	8.60	97.16	4.29	98.87	5.00	97.56	8.20	95.16
[144]	5.24	97.28	9.11	96.09	15.35	90.67	12.40	94.26
[145]	5.71	97.71	9.89	95.60	8.42	96.05	12.66	94.40
[146]	7.14	97.31	11.44	95.59	6.28	98.61	12.18	94.36

compares state-of-the-art DG methods on four testing domains. In Table 11, We adopt the Half Total Error Rate (HTER), Area Under Curve (AUC) as evaluation matrix.

C.

Generalization Methods on Unknown attacks

Most previous DL-based methods treat FAS as a closed-set problem, concentrating on predefined spoofing attacks. However, it is unrealistic to cover all potential attacks within the dataset, leading to models that overfit on known attacks and remain vulnerable to unknown ones. Recently, researchers have shifted their focus towards making FAS models more robust to unknown attacks, with zero-shot/few-shot learning and anomaly detection being two popular approaches.

Methods Based on Zero-shot/Few-shot:

Zero-shot/few-shot learning, in theory, originate from DA, and methodologically fall under representation learning or meta-learning. Many existing approaches use spoofing samples of the same type during both training and testing, such as print attacks or replay attacks. However, these methods may perform poorly when encountering novel attacks that were not seen during training. Therefore, it is necessary to develop network models that can leverage previously learned knowledge to handle unknown attacks. To address this challenge, zero-shot/few-shot learning have emerged as important solutions. The key difference between the two lies in data availability. Zero-shot learning focuses solely on learning from existing spoofing types without access to any samples of novel attacks, whereas few-shot learning involves a small number of samples from the novel attack types.

Liu Y et al. [28] introduced the FAS database, which included 13 types of spoof attacks, and studied the zero-shot FAS problem. They proposed an unsupervised deep tree network (DTN) to classify unknown attacks. Pérez-Cabo et al. [147] proposed a meta-learning framework following the continual few-shot learning paradigm to address the problem of catastrophic forgetting, while enabling continuous model learning when faced with sequentially arriving novel attack data. Qin et al. [148] defined FAS as a zero-shot/few-shot problem and introduced an adaptive method that detected unknown attacks by learning from real and fake faces and new attack samples. Yang et al. [149] proposed a few-shot domain expansion strategy that aligned the source and target domains in the semantic space in an unsupervised manner, enabling the model to perform well in their joint expansion domain. George et al. [150] demonstrated that fine-tuned ViT models performed well on unknown attacks and cross-dataset evaluation. Nguyen et al. [151] presented a self-attention adversarial learning framework (ADGN) to create a generic yet distinct latent space (GDL-space) for improving generalization against rare, and unseen attacks. Huang et al. [152] introduced ensemble adapters and feature-wise transformation layers in ViT for robust performance with few samples.

Table 12. Overview of generalization methods based on zero-shot/few-shot.

Ref.	Main Idea	Backbone	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[28]	Deep tree learning, zero-Shot learning, and multiple classification	CNN	Replay-Attack	√	√			Zero-shot/ few-shot learning can use existing spoofing types without access to any samples of novel attacks or a small number of samples. Through technologies such as meta-learning or transfer learning, these methods can learn and infer, allowing for better adaptation to new or unknown attacks.	When attack samples are scarce or of poor quality, they may cause performance fluctuations. A small number of samples may limit feature expression capabilities. Zero-shot/few-shot learning (such as meta-learning or GAN) may increase the demand for computational resource and time requirements.
			CASIA-MFSD	√	√
			MSU-MFSD	√	√
			SiW-M	√	√	√	√
[147]	Leverage meta-learning models to adaptively update in the face of new attacks.	ResNet	CASIA-MFSD	√	√
			Replay-Attack	√	√
			3DMAD			√
			MSU-MFSD	√	√
			Replay-Mobile	√	√
			HKBU-M V2			√
			Oulu-NPU	√	√
			Rose-Youtu	√	√	√
			SiW	√	√
			CSMAD			√
[148]	By training a meta-model, it can quickly adapt to new tasks and new environments and maintain good performance even with zero or few samples.	PR-Net	CASIA-MFSD	√	√
			MSU-MFSD	√	√
			MSU-USSA	√	√
			SiW	√	√
			3DMAD			√
			Oulu-NPU	√	√
			Replay-Attack	√	√
			CASIA-SURF	√
[149]	Models can quickly scale and adapt to small amounts of new domain data	ResNet-18	Celeba-Spoof	√	√	√
			MSU-MFSD	√	√
			Oulu-NPU	√	√
			SiW	√	√
[150]	Using unsupervised pretraining and finetuning with a small amount of annotated data	ViT	WMCA	√	√	√	√
			SiW-M	√	√	√	√
[151]	Self-attention mechanism	Resnet-50	3DMAD			√
			CSMAD			√
			SiW-M	√	√	√	√
[152]	Adaptive Transformer performs feature extraction and attention mechanism optimization through hierarchical structures.	ViT	CASIA-MFSD	√	√
			Replay attack	√	√
			MSU-MFSD	√	√
			Oulu-NPU	√	√
			CASIA-SURF	√
			CASIA-CeFA	√	√	√
			WMCA	√	√	√	√

summarizes the FAS methods based on zero-shot/few-shot learning.

Methods based on anomaly detection:

Anomaly detection is designed to to identify abnormal samples that deviate from normality during testing. In face anti-spoofing, live faces are considered normal, while attacks are abnormal. Unlike the traditional two-class classification, anomaly detection usually employs a one-class classification, using only real faces for training, as attack types are often unknown in practical scenarios.

Pérez-Cabo et al. [153] introduced a deep metric learning model with triplet loss and a few-shot a posteriori probability estimation for anomaly detection, improving feature representations. Fatemifar et al. [154] extended anomaly detection by incorporating client-specific thresholds and utilizing a one-class classifier based on Gaussian distribution based statistical hypothesis to enhance performance. Baweja et al. [155] proposed an end-to-end anomaly detection model that introduced a pseudo-negative class using a Gaussian distribution. However, it faced issues with poor robustness. Similarly, George et al. [156] used a one-class classifier with multi-channel CNNs for anomaly detection, relying on normal face data. Fatemifar et al. [157] further developed a client-specific anomaly detection method, adapting classifiers to each user’s data for better accuracy and generalization. Huang et al. [158] proposed OC-SCMNet, a one-class method that uses spoof cue maps (SCMs) to learn spoof features from live faces, aiming for zero responses for real faces while dynamically preserving spoof features in a memory bank.Besides, Jiang et al. [159] employed evidence theory to handle the confidence of model outputs, quantifying uncertainty and enabling the model to be more robust against unknown attacks. They also established a semantic consistency loss to ensure that feature representations remain consistent across different scenarios.

Table 13. Overview of FAS based on anomaly detection.

Ref.	Main idea	Backbone	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[153]	Anomaly detection, metric learning, and introducing a few-shot a posteriori probability estimation	ResNet-50	CASIA-MFSD	√	√			By learning normal facial features and detecting significant abnormal samples, the anomaly detection method maintains good performance in different datasets and scenarios. It can identify attack types that do not appear in the training set, and have strong adaptability and generalization capabilities.	It relies on high-quality normal samples and may be sensitive to environmental changes and the diversity of normal faces, resulting in increased false positive rates.
			Replay-Attack	√	√
			MSU-MFSD	√	√
			GRAD-GPAD [160]	√	√	√
			UVAD		√
[154]	A one-class classifier with Gaussian distribution based statistical hypothesis and client-specific extension of anomaly detection	VGG16	Replay-Attack	√	√
			Replay-Mobile	√	√
			Rose-Youtu	√	√	√
[155]	Pseudo-negative class using Gaussian distribution and pairwise confusion loss	VGGFace	Replay-Attack	√	√
			Rose-Youtu	√	√	√
			Oulu-NPU	√	√
			SiW	√	√
[156]	One-class representation and a Gaussian Mixture Model	MCCNN	WMCA	√	√	√	√
			SiW-M	√	√	√	√
			MLFP			√
[157]	Using client-specific information in a one-class anomaly detection and representations derived from CNNs	VGG16	Replay-Mobile	√	√
			Replay-Attack	√	√
			Rose-Youtu	√	√	√
[158]	One-class representation using SCMs for zero responses for real faces	CNN	CASIA-MFSD	√	√			By not relying on spoof attacks, estimating SCMs and guiding feature learning enhance the detection capability for unseen attacks.	The design of SCMs guidance and the memory bank increases the complexity of the model.
			Replay-Attack	√	√
			MSU-MFSD	√	√
			Oulu-NPU	√	√
			SiW	√	√
			3DMAD			√
			HKBU-MARs			√
			CASIA-SURF	√
[159]	A regularized evidential DL strategy and an entropy optimization-based semantic consistency learning strategy	ResNet-18	CASIA-MFSD	√	√			It could generalize well to cross-scenario target domains with both known and unknown PAs with different types and quantities.	--
			Replay-Attack	√	√
			MSU-MFSD	√	√
			Oulu-NPU	√	√
			Rose-Youtu	√	√	√
			HQ-WMCA	√	√	√	√

compares and summarizes generalization methods based on anomaly detection, detailing the main idea, backbone, datasets, attack types, advantages, and disadvantages.

3.2. FAS with Advanced Sensors

3.2.1. FAS Based on Multi-Modality

Multi-modality refers to information derived from different sensors and presented in different forms, including RGB images, depth images, and infrared images, with each being a modality. For the same object, multi-modality can provide heterogeneous information that is semantically related and complementary in content, allowing for features that would remain undetected through a single modality. Therefore, combining multiple modalities can effectively counteract forgery attacks in a single modality and enhance the detection capability of FAS.

Currently, FAS datasets are composed of RGB datasets, though Zhang et al. [161] released the first multi-modal large-scale dataset, CASIA-SURF, which included RGB images, depth images, and infrared images. In the Chalearn LAP multi-modal FAS attack detection challenge at CVPR2019 [162], Parkin et al. [163] used an existing face recognition network to detect multi-modal spoofing attacks, achieving first place on the CASIA-SURF dataset, while the method had a heavy parameter load. Shen et al. [164] extracted discriminative features using patch-based feature learning and applied multi-stream fusion with a modal feature erasing (MFE) layer to enhance performance, achieving second place with a score of 99.8052% on the above dataset. In addition to various modalities, racial differences will affect the ability to generalize FAS. To address this, CeFA [165] expanded CASIA-SURF with racial images from East Asia, Central Asia, and Africa, becoming the largest cross-racial multi-modal dataset currently. Yu et al. [166] extracted high-frequency features from face images in the CeFA dataset using CDCN and integrated information from different modalities, enhancing the model’s capability in cross-racial scenarios. To address the challenge of high-quality masks in multi-modal methods, Yang et al. [167] proposed PipeNet, which selected the most suitable branch network structure for different modality images provided by CeFA, maximizing the utilization of multi-modal information.

Next, researchers have explored multi-modal algorithms for FAS using datasets like CASIA-SURF and CeFA. A. Liu et al. [168] proposed the cross-modal auxiliary (CMA) framework, which combined a modality translation network (MT-Net) and a modality assistance network (MA-Net), eliminating the need for additional modalities during testing. W. Liu et al. [169] introduced a two-stage cascade framework that combined feature-level and decision-level fusion for improved accuracy and robustness. A. Liu et al. developed MA-ViT [170] and FM-ViT [171], integrating ViT with multi-modality to enhance generalization and adaptability, despite the fact that they had high computational costs. He et al. [172] proposed a lightweight multi-modal FAS using a patch-level feature extraction network, which reduced parameters while maintaining accuracy. Lin et al. [173] introduced a multi-modal domain generalization framework, which utilized an uncertainty-guided cross-adapter (U-Adapter) and the rebalanced modality gradient modulation (ReGrad) to address modality unreliability and imbalance. Yu et al. [174] combined local descriptors with a self-supervised pretraining model for multi-modal FAS. Antil et al. [175] used ViT with overlapping patches to fuse multi-modal features effectively.

Table 14. Overview of FAS based on multi-modality.

Ref.	Main Idea	Backbone	Datasets	Attacks				Advantages	Disadvantages
				2D-P	2D-R	3D-M	OA
[163]	Leveraging complementary information across modalities.	ResNet18 ResNet34 ResNet50	CASIA-SURF	√				High detection accuracy	Having a heavy parameter load
[164]	Bag-of-local-features and randomly erasing a certain modality	ResNext	CASIA-SURF	√				MFE enhances generalization	High computa- tional overhead and training time.
[166]	High-frequency features and multi-modal features	CDCN	CFA	√	√	√		Improving the model’s ability under different racial conditions	---
[167]	Using selective modality pipeline fusion network	CNN SENet154	CFA	√	√	√		Selective fusion reduces the impact of redundant information	The modality selection strategy may lead to instability in performance.
[168]	Adversarial cross-modality alignment	CycleGAN	CASIA-SURF	√				Adversarial cross-modality alignment enhances the model’s generalization ability	The adversarial training process is complex and computationally expensive.
			CFA	√	√	√
			WMCA	√	√	√	√
			SiW	√	√
			OULU-NPU	√	√
			CASIA-MFSD	√	√
			Replay-Attack	√	√
			MSU-MFSD	√	√
[169]	Nonlinearly fuses low-level and high-level features from different modalities.	ResNet50	MIPD [169]	√	√	√		Good performance against multi-material 3D mask spoofing	2D spoofing detection may be subpar in complex scenarios.
			CASIA-SURF	√
[170]	Paying attention to the modal independence	ViT	CASIA-SURF	√				Improving generalization for different modal data	Higher computational complexity
			MSU-MFSD	√	√
[171]	Flexibly adjusting the structure for different modalities	ViT	CASIA-SURF	√				Improving adaptability to different modalities	Same as above
			MSU-MFSD	√	√
[172]	Patch-level images from multi-modal data and uses a lightweight network	LMFFNet [172]	CASIA-SURF	√				Reducing parameters while maintaining accuracy	Weaker robustness to illumination changes and complex backgrounds
			Replay-Attack	√	√
			CASIA-MASD	√	√
[173]	U-Adapter and ReGrad strategy to address modality unreliability and imbalance	ViT	CFA	√	√	√		Enhancing the generalization by addressing the modality unreliabi- lity and imbalance	Needs to further adopt more efficient uncertainty estimation techniques.
			PADISI-Face	√	√	√	√
			CASIA-SURF	√
			WMCA	√	√	√	√
[174]	A modality- asymmetric masked autoencoder, self- supervised without costly annotated labels	ViT	WMCA	√	√	√	√	Being robust under various missing-modality cases	Weaker generalization and discriminative capacity of this method
			CASIA-SURF	√
			CFA	√	√	√
[175]	Uses overlapping patches, parameter sharing in the ViT and a hybrid feature block	ViT	WMCA	√	√	√	√	Computationally efficient	Need further enhancement of generalization.
			CASIA-SURF	√

summarizes multi-modal FAS methods, including main ideas, backbones, datasets, attack types, advantages, and disadvantages.

3.2.2. FAS Based on Smartphones

Compared with general-purpose FAS methods that focus on accuracy and generalization issues [15], FAS on smartphones places more emphasis on practical issues in real-world applications, such as security, usability, and practicality. Therefore, FAS on smartphones can utilize various sensors (e.g., camera, microphone, speaker, accelerometer, etc.) to detect spoof faces. Meanwhile, FAS on smartphones often requires participants to evaluate their systems in the real-world using prototypes they implement on smartphones.

It is also important to note that in current FAS research, most detection methods remain one-way, where the system passively receives input images or video streams and then performs liveness or spoof detection. In contrast, FAS methods on smartphones are often interactive and two-way in nature. That is, the system actively issues instructions or stimuli, such as playing sounds, emitting light, or gaze responses, and the user is required to produce a genuine response. This interaction enables more reliable spoof detection.

FAS based on acoustic: The Echoprint method [176] was the first to combine RGB visual and acoustic modalities for user authentication, emitting sound signals to capture 3D facial contours, yet it overlooked face anti-spoofing. Chen et al. [177] introduced Echoface, which utilized acoustic signals to differentiate real faces from flat forgeries with over 96% accuracy across varying conditions. EchoFAS [178] enhanced performance through the use of short-time Fourier transform (STFT), CNN, fast Fourier transform (FFT), and ViT for feature extraction. Zhang et al. [179] proposed SonarGuard, which combined ultrasonic micro-Doppler features and lip motion trajectories for robust FLD on mobile devices. Xu et al. [180] presented AFace, leveraging sound wave reflectivity for adaptable and easy-to-implement face anti-spoofing.

FAS based on optical: Studies like [181,182] used flash for FLD based on reflective properties, yet they faced a poor user experience. Farrukh et al. [183] proposed FaceRevelio, which utilized photometric stereo to recover 3D facial depth features for real/fake classification. Zhang et al. [184] introduced Aurora Guard (AG), leveraging light reflection to extract depth and material features and adding a light CAPTCHA (i.e., the random light parameters sequence) for enhancing security. Kim et al. [185] developed a LiDAR-based FAS algorithm that resisted light changes and replayed attacks by providing 3D depth data and using random light patterns as a security mechanism.

FAS based on sensors: Xu et al. [186] leveraged the penetrability, material sensitivity, and fine-grained sensing capability of millimeter wave (mmWave) to propose a FAS algorithm named mmFace. By capturing facial biometric features and structural characteristics from mmWave signals reflected off the face, mask attacks can be detected. Later, Xu et al. [187] extracted both the 3D geometry and inner biomaterial features of faces using a cost radio frequency identification(RFID) tag array, which could effectively identify 2D print/replay and 3D mask attacks with high accuracy.

On top of this, Zheng et al. [188] designed GazeGuard, which captured a user’s gaze responses and corresponding periocular features using random dots to ensure accurate face authentication. Yu et al. [189] introduced Auto-FAS, based on neural architecture search (NAS), to find lightweight networks suitable for mobile-level FAS and real-time applications. Kong et al. [190] proposed M3FAS, a multi-modal mobile system that integrated visual and auditory modalities with a dual-branch neural network and multi-head training strategy, improving accuracy, generalization, and robustness.

Table 15. Overview of FAS on smartphones: 2D represents print and replay attacks, while 3D represents 3D mask attacks and Adv represents physical adversarial attacks.

Methods	Ref.	Clues	Advantages	Disadvantages	Attacks	Special Hardware
FAS based on acoustic	[176]	3D geometric structure	Acoustic-based FAS can effectively detect spoofing attacks using readily available smartphone sensors without additional hardware.	The effectiveness of acoustic signals may be affected by environmental noise or interference.	2D, adv	No
	[177]	3D geometric structure			2D, adv	No
	[178]	RGB-based models and 3D geometric structure			2D, 3D	No
	[179]	3D geometric structure			2D, 3D	No
	[180]	3D geometric structure			2D, 3D	No
FAS based on optical	[181]	Motion, 3D geometric structure	This can be performed using existing cameras and flashes, making it easy to implement	Strong dependence on lighting and poor user experience	2D, 3D, adv	No
	[182]	3D geometric structure			2D, 3D	No
	[183]	3D geometric structure	Simple and fast	Not detecting 3D attacks	2D	No
	[184]	The depth map and the material map	Simple, fast, yet effective	Needing an extra light source to generate the reflection frames	2D, 3D	No
	[185]	3D geometric structure	LiDAR is insensitive to variations in lighting.	Limited by the availability of LiDAR devices.	2D, 3D	LiDAR
FAS based on sensors	[186]	Material differences	Offering strong resistance to mask spoofing attacks	Relying on the widespread adoption and cost of millimeter-wave radar	2D, 3D, adv	mmWave radar
	[187]	Material differences	RFID device support, lower hardware requirements	Compatibility may be limited	2D, 3D, adv	RFID
Others	[188]	Motion, biometric	Eye movement patterns are highly individual-specific and difficult to forge	Need for high-precision eye-tracking equipment	2D, 3D, adv	No
	[189]	Neural architecture search (NAS) and pixel-wise binary supervision	Lightweight and fast	Not detecting 3D attacks	2D	No
	[190]	Combining visual and auditory modalities	Enhancing generalization capability	The computation is relatively complex.	2D	No

compares FAS on smartphones in terms of spoofing clues, advantages, disadvantages, attack types, and hardware.

4. Datasets for Face Anti-Spoofing

The total amount of datasets, the richness of data types, the data collection equipment, the collection environment, and other factors will all affect the performance of FAS. Most of the reviewed datasets are publicly available, while a small number are not. When introducing different datasets, we mainly focus on the characteristics of the datasets, the year, the number of living faces or spoof faces, including the number of samples, types of attacks, and the influencing factors such as lighting, posture, and prosthetic face material considered during recording.

Table 16. Overview of FAS datasets in the RGB modality: ‘#Sub.’ is short for subjects, typically referring to participants in data collection, individuals, or forged facial entities. The fifth column’s RGB refers to RGB images. In the seventh column labeled ‘#Live/Spoof’, ‘I’ and ‘V’ denote ‘images’ and ‘videos’, respectively.

No.	Datasets	Year	Attack Types	Model	#Sub	#Live/ Spoof	Setup
1	CASIA- MFSD [25]	2012	Print (flat, wrapped, cut), Replay (tablet)	RGB	50	150/ 450 (V)	Seven scenarios and three levels of image quality
2	Replay- Attack [191]	2012	Print (flat), Replay (tablet, phone)	RGB	50	200/ 1000 (V)	Lighting and holding
3	Kose and Dugelay [192]	2013	Print (flat), Replay (tablet, phone)	RGB	35	200/ 198 (I)	--
4	MSU-MFSD [68]	2015	Replay (monitor)	RGB	404	70/ 210(V)	Indoor scenario; two types of cameras
5	UVAD [193]	2015	Replay (monitor)	RGB	404	808/ 16,268 (V)	Different lighting, background and places in two sections
6	REPLAY- Mobile [194]	2016	Print (flat), Replay (monitor)	RGB	--	390/ 640 (V)	Five lighting conditions
7	MSU-USSA [49]	2016	Print (flat), Replay (laptop, tablet, phone)	RGB	1140	1140/ 9120 (I)	Uncontrolled; two types of cameras
8	HKBU-MV2 [40]	2016	Mask (hard resin) from Thatsmyface and REAL-f	RGB	12	504/ 504 (V)	Seven cameras from stationary and mobile devices and six lighting settings
9	OULU-NPU [195]	2017	Print (flat), Replay (phone)	RGB	55	720/ 2880 (V)	Lighting & background in 3 section
10	SiW [196]	2018	Print (flat, wrapped), Replay (phone, tablet, monitor	RGB	165	1320/ 3300 (V)	Four sessions with variations of distance, pose, illumination and expression
11	Rose- Youtu [115]	2018	Print (flat), Replay (monitor, laptop), Mask (paper, crop-paper)	RGB	20	500/2850 (V)	Five front-facing phone camera; Five different illumination conditions
12	CelebA- Spoof [77]	2020	Print (flat, wrapped), Replay (monitor, tablet, phone), Mask (paper).	RGB	10,177	6384/ 469,153 (I)	Four illumination conditions; indoor & outdoor; rich annotations
13	CASIA- SURF 3DMask [87]	2020	Mask (mannequin with 3D print).	RGB	48	288/ 864(V)	High-quality identity-preserved; Three decorations and six environments
14	RECOD- MPAD [84]	2020	Print (flat), Replay (monitor).	RGB	45	450/ 1800 (V)	Outdoor environment and low-light & dynamic sessions
15	HiFiMask [27]	2021	Mask (transparent, plaster, resin).	RGB	75	13650/ 40,950 (V)	three mask decorations; seven recording devices; six lighting conditions (periodic/random); six scenes
16	SiW-M [28]	2022	Print (flat), Replay, Mask (hard resin, plastic, silicone, paper, Mannequin), Makeup (cosmetics, impersonation, Obfuscation), Partial (glasses, cut paper).	RGB	493	660/ 968 (V)	Indoor environment with pose, lighting and expression variations
17	SuHiFiMask [197]	2023	2D image, Video replay, 3D Mask with materials Resin, Plaster, Silicone, Paper	RGB	101	10195/ 10,195 (V)	Long distance using surveillance cameras, recording in three scenes, three lighting types, and four types of weather
18	WFAS [198]	2023	Print (newspaper, poster, photo, album, picture book, scan photo, packging, cloth), Display (phone, tablet, TV, computer), Mask, 3D Model (garage kit, doll, adult doll, waxwork).	RGB	469,920	529,571/ 853,729 (I)	Internet, unconstrained settings.
19	SynthASpoof [199]	2023	1 Print, 3 Replay.	RGB	25,000	25,000/ 78,800 (I&V)	--

provides an overview and comparative analysis of FAS datasets in RGB modality.

Table 17. Overview of multimodal datasets: ‘#Sub.’ is short for subjects, typically referring to participants in data collection, individuals, or forged facial entities. The fifth column’s RGB, Depth, NIR, Thermal, and SSI refer to RGB images, depth images, near-infrared images and Thermal images, and Snapshot Spectral Imaging (SSI), respectively. In the seventh column ‘#Live/Spoof’, ‘I’, ‘V’, and ‘A’ denotes ‘images’, ‘videos’, and ‘acoustic signal’, respectively.

No.	Datasets	Year	Attack Types	Modal	#Sub	#Live/ Spoof	Setup
1	3DMAD [200]	2014	Mask (paper, hard resin)	RGB Depth	17	170/ 85 (V)	Three sessions (2 weeks interval)
2	GUC-LiFFAD [201]	2015	Print (Inkjet paper, Laserjet paper), Replay (tablet)	Light field	80	1798/ 3028 (V)	Distance of 1.5∼2 m in constrained conditions
3	3DFS-DB [202]	2016	Mask (plastic)	RGB Depth	--	260/260 (V)	Head movement with rich angles
4	ERPA [203]	2017	Print (flat), Replay (monitor), Mask (resin, silicone)	RGB Depth, NIR, Thermal	5	Total 86 (V)	Subject positioned close (0.3∼0.5 m) to the two types of cameras
5	MLFP [204]	2017	Mask (latex, paper)	VIS, NIR, Thermal	10	150/1200 (V)	Indoor and outdoor with fixed and random backgrounds
6	CSMAD [205]	2018	Mask (custom silicone)	RGB, Depth, NIR, Thermal	14	104/ 159 (V + I)	Four lighting conditions
7	WMCA [206]	2019	Print (flat), Replay (tablet), Partial (glasses), Mask (plastic, silicone, and paper, Mannequin)	RGB, Depth, NIR, Therma	72	347/1332 (V)	Six sessions with different backgrounds and illumination; pulse data for bonafide recordings
8	CASIA-SURF [161]	2019	Print (flat, wrapped, cut)	RGB, Depth, NIR	1000	3000/ 18,000 (V)	Background removed; Randomly cut eyes, nose or mouth areas
9	CASIA-SURF CeFA [165]	2021	Print (flat, wrapped), Replay, Mask (3D print, silica gel)	RGB, Depth, NIR	1607	300/ 27,900 (V)	Three ethnicities; outdoor & indoor; decoration with wig and glasses
10	PADISI-Face [207]	2021	Print (flat), Replay (tablet, phone), Partial (glasses, funny eye), Mask (plastic, silicone, transparent, Mannequin	RGB, Depth, NIR, SWIR, Thermal	360	1105/ 924 (V)	Indoor, fixed green background, 60-frame sequence of 1984 × 1264 pixel images
11	HySpeFAS [208]	2024	Print attacks, 3D mask attacks, Medical masks, Makeup attacks	SSI	6760	Train: 520/ 3380 (I) VAL: 208/ 728 (I) Test: 1924	Hyperspectral images were expertly reconstructed from SSI images utilizing the TwIST [209]. Each hyperspectral image boasts 30 spectral channels, offering a rich and diverse spectral representation.
12	UniAttackData [210]	2024	Physical Attacks: Print (flat, wrapped), Replay, Mask (3D print, silica gel). Digital Attacks: Adv (6), DeepFake (6)	RGB, Depth, NIR	1800	29706 (V) (Live: 1800, Fake: 27,906)	--
13	Echoface- Spoof [190]	2024	Print (A4 paper), Replay (Pad Pro (2388 × 1668), iPad Air 3 (2224 × 1668))	RGB, Acoustic	--	250,000 (I, A) (82,715, 166,637)	Samsung Edge Note (2560 × 1440) Samsung Galaxy S9 (3264 × 2448) Samsung Galaxy S21 (4216 × 2371) Xiaomi Redmi7 (3264 × 2448)

provides an overview and comparative analysis of multimodal datasets.

5. Research Challenges and Future Research Directions

5.1. FAS-Based Generalization

Challenge: From the analysis of FAS methods in Section 4, it is evident that several effective methods have been proposed within the realm of generalization research. These include adversarial domain adaptation, generative domain adaptation, meta-learning, style alignment, gradient alignment, and various deep representation learning techniques. These methods have significantly improved the performance of FAS in cross-domain scenarios. Moreover, zero-shot learning, few-shot learning, and anomaly detection show promise in handling unknown attacks. These traditional domain adaptation methods typically require simultaneous access to source and target domain data. However, source domain data may not be shared in real-world scenarios due to privacy concerns, security concerns, or other reasons. Therefore, data privacy and security issues need further exploration and resolution in the field of FAS.

Future Research Directions: (1) Source-free domain adaptation (SFDA): SFDA has become a research hotspot in recent years, aiming to perform domain adaptation when source domain data is unavailable. SFDA methods adapt to the target domain using only pre-trained source models and target domain data. Liu et al. [126] combined domain-generalized pretraining with SFDA to enhance the cross-domain generalization ability of FAS models. Some studies have introduced federated learning [211] and prompt learning [136,212] into the DA scenario. For example, Liu et al. [136] introduced class-free prompt learning (CFPL) to improve the cross-domain generalization of FAS. Therefore, future research could explore methods integrating federated learning, prompt learning, and DG techniques for domain adaptation. (2) Multi-domain adaptation: Future research could explore adapting to multiple target domains and effectively transferring knowledge simultaneously. Multi-domain adaptation can help models perform consistently across different devices and environments, improving their generalization capability.

5.2. Multimodal Domain Generalization

Challenge: ① Modality distribution differences: Data distribution varies significantly across modalities (e.g., RGB, depth, infrared), and differences in sensor quality and resolution can lead to unreliable multi-modal live/spoof feature extraction [213]. This may mislead other modalities through cross-modal fusion. ② Imbalance and scarcity of training Samples: The imbalance between genuine and attack samples is more pronounced in multimodal settings. Particularly for new attack types that are scarce, models often excessively rely on the dominant modality with the fastest convergence (i.e., fast modality), which hampers the full utilization of other slower modalities [214]. ③ Insufficient unified multimodal datasets: There are a limited number of datasets available for cross-modal research, especially exceptionally high-quality multimodal datasets, which restricts in-depth exploration in this area.

Future Research Directions: First, create richer multimodal datasets. Second, it is essential to further develop more effective multimodal domain generalization methods for addressing modality unreliability and imbalance. Finally, exploring more lightweight and efficient multimodal FAS algorithms (such as EfficientFormer-V2 [215]) aims to meet real-time detection and low-computation resource requirements, ensuring the safe and reliable application of cross-modal FAS technologies in practical scenarios.

5.3. FAS Based Unsupervised Domain Generalization

Challenge: Currently, the majority of FAS algorithms are based on supervised learning, primarily relying on labeled datasets to distinguish between genuine faces and attack samples. However, obtaining labeled data is labor-intensive and costly, leading to the well-known problem of data scarcity in FAS, which hinders practical applications. In recent years, some studies have begun to explore semi-supervised [118] or self-supervised [125,134,216,217] learning methods aimed at reducing dependence on fully supervised data by leveraging limited labeled data or self-generated pseudo-labels. The model’s generalization capability may be poor if the self-supervised pretext tasks are not highly correlated with the FAS task. A significant challenge for few-shot weakly supervised learning is whether the small number of samples can effectively cover various attack types and ensure the model’s generalization ability. However, these methods are based on pretext tasks, resulting in limited performance and an inability to alleviate actual domain shifts. Furthermore, unsupervised domain generalization (UDG) benchmarks for various scenarios, such as cross-attack types, have yet to be established. Therefore, unsupervised algorithms show great potential in reducing data labeling costs and improving cross-domain generalization capabilities.

Future Research Directions: UDG [218,219] aims to learn a model from an unlabeled set of source domains such that it can semantically cluster images in an unseen target domain. Recently, Qi et al. [220] applied the batch and instance normalization techniques to UDG where there were no labels in the training domains to acquire invariant and transferable features. Liu et al. [146] proposed the first unsupervised domain generalization framework for FAS. In addition, contrastive learning (such as MoCo [221] and SimCLR [222]) can enforce invariance to various augmentations. Therefore, combining contrastive learning with other unsupervised learning strategies to investigate UDG FAS algorithms is possible.

5.4. Timeliness Issues

Challenge: Firstly, most existing algorithms emphasize detection performance and generalization but often overlook the model complexity and computational resources, which limits their application on mobile or low-power devices. For example, competitions and databases have been released to boost research progress for FAS [27,161,165]. These challenges have focused on specific problems that affect the accuracy of the methods, such as multimodal information [162], 3D mask attacks [27], and surveillance scenarios [197]. However, constraints have been imposed on the model’s compactness and efficiency. Secondly, transformer models (such as ViT [135] and Swin-Transformer [223]) suffer from large model sizes and require substantial computational resources. However, increasing accuracy often means more complex models, which can reduce real-time processing capability. Thirdly, there is a trade-off between detection accuracy and speed, thereby making it a key challenge to balance high accuracy with efficient algorithms. Lastly, real-time detection systems must adapt to various practical scenarios, such as lighting conditions, camera quality, and background changes. Existing models often need to improve in response to these dynamic environmental changes.

Future Research Directions: Firstly, to enhance robustness and generalization in real-time detection, techniques like model compression and pruning can be employed to lightweight models should be designed and develop efficient FAS algorithms suitable for low-resource devices, thereby improving real-time performance. In recent years, several lightweight neural networks have been proposed, such as MobileNet-V2 [224], Mobile-ViT [225], and EfficientFormer-V2. These networks will contribute to designing lightweight FAS algorithms. Secondly, online learning and adaptive systems should be researched to enable them to dynamically adjust in changing environments, thereby enhancing model performance and adaptability in complex scenarios.

5.5. Unified Detection

Many existing FRSs treat FLD, deepfake detection, and FR as separate tasks while they are related tasks. So far, only a few efforts have focused on this unified detection task. Deb et al. [226] proposed a unified approach to detect digital attacks (such as deepfakes and adversarial examples) and physical attacks (such as photo, video replay, and 3D mask attacks). Al-Refai et al. [227] designed a multitask ViT-based model that achieved high accuracy for both face presentation attack detection and face representation and matching (FRM). Fang et al. [210] collected a unified physical-digital attack dataset (called UniAttackData) and proposed a unified attack detection framework based on a vision-language model (VLM). They validated the superiority of this unified face attack detection method on the dataset. Yu et al. [228] established the first joint benchmark for spoofing and deepfakes detection. They proposed a new multimodal framework that combined rPPG signals and RGB facial images, achieving optimal detection performance. Shi et al. [229] proposed a new benchmark using a multi-attribute chain of thought (MA-COT) paradigm to evaluate the capabilities of Multi-Modal large language models (MLLMs) in FAS and forgery detection, thereby advancing the development of multimodal and joint detection tasks. The literature [228,229] demonstrated that joint training can significantly enhance generalization capability as spoofing and deepfake detection are highly related tasks. Therefore, joint detection is a novel topic that requires more attention. Future work should establish standard protocols for this task to promote the development of new models. In addition to benchmarks and protocols, extracting more the generalized features and intrinsic cues between these highly related tasks is important to further improve generalization capability.

6. Conclusions

We investigated the evolutionary advancements in FAS algorithms over the past decade, focusing on the significant achievements and scientific trends of DL-based FAS algorithms in the last five years. Early successful attempts focused on constructing efficient classifiers through robust, handcrafted features. Since 2014, there has been a shift from traditional, handcrafted features to modern, data-driven neural network models. Around 2018, research shifted towards domain generalization, including robustness and generalization to unknown domains and attacks. According to statistical results from this review, research on generalization has achieved significant breakthroughs and has expanded to cover various types of attacks and datasets. However, current research still primarily focuses on single-modal (RGB) photo and replay video attacks. To successfully deploy FAS models in more complex scenarios, such as cross-domains, cross-modalities, and mobile device environments, further and deeper investigations are still required. Finally, we analyze the current issues and future research trends in face anti-spoofing algorithms, providing references for forensic research and development within the face community.