- The paper introduces a compact multimodal generative model leveraging both textual and visual modalities to enhance ID card PAD robustness.
- It employs zero-shot and fine-tuned evaluations across five countries, outperforming unimodal baselines with lower error rates in real-world settings.
- The study highlights limitations of synthetic datasets and emphasizes the need for diverse, realistic data to improve detection accuracy.
A Compact Multimodal Approach for Robust Cross-Domain Presentation Attack Detection on ID Cards
Introduction
Presentation attack detection (PAD) for ID cards remains a high-stakes field in real-world remote identity verification, challenged by the limited availability of labeled, diverse, and privacy-compliant datasets. This paper introduces a compact multimodal approach based on an adapted SmolVLM2 architecture to enhance the robustness of PAD on ID cards across domains and heterogeneous data distributions, integrating both visual and textual modalities. The methodology addresses generalization challenges by comparing classical deep learning, unimodal, and advanced multimodal strategies in extensive cross-dataset and cross-country evaluations. Emphasis is placed on assessing generative and discriminative variants of the model, revealing distinct error and generalization profiles.
Datasets and Threat Model
The evaluation encompasses five countries: Chile, Mexico, Poland, Portugal, and Spain. Chile and Mexico datasets are sourced from genuine ID cards, while those from Poland, Portugal, and Spain comprise open-access synthetic passport datasets. Four attack modes are included: bona fide (authentic), printed (rephoto), screen (on-device display and rephoto), and border (region swap or manipulation). Notably, the genuine datasets present class imbalance, with attack examples outnumbering bona fide cases.
The datasets allow a thorough analysis of the domain shift problem, observing PAD model performance when confronted with data from both real and synthetic ID variants as well as variation in attack implementations.

Figure 1: Examples of four attack types in Chile and Mexico datasets, including Bona Fide, Screen, Border, and Printed categories.

Figure 2: Attack type examples for synthetic datasets (Poland, Portugal, Spain) with Bona Fide, Screen, and Printed attacks.
Model Architectures
Three modeling paradigms are systematically compared:
- Deep Learning Baseline: DenseNet-121, a classical CNN, fine-tuned for binary PAD classification.
- Unimodal Model: SigLIP-SO400M Vision Transformer variant, trained solely on visual modality, isolating the discriminatory power of high-capacity vision encoders.
- Multimodal Model: A compact SmolVLM2-based framework, supporting both textual and visual modalities. Two architectural heads are investigated:
- Generative Structure: The model predicts authenticity by generating dedicated <BONAFIDE> and <ATTACK> tokens conditioned on both image and forensic PAD prompt.
- Discriminative Structure: The model directly outputs class scores via a lightweight classifier attached at a designated text position, bypassing explicit token generation, but still leveraging the fused multimodal context.
Parameter-efficient fine-tuning is conducted via LoRA, targeting only the text decoder side, while the vision encoder remains frozen.
Figure 3: SmolVLM2 structures for PAD on ID cards; generative mode utilizes <FAKE> and <BONAFIDE> tokens, while discriminative adds LoRA during fine-tuning.
Experimental Protocol
All models are trained on the Chile dataset (genuine ID cards) and evaluated across all datasets (genuine and synthetic) in zero-shot, fine-tuned generative, and fine-tuned discriminative settings. Performance is quantified using ISO/IEC 30107-3 metrics: Equal Error Rate (EER), Bona fide Presentation Classification Error Rate (BPCER), and Attack Presentation Classification Error Rate (APCER). Hyperparameters are rigorously optimized using Optuna, and performance is assessed at multiple operating points (B10, B20, B100).
Results
The unimodal SigLIP baseline achieves state-of-the-art EER on the Chile dataset (0.85%), but its performance degrades nontrivially under domain shift (e.g., Mexico EER of 9.17%). Classical DenseNet achieves 2.21% EER on Chile, but fails on cross-country (36.77% EER on Mexico) and on synthetic datasets, where EER exceeds 23%.
Zero-shot (frozen) multimodal models fail to effective PAD (EERs near or above chance, e.g., 50.46% on Chile for SmolVLM2-500M, 45.26% for SmolVLM2-2.2B).
After fine-tuning:
- Generative Structure: SmolVLM2-2.2B achieves 0.93% EER on Chile and 5.99% on Mexico, showing superior cross-country robustness compared to all other methods. Performance advantage is especially evident under strong domain shift, where smaller model variants or non-multimodal models degrade.
- Discriminative Structure: Inferior to the generative counterpart (e.g., Chile EER of 17.08%, Mexico EER of 19.29% for 2.2B). Performs competitively only on some synthetic datasets (Portugal, Poland), but with high instability.
- Synthetic datasets: All models, including strong generative and unimodal, exhibit erratic and often catastrophic failures, with EER and BPCER frequently nearing 100% (especially Spain), indicating a fundamental distribution mismatch with genuine data.

Figure 4: Cross-country DET curves for DenseNet, SigLIP-SO400M, and SmolVLM2 show error profiles under zero-shot, discriminative, and generative settings across five countries.
Discussion
The results reveal that general multimodal pretraining, even with large-scale data, does not endow zero-shot PAD capability on genuinely challenging ID data. Robust PAD on unseen, real ID cards requires targeted supervised adaptation, with generative, prompt-conditioned multimodal approaches providing the best cross-domain transfer. Incorporating explicit multimodal fusion and natural language forensic task prompts, together with sufficient parameter capacity, produces models resilient to country and ID template shifts. Discriminative adaptation or unimodal vision-only training is less robust, suffering a greater loss under distribution shift.
Synthetic datasets, despite their utility for augmenting privacy-compliant data, do not reliably replicate the distributional nuances of bona fide and attack presentation found in operational settings. Failure cases suggest that the reliance on synthetic data benchmarks for PAD should be re-examined, with an urgent need for more realistic, diverse, and privacy-aware data generation protocols.
Implications and Future Work
The findings imply that future practical PAD systems for digital onboarding, KYC, and eID verification should:
- Embrace compact, efficient multimodal generative architectures with explicit task prompting mechanisms.
- Avoid over-relying on synthetic datasets for robustness validation, advocating for larger, cross-country, real-world datasets with representational diversity.
- Develop improved synthetic data generation approaches that more accurately resemble real document artifacts and manipulation strategies.
Further research should investigate more principled multimodal fusion, scalable prompt engineering, domain adaptation transfer, and model interpretability for forensic evidence attribution.
Conclusion
Generative multimodal models, when adapted and fine-tuned with representative, real ID data, demonstrate superior PAD robustness to cross-country and cross-domain variation relative to classical deep learning, unimodal, and discriminative multimodal approaches. Zero-shot performance remains inadequate. Synthetic datasets pose a significant challenge for PAD benchmarking due to fundamental distributional differences. This underscores the need for comprehensive, realistic benchmarks and further advances in multi-domain multimodal PAD methods.