Biometrics systems under spoofing attack: an evaluation methodology and lessons learned