Subscribe to the Non-Human & AI Identity Journal

How can organisations reduce fraud from synthetic faces and face swaps?

Shift from standalone verification decisions to session-level risk evaluation. Correlate capture quality, camera behaviour, document checks, and repeat patterns across attempts so synthetic identities and swapped faces are easier to separate from legitimate users.

Why This Matters for Security Teams

Synthetic faces and face swaps turn identity proofing into a moving target. A single “match” decision is no longer enough when attackers can present a real document, a convincing synthetic selfie, and a replayed or swapped face in separate steps. Current guidance suggests treating these events as a fraud and session-risk problem, not just a biometric accuracy problem. Controls that work only at enrollment are weaker once an attacker can iterate attempts, vary devices, or route traffic through automation.

Security teams should anchor decisions in layered evidence and policy, using sources such as Ultimate Guide to NHIs for identity lifecycle thinking and NIST SP 800-53 Rev 5 Security and Privacy Controls for control mapping. The practical lesson is that a face image should never carry the full trust burden by itself.

In practice, many security teams encounter synthetic face fraud only after attackers have already tested the process enough times to find the weakest step.

How It Works in Practice

The most effective approach is to score the full verification session instead of judging the selfie in isolation. That means combining document authenticity, liveness signals, device integrity, capture timing, image consistency, and repeat-attempt patterns into one runtime risk decision. When those signals are evaluated together, it becomes harder for a swapped face or generated portrait to pass as a legitimate user.

Useful signals include:

  • Camera and sensor behaviour that changes under screen replay or injected media
  • Face and document mismatch across retries, devices, or network locations
  • Unusual velocity, such as many failed attempts from related infrastructure
  • Session coherence checks that compare the current capture with earlier steps
  • Step-up review when confidence drops rather than automatic denial or acceptance

This is where policy matters. NIST control language around verification strength and risk-based access decisions can support a stronger workflow, while the broader NHI guidance in Ultimate Guide to NHIs helps teams think about identity as something to govern across its whole lifecycle, not only at first proofing. In practice, teams should also maintain clear thresholds for manual review, document escalation paths, and retain evidence needed for fraud analysis and model tuning.

Where possible, decisions should be context-aware and time-bounded rather than static. That means using current risk, not just a one-time match score, to decide whether the session continues, steps up, or stops. These controls tend to break down in high-volume onboarding funnels because attackers can adapt quickly to fixed thresholds and exploit inconsistent reviewer decisions.

Common Variations and Edge Cases

Tighter face verification often increases user friction, requiring organisations to balance fraud reduction against abandonment and support load. That tradeoff is real, especially for mobile-first onboarding, low-bandwidth users, and accessibility-sensitive populations. Best practice is evolving, and there is no universal standard for how much biometric resistance is enough in every environment.

Some environments need special treatment. Remote onboarding for financial services may justify stronger liveness checks, while low-risk account recovery may rely more on device history, prior session behaviour, or alternate proofing factors. Face-swap fraud also becomes harder to separate from legitimate edge cases when users change appearance, use assistive technology, or share devices with family members. Those situations require careful exception handling, not blanket rejection.

Organisations should also watch for models and vendors that overstate “deepfake detection” as a standalone fix. Fraud teams get better results when face verification is one control in a broader session-risk program that includes step-up authentication, human review for borderline cases, and continuous feedback from confirmed fraud outcomes. The NHI lesson from Ultimate Guide to NHIs still applies: identity trust weakens fast when privileges, evidence, and review are not continuously governed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-01 Supports stronger identity verification tied to assurance and authentication outcomes.
NIST AI RMF Risk governance is needed where biometric and model decisions affect identity outcomes.
OWASP Non-Human Identity Top 10 NHI-04 Identity trust should not rely on a single static factor or weak lifecycle controls.
OWASP Agentic AI Top 10 AIA-03 Fraud automation often chains tools and retries, mirroring agentic attack behaviour.
CSA MAESTRO GOV-2 Governance should define fraud decision ownership, escalation, and control testing.

Tie face-proofing decisions to assurance levels and require step-up checks when risk increases.