Papers
Topics
Authors
Recent
Search
2000 character limit reached

FakeIDet2: Identity-Aware Forgery Detection

Updated 8 July 2026
  • FakeIDet2 is an identity-aware detection motif that spans diverse applications, including privacy-aware fake ID document screening and deepfake video analysis.
  • It employs a methodology using controlled patch extraction, DINOv2-based embeddings, and multi-head self-attention to fuse local and global evidence.
  • The associated benchmark evaluates over 900K ID patches under varied attack scenarios, highlighting a strategic privacy–accuracy trade-off in practical deployments.

Searching arXiv for the cited FakeIDet2-related papers and closely related identity-aware detection work. FakeIDet2 is an overloaded designation in recent identity-centric forgery-detection research. In the supplied literature, it most explicitly denotes a privacy-aware fake identity document detector and benchmark built around patch extraction, DINOv2-based embeddings, and attention-based fusion (Muñoz-Haro et al., 14 Aug 2025). The same designation is also attached in the summaries to three identity-aware deepfake-detection systems: Diff-ID, which measures identity loss after attribute alignment in face-swap imagery (Yu et al., 2023); ID-Reveal, which models person-specific temporal facial motion in video (Cozzolino et al., 2020); and an individualized detector that exploits near-idempotency under double neural-network operations for known public figures (Rahman et al., 2023). This suggests that “FakeIDet2” functions less as a single canonical architecture than as a broader identity-aware detection motif.

1. Terminological scope and disambiguation

In the provided material, the name appears in four distinct technical contexts.

Designation in summary Domain Core mechanism
Diff-ID DeepFake face-swap detection Identity-difference quantification after face-swap alignment
ID-Reveal DeepFake video detection Temporal metric learning on 3DMM motion
FakeIDet2 Fake identity document detection Privacy-aware patches, DINOv2 embeddings, MHSA fusion
Individualized detector Public-figure deepfake detection Double-pass reconstruction and identity conditioning

The document-analysis formulation is the only one whose arXiv title explicitly contains “FakeIDet2” and whose contribution list includes a new public database, a privacy-aware methodology, a detector, and a reproducible benchmark (Muñoz-Haro et al., 14 Aug 2025). By contrast, the three deepfake-detection summaries are identity-aware facial-forensics methods whose supplied details label them as “FakeIDet2” despite different published titles (Yu et al., 2023). This naming overlap is a potential source of confusion. A common misconception is that FakeIDet2 refers to one fixed detector architecture; the supplied evidence instead indicates multiple identity-conditioned formulations with different modalities, objectives, and threat models.

2. Privacy-aware patch methodology for fake identity documents

The 2025 FakeIDet2 framework addresses remote user verification scenarios in which a service platform authenticates a submitted picture of a user’s identity document before granting access to a digital service (Muñoz-Haro et al., 14 Aug 2025). Its starting point is a privacy constraint: real ID data are scarce for research and development because IDs are sensitive documents usually kept private by ID owners and ID Holders. Rather than sharing entire ID images, the method trains on small patches extracted under controlled protocols. The summary states that this both preserves user privacy, because no full ID can be reconstructed, and reduces overfitting to document-wide cues.

Three anonymization levels are defined. In the non-anonymized condition, all regions of the ID are visible. In the pseudo-anonymized condition, only non-sensitive regions are visible and a fixed set of sensitive fields, including name, DOB, and ID number fragments, is blacked out across every image from that ID. In the fully-anonymized condition, all sensitive fields are completely masked.

Patch extraction is also tightly specified. Patch sizes are 64×6464\times64 and 128×128128\times128 pixels, with no overlap and step equal to patch size. Any patch with more than 80%80\% black pixels is discarded. From the remaining patches, each patch is retained with probability p=0.9p=0.9, which the summary describes as further preventing reconstruction. Filenames and patch ordering are randomized so that no spatial layout can be inferred. The implementation note states that PyTorch’s unfold is used to crop non-overlapping patches before filtering and sampling.

This privacy-aware design is central to the method’s identity-document setting. It also clarifies a second misconception: anonymization is not treated as a binary pre-processing afterthought, but as an experimental variable that directly mediates the privacy–accuracy trade-off.

3. FakeIDet2-db benchmark and attack surface

FakeIDet2-db is described as a public database comprising over 900K real/fake ID patches extracted from 2,000 ID images (Muñoz-Haro et al., 14 Aug 2025). The summary table gives the underlying acquisition counts: 47 official Spanish IDs, 45 acquisition images per ID from $3$ sensors, $3$ heights, and $5$ lighting conditions, for a total of 47×45=211547\times45=2\,115 real ID images. It further reports 3×2115=63453\times2\,115=6\,345 attack images across all attack types, while the subset used for patching is 10001\,000 bona-fide plus 128×128128\times1280 fake images, yielding 128×128128\times1281 images and 128×128128\times1282 total extracted patches from pseudo- and fully-anonymized data at two patch sizes.

Acquisition hardware spans an iPhone 15, a Xiaomi Mi 9T Pro, and a Redmi 9C NFC. Heights are 10 cm, 12.5 cm, and 15 cm above the ID using a 3D-printed jig. Illumination conditions are no-light plus flash, dim-light with or without flash, and bright-light with or without flash.

The attack taxonomy contains three physical attacks. Print attacks scan an ID at 600 dpi, print it on glossy paper, laminate it, and re-photograph it. Screen attacks display each real ID image full-screen on an XDR laptop panel and re-photograph it with a randomly chosen phone. Physical composite attacks print small fields such as name, DOB, and ID-number fragments on matching paper, crop and overlay them onto genuine cards, and photograph the result. The summary explicitly notes that no GAN or synthetic attacks are in FakeIDet2-db itself.

Patch counts expose the class imbalance that later motivates dynamic weighting. For example, at 128×128128\times1283 with non-anonymized data, composite patches number 3,810, far below the 52,976–56,017 range of the other classes; at 128×128128\times1284, the non-anonymized composite class has 7,931 patches versus more than 211K in the other classes. This suggests why composite attacks are operationally important despite their relatively small patch count.

4. Model architecture and optimization

The detector is organized into three cascaded modules: a Privacy-Aware Patch Extractor, a Patch Embedding Extractor, and Patch Embedding Fusion plus Classifier (Muñoz-Haro et al., 14 Aug 2025). The Patch Embedding Extractor uses a frozen DINOv2 ViT-S/14 backbone, followed by a trainable linear layer that maps the DINOv2 output to a 128-dimensional embedding 128×128128\times1285. Patch-level supervision uses four labels: 128×128128\times1286.

The loss is AdaFace with dynamic class weights to counter severe class imbalance. The summary presents a generic softmax-based margin loss, then gives CosFace, ArcFace, and AdaFace variants, with AdaFace adapting the margin to the embedding norm. Dynamic class weighting begins from initial weights 128×128128\times1287 inversely proportional to class frequencies,

128×128128\times1288

and evolves linearly toward 1 over training epochs: 128×128128\times1289 The final weighted loss for sample 80%80\%0 is

80%80\%1

Patch Embedding Fusion treats the set of learned patch embeddings 80%80\%2 as a sequence 80%80\%3. Two stacked Multi-Head Self-Attention layers with residual connections and LayerNorm are then applied. The summary specifies standard projections 80%80\%4, 80%80\%5, 80%80\%6, single-head attention

80%80\%7

and multi-head aggregation through concatenation and output projection. Attention pooling “a la Bahdanau” collapses the sequence to a single 128-dimensional vector 80%80\%8, and a one-layer MLP plus sigmoid yields the final score

80%80\%9

An ID is flagged fake if p=0.9p=0.90. The Equal Error Rate threshold p=0.9p=0.91 is defined by

p=0.9p=0.92

Architecturally, the method couples local evidence and document-level reasoning. The summary’s own interpretation is that the dual-module design allows spotting both global artifacts, such as print and screen cues, and localized ones, such as composite edits.

5. Evaluation protocol, performance, and limitations

The benchmark defines four scenarios: intra-database evaluation on FakeIDet2-db with a by-ID p=0.9p=0.93 train and p=0.9p=0.94 test split while ensuring the oldest ID version appears only in evaluation; leave-one-attack-out; leave-one-sensor-out; and cross-database testing on DLC-2021, KID34K, and the synthetic Chilean set of Benalcazar et al. (Muñoz-Haro et al., 14 Aug 2025). Metrics follow ISO/IEC 30107-3 through BPCER, APCER, and EER.

The main ablation on p=0.9p=0.95, non-anonymized patches shows that AdaFace with dynamic weights achieves p=0.9p=0.96 EER on screen attacks, p=0.9p=0.97 on print, p=0.9p=0.98 on composite, and p=0.9p=0.99 overall. Competing margin-loss variants are uniformly worse overall: CosFace without weighting and with static weighting both yield $3$0 overall EER, CosFace with dynamic weighting yields $3$1, and ArcFace with dynamic weighting yields $3$2.

Comparison against whole-ID processing is more pronounced. Fine-tuned DINOv2 on the whole ID reaches $3$3 overall EER, while FakeIDet2 at $3$4 reaches $3$5, and FakeIDet2 at $3$6 reaches $3$7. The earlier FakeIDet baseline performs poorly on composite attacks, with $3$8 EER at $3$9 and $3$0 at $3$1, versus $3$2 and $3$3 for FakeIDet2.

Anonymization degrades performance in a graded manner. Training on $3$4 patches and evaluating on non-anonymized data yields $3$5 overall EER for non-anonymized training, $3$6 for pseudo-anonymized training, and $3$7 for fully-anonymized training. The summary states that even with pseudo-anonymization, performance is acceptable, enabling a privacy–accuracy trade-off.

Generalization studies reveal where the method fails. In leave-one-attack-out testing with pseudo-anonymized $3$8 training, omitting composite attacks produces $3$9 EER on composite samples and $5$0 overall, while omitting screen attacks produces $5$1 EER on screen attacks. In leave-one-sensor-out evaluation, removing iPhone 15 data from training yields $5$2 overall EER, compared with $5$3 without Xiaomi and $5$4 without Redmi. Cross-database EER is $5$5 on DLC-2021 overall, $5$6 on KID34K overall, and $5$7 on the Benalcazar synthetic set. The summary accordingly identifies three remaining challenges: composite attacks when unseen, domain shift to synthetic GAN fakes, and sensor generalization when the highest-quality camera is absent from training.

These results also address a third misconception. The method is not simply a privacy wrapper around a generic vision transformer. Its empirical advantage depends on patch granularity, imbalance-aware metric learning, and sequence-level fusion.

6. Identity-aware deepfake detection variants associated with the label

The supplied material also associates “FakeIDet2” with three identity-aware deepfake detectors, each operationalizing identity in a different way. Diff-ID explains and measures identity loss induced by facial manipulations by aligning a test image and an authentic reference image of the same person into a common identity-insensitive attribute feature space using a face-swapping generator based on SimSwap and ArcFace (Yu et al., 2023). Given a reference $5$8 and a test $5$9, it forms four swaps 47×45=211547\times45=2\,1150, 47×45=211547\times45=2\,1151, 47×45=211547\times45=2\,1152, and 47×45=211547\times45=2\,1153, computes masked residual norms, defines normalized Euclidean identity drift 47×45=211547\times45=2\,1154 and angular drift 47×45=211547\times45=2\,1155 together with test-branch analogues, and combines them into

47×45=211547\times45=2\,1156

A threshold 47×45=211547\times45=2\,1157 separates real and fake samples, and the method uses no learning on fake samples. Frame-level AUC reaches 47×45=211547\times45=2\,1158 on FF++, 47×45=211547\times45=2\,1159 on DFD, 3×2115=63453\times2\,115=6\,3450 on CelebDF, and 3×2115=63453\times2\,115=6\,3451 on DeeperForensics-1.0, with JPEG compression from quality factor 100 to 20 causing at most a 3×2115=63453\times2\,115=6\,3452 AUC drop. Its stated limitation is scope: it targets face-swap forgeries with noticeable identity loss and fails on reenactment methods that leave core identity intact.

ID-Reveal instead models how a person moves while talking in video (Cozzolino et al., 2020). After face detection and cropping, each frame is regressed to a 62-dimensional 3DMM coefficient vector consisting of 40 shape, 10 expression, and 12 rigid-pose parameters. A purely convolutional 1D Temporal ID Network with dilated convolutions maps the resulting sequence to 128-dimensional per-frame embeddings with a temporal receptive field of about 51 frames. Metric learning on real videos only brings genuine pairs closer than imposters, while an adversarial 3DMM Generative Network forces the encoder to rely on motion rather than static appearance. At inference, the detector computes

3×2115=63453\times2\,115=6\,3453

against a small gallery of pristine references for the claimed identity and thresholds the result. On DFD facial reenactment, it reports 3×2115=63453\times2\,115=6\,3454 accuracy with AUC 3×2115=63453\times2\,115=6\,3455 in HQ and 3×2115=63453\times2\,115=6\,3456 accuracy with AUC 3×2115=63453\times2\,115=6\,3457 in LQ, with more than 15 points of improvement in accuracy over the best supervised approach on high-compressed videos. Here the identity signal is temporal and behavioral rather than appearance-based.

The individualized public-figure detector takes a third route by exploiting near-idempotency under double neural-network operations (Rahman et al., 2023). For each public figure, a small autoencoder 3×2115=63453\times2\,115=6\,3458, trained in a Faceswap-GAN style on that person’s real videos, reconstructs or simulates deepfake generation for that identity. The method assumes 3×2115=63453\times2\,115=6\,3459 for already fake samples but 10001\,0000 for authentic ones. An identity-aware feature extractor 10001\,0001, initialized from a ResNet pretrained on 10M unlabeled faces and fine-tuned via teacher–student distillation, is concatenated with an explicit identity decoder, and two decoupled Siamese MLP branches embed pairs into 10001\,0002. Training uses a two-pair contrastive loss that pushes authentic versus reconstructed pairs apart while pulling reconstructed versus twice-reconstructed pairs together. On a dataset of approximately 32K images from 45 public figures, it reports AUC 10001\,0003, compared with 10001\,0004 for EfficientNetAutoAttB4ST and 10001\,0005 for Xception, together with a 17% reduction in standard deviation relative to the EfficientNet baseline.

Taken together, these three methods show that the identity-aware detection motif can be instantiated through residual identity drift, person-specific temporal dynamics, or identity-conditioned idempotency. A plausible implication is that the recurring attachment of the “FakeIDet2” label to such systems reflects a shared emphasis on identity as the invariant around which forgery evidence is organized, even though the underlying architectures and application domains differ substantially.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to FakeIDet2.