Abstract: Existing adversarial attacks for face anti-spoofing predominantly assume that the model parameters are fully known, and often overlook the transferability of adversarial examples across ...