Introduction to the IAL3 Biometric Spoofing Challenge

Trust Swiftly is a pioneer in advanced identity verification. To prove the resilience of our systems, we are announcing a $100,000 Spoof Challenge to rigorously test the biometric security of our NIST IAL3 Identity Verification solution.

We invite skilled security researchers, ethical hackers, and red-teamers to attempt to bypass our identity systems. Due to the rise of Generative AI, threat actors can now bypass most standard remote solutions. IAL3 (Identity Assurance Level 3) is the next frontier in security, and we are committed to offering a solution that is both accessible and future-proof.

The Scenario: "Project Obscura"

Role: Remote Quantum Engineer
Company: Obscura (Fictitious Advanced Tech Firm)
Objective: You are applying for a high-security remote position. The role requires access to classified systems, necessitating a rigorous NIST IAL3 identity-proofing process.

You have already passed the interview. To get the job (and the bounty), you must fake your way through the identity verification using another person's identity or synthetic media, while working as a lone threat actor within the US.

Challenge Objective

Your goal is to bypass the Trust Swiftly IAL3 biometric verification process using advanced spoofing techniques (Presentation Attacks, Deepfakes, Injection). You must demonstrate the ability to impersonate another individual in a remote, in-person, supervised environment.

Prize Structure & Grading

Awards are based on the level of bypass achieved. Only attempts that successfully bypass IAL2 and reach the IAL3 stage are eligible.

Grading System (IAL3 Stage)

  • A+ (Full Bypass – Up to $100,000): Successfully spoofs all biometric evidence collected during the IAL3 session and meets NIST SP 800-63 requirements.
  • B (Limited Bypass – Up to $25,000): Demonstrates significant progress in spoofing multiple biometrics (including facial) and showcasing potential vulnerabilities, but does not entirely bypass all NIST requirements.
  • C and Below (Fail): No discernible attempt at biometric spoofing or easily detected attempts.

Important Note: The final grade is determined by Trust Swiftly's review team based on the recorded IAL3 session and submitted documentation. IAL2 is expected to be bypassed as part of the qualification process and does not result in compensation.

Rules and Guidelines

1. Eligibility

  • Open to individuals aged 21+ with a USA identity.
  • Employees/Contractors of Trust Swiftly are ineligible.

2. Entry Fee (IAL3 Stage Only)

There is no cost to attempt the IAL2 stage.

  • Upon passing IAL2 and being invited to IAL3, a $500 USD fee is required.
  • This fee covers the hard costs of human experts grading the IAL3 attempt.
  • Refund Policy: The fee is refundable if a significant bypass (Grade A or B) is discovered.

3. Attempt Limits & Security

  • One Attempt Only: You get one shot at the full IAL2/IAL3 cycle to prevent reverse engineering.
  • Biometric Ban: Your biometrics will be recorded. Future attempts using your real biometrics will be flagged. Data is deleted post-challenge.

Scope of the Challenge

In Scope

  • Presentation attacks (photos, masks, deepfakes).
  • Replay attacks & Injection attacks.
  • Synthetic voice generation & cloning.
  • Use of commercially available hardware (under $10k).

Out of Scope

  • Credential compromise (hacking accounts).
  • XSS, SQL Injection, web app vulnerabilities.
  • Social engineering (phishing employees).
  • DDoS / Infrastructure attacks.
  • Physical tampering with Kiosks (unless instructed).

Technical Requirements

  • Reproducibility: Solution must be reproducible and cost-effective (<$10,000 USD).
  • Documentation: You must document all tools, versions, and methodologies.
  • Screen Recording: For IAL2, you must record your screen showing both the input stream (spoof attempt) and the output stream.

Challenge Process: IAL2 to IAL3

[Figure: Deepfake Spoofing Process Flowchart]

Stage 1: IAL2 Remote Proofing (Qualifier)

  • Register: Visit the Application Page.
  • Execute: Complete the remote identity verification using your webcam/mic and spoofing tools.
  • Result: If you fool the system, you are invited to Stage 2.

Stage 2: IAL3 Remote Supervised Kiosk

  • Schedule: Pay the entry fee and book a slot (9AM - 5PM EST).
  • Location: We will designate a secure coworking space or office near you (US only).
  • The Attack: You will go to the kiosk. You will interact remotely with a Trust Swiftly agent via the kiosk. You must use your spoofing tools/methodology during this 10-15 minute session under supervision.

FAQ

  • How do you prevent cheating?
    Anti-spoofing techniques are dynamic. We verify your real biometrics before the IAL3 review to ensure the spoofed data is indeed different from your actual identity.
  • Will I get feedback?
    Generally, no, unless the attack is novel enough to warrant a debrief for security research purposes.

Disclaimer: Trust Swiftly reserves the right to modify these rules. Participation constitutes acceptance of terms.

Ready to break the unbreakable?

Prove your skills and help secure the future of digital identity.