FakeIDet2: Identity-Aware Forgery Detection
- FakeIDet2 is an identity-aware detection motif that spans diverse applications, including privacy-aware fake ID document screening and deepfake video analysis.
- It employs a methodology using controlled patch extraction, DINOv2-based embeddings, and multi-head self-attention to fuse local and global evidence.
- The associated benchmark evaluates over 900K ID patches under varied attack scenarios, highlighting a strategic privacy–accuracy trade-off in practical deployments.
Searching arXiv for the cited FakeIDet2-related papers and closely related identity-aware detection work. FakeIDet2 is an overloaded designation in recent identity-centric forgery-detection research. In the supplied literature, it most explicitly denotes a privacy-aware fake identity document detector and benchmark built around patch extraction, DINOv2-based embeddings, and attention-based fusion (Muñoz-Haro et al., 14 Aug 2025). The same designation is also attached in the summaries to three identity-aware deepfake-detection systems: Diff-ID, which measures identity loss after attribute alignment in face-swap imagery (Yu et al., 2023); ID-Reveal, which models person-specific temporal facial motion in video (Cozzolino et al., 2020); and an individualized detector that exploits near-idempotency under double neural-network operations for known public figures (Rahman et al., 2023). This suggests that “FakeIDet2” functions less as a single canonical architecture than as a broader identity-aware detection motif.
1. Terminological scope and disambiguation
In the provided material, the name appears in four distinct technical contexts.
| Designation in summary | Domain | Core mechanism |
|---|---|---|
| Diff-ID | DeepFake face-swap detection | Identity-difference quantification after face-swap alignment |
| ID-Reveal | DeepFake video detection | Temporal metric learning on 3DMM motion |
| FakeIDet2 | Fake identity document detection | Privacy-aware patches, DINOv2 embeddings, MHSA fusion |
| Individualized detector | Public-figure deepfake detection | Double-pass reconstruction and identity conditioning |
The document-analysis formulation is the only one whose arXiv title explicitly contains “FakeIDet2” and whose contribution list includes a new public database, a privacy-aware methodology, a detector, and a reproducible benchmark (Muñoz-Haro et al., 14 Aug 2025). By contrast, the three deepfake-detection summaries are identity-aware facial-forensics methods whose supplied details label them as “FakeIDet2” despite different published titles (Yu et al., 2023). This naming overlap is a potential source of confusion. A common misconception is that FakeIDet2 refers to one fixed detector architecture; the supplied evidence instead indicates multiple identity-conditioned formulations with different modalities, objectives, and threat models.
2. Privacy-aware patch methodology for fake identity documents
The 2025 FakeIDet2 framework addresses remote user verification scenarios in which a service platform authenticates a submitted picture of a user’s identity document before granting access to a digital service (Muñoz-Haro et al., 14 Aug 2025). Its starting point is a privacy constraint: real ID data are scarce for research and development because IDs are sensitive documents usually kept private by ID owners and ID Holders. Rather than sharing entire ID images, the method trains on small patches extracted under controlled protocols. The summary states that this both preserves user privacy, because no full ID can be reconstructed, and reduces overfitting to document-wide cues.
Three anonymization levels are defined. In the non-anonymized condition, all regions of the ID are visible. In the pseudo-anonymized condition, only non-sensitive regions are visible and a fixed set of sensitive fields, including name, DOB, and ID number fragments, is blacked out across every image from that ID. In the fully-anonymized condition, all sensitive fields are completely masked.
Patch extraction is also tightly specified. Patch sizes are and pixels, with no overlap and step equal to patch size. Any patch with more than black pixels is discarded. From the remaining patches, each patch is retained with probability , which the summary describes as further preventing reconstruction. Filenames and patch ordering are randomized so that no spatial layout can be inferred. The implementation note states that PyTorch’s unfold is used to crop non-overlapping patches before filtering and sampling.
This privacy-aware design is central to the method’s identity-document setting. It also clarifies a second misconception: anonymization is not treated as a binary pre-processing afterthought, but as an experimental variable that directly mediates the privacy–accuracy trade-off.
3. FakeIDet2-db benchmark and attack surface
FakeIDet2-db is described as a public database comprising over 900K real/fake ID patches extracted from 2,000 ID images (Muñoz-Haro et al., 14 Aug 2025). The summary table gives the underlying acquisition counts: 47 official Spanish IDs, 45 acquisition images per ID from $3$ sensors, $3$ heights, and $5$ lighting conditions, for a total of real ID images. It further reports attack images across all attack types, while the subset used for patching is bona-fide plus 0 fake images, yielding 1 images and 2 total extracted patches from pseudo- and fully-anonymized data at two patch sizes.
Acquisition hardware spans an iPhone 15, a Xiaomi Mi 9T Pro, and a Redmi 9C NFC. Heights are 10 cm, 12.5 cm, and 15 cm above the ID using a 3D-printed jig. Illumination conditions are no-light plus flash, dim-light with or without flash, and bright-light with or without flash.
The attack taxonomy contains three physical attacks. Print attacks scan an ID at 600 dpi, print it on glossy paper, laminate it, and re-photograph it. Screen attacks display each real ID image full-screen on an XDR laptop panel and re-photograph it with a randomly chosen phone. Physical composite attacks print small fields such as name, DOB, and ID-number fragments on matching paper, crop and overlay them onto genuine cards, and photograph the result. The summary explicitly notes that no GAN or synthetic attacks are in FakeIDet2-db itself.
Patch counts expose the class imbalance that later motivates dynamic weighting. For example, at 3 with non-anonymized data, composite patches number 3,810, far below the 52,976–56,017 range of the other classes; at 4, the non-anonymized composite class has 7,931 patches versus more than 211K in the other classes. This suggests why composite attacks are operationally important despite their relatively small patch count.
4. Model architecture and optimization
The detector is organized into three cascaded modules: a Privacy-Aware Patch Extractor, a Patch Embedding Extractor, and Patch Embedding Fusion plus Classifier (Muñoz-Haro et al., 14 Aug 2025). The Patch Embedding Extractor uses a frozen DINOv2 ViT-S/14 backbone, followed by a trainable linear layer that maps the DINOv2 output to a 128-dimensional embedding 5. Patch-level supervision uses four labels: 6.
The loss is AdaFace with dynamic class weights to counter severe class imbalance. The summary presents a generic softmax-based margin loss, then gives CosFace, ArcFace, and AdaFace variants, with AdaFace adapting the margin to the embedding norm. Dynamic class weighting begins from initial weights 7 inversely proportional to class frequencies,
8
and evolves linearly toward 1 over training epochs: 9 The final weighted loss for sample 0 is
1
Patch Embedding Fusion treats the set of learned patch embeddings 2 as a sequence 3. Two stacked Multi-Head Self-Attention layers with residual connections and LayerNorm are then applied. The summary specifies standard projections 4, 5, 6, single-head attention
7
and multi-head aggregation through concatenation and output projection. Attention pooling “a la Bahdanau” collapses the sequence to a single 128-dimensional vector 8, and a one-layer MLP plus sigmoid yields the final score
9
An ID is flagged fake if 0. The Equal Error Rate threshold 1 is defined by
2
Architecturally, the method couples local evidence and document-level reasoning. The summary’s own interpretation is that the dual-module design allows spotting both global artifacts, such as print and screen cues, and localized ones, such as composite edits.
5. Evaluation protocol, performance, and limitations
The benchmark defines four scenarios: intra-database evaluation on FakeIDet2-db with a by-ID 3 train and 4 test split while ensuring the oldest ID version appears only in evaluation; leave-one-attack-out; leave-one-sensor-out; and cross-database testing on DLC-2021, KID34K, and the synthetic Chilean set of Benalcazar et al. (Muñoz-Haro et al., 14 Aug 2025). Metrics follow ISO/IEC 30107-3 through BPCER, APCER, and EER.
The main ablation on 5, non-anonymized patches shows that AdaFace with dynamic weights achieves 6 EER on screen attacks, 7 on print, 8 on composite, and 9 overall. Competing margin-loss variants are uniformly worse overall: CosFace without weighting and with static weighting both yield $3$0 overall EER, CosFace with dynamic weighting yields $3$1, and ArcFace with dynamic weighting yields $3$2.
Comparison against whole-ID processing is more pronounced. Fine-tuned DINOv2 on the whole ID reaches $3$3 overall EER, while FakeIDet2 at $3$4 reaches $3$5, and FakeIDet2 at $3$6 reaches $3$7. The earlier FakeIDet baseline performs poorly on composite attacks, with $3$8 EER at $3$9 and $3$0 at $3$1, versus $3$2 and $3$3 for FakeIDet2.
Anonymization degrades performance in a graded manner. Training on $3$4 patches and evaluating on non-anonymized data yields $3$5 overall EER for non-anonymized training, $3$6 for pseudo-anonymized training, and $3$7 for fully-anonymized training. The summary states that even with pseudo-anonymization, performance is acceptable, enabling a privacy–accuracy trade-off.
Generalization studies reveal where the method fails. In leave-one-attack-out testing with pseudo-anonymized $3$8 training, omitting composite attacks produces $3$9 EER on composite samples and $5$0 overall, while omitting screen attacks produces $5$1 EER on screen attacks. In leave-one-sensor-out evaluation, removing iPhone 15 data from training yields $5$2 overall EER, compared with $5$3 without Xiaomi and $5$4 without Redmi. Cross-database EER is $5$5 on DLC-2021 overall, $5$6 on KID34K overall, and $5$7 on the Benalcazar synthetic set. The summary accordingly identifies three remaining challenges: composite attacks when unseen, domain shift to synthetic GAN fakes, and sensor generalization when the highest-quality camera is absent from training.
These results also address a third misconception. The method is not simply a privacy wrapper around a generic vision transformer. Its empirical advantage depends on patch granularity, imbalance-aware metric learning, and sequence-level fusion.
6. Identity-aware deepfake detection variants associated with the label
The supplied material also associates “FakeIDet2” with three identity-aware deepfake detectors, each operationalizing identity in a different way. Diff-ID explains and measures identity loss induced by facial manipulations by aligning a test image and an authentic reference image of the same person into a common identity-insensitive attribute feature space using a face-swapping generator based on SimSwap and ArcFace (Yu et al., 2023). Given a reference $5$8 and a test $5$9, it forms four swaps 0, 1, 2, and 3, computes masked residual norms, defines normalized Euclidean identity drift 4 and angular drift 5 together with test-branch analogues, and combines them into
6
A threshold 7 separates real and fake samples, and the method uses no learning on fake samples. Frame-level AUC reaches 8 on FF++, 9 on DFD, 0 on CelebDF, and 1 on DeeperForensics-1.0, with JPEG compression from quality factor 100 to 20 causing at most a 2 AUC drop. Its stated limitation is scope: it targets face-swap forgeries with noticeable identity loss and fails on reenactment methods that leave core identity intact.
ID-Reveal instead models how a person moves while talking in video (Cozzolino et al., 2020). After face detection and cropping, each frame is regressed to a 62-dimensional 3DMM coefficient vector consisting of 40 shape, 10 expression, and 12 rigid-pose parameters. A purely convolutional 1D Temporal ID Network with dilated convolutions maps the resulting sequence to 128-dimensional per-frame embeddings with a temporal receptive field of about 51 frames. Metric learning on real videos only brings genuine pairs closer than imposters, while an adversarial 3DMM Generative Network forces the encoder to rely on motion rather than static appearance. At inference, the detector computes
3
against a small gallery of pristine references for the claimed identity and thresholds the result. On DFD facial reenactment, it reports 4 accuracy with AUC 5 in HQ and 6 accuracy with AUC 7 in LQ, with more than 15 points of improvement in accuracy over the best supervised approach on high-compressed videos. Here the identity signal is temporal and behavioral rather than appearance-based.
The individualized public-figure detector takes a third route by exploiting near-idempotency under double neural-network operations (Rahman et al., 2023). For each public figure, a small autoencoder 8, trained in a Faceswap-GAN style on that person’s real videos, reconstructs or simulates deepfake generation for that identity. The method assumes 9 for already fake samples but 0 for authentic ones. An identity-aware feature extractor 1, initialized from a ResNet pretrained on 10M unlabeled faces and fine-tuned via teacher–student distillation, is concatenated with an explicit identity decoder, and two decoupled Siamese MLP branches embed pairs into 2. Training uses a two-pair contrastive loss that pushes authentic versus reconstructed pairs apart while pulling reconstructed versus twice-reconstructed pairs together. On a dataset of approximately 32K images from 45 public figures, it reports AUC 3, compared with 4 for EfficientNetAutoAttB4ST and 5 for Xception, together with a 17% reduction in standard deviation relative to the EfficientNet baseline.
Taken together, these three methods show that the identity-aware detection motif can be instantiated through residual identity drift, person-specific temporal dynamics, or identity-conditioned idempotency. A plausible implication is that the recurring attachment of the “FakeIDet2” label to such systems reflects a shared emphasis on identity as the invariant around which forgery evidence is organized, even though the underlying architectures and application domains differ substantially.