TL;DR: As State Bank of Vietnam Decision 2345 raises biometric assurance expectations for online transactions, MoMo is deploying Dynamic Liveness to strengthen remote identity verification against deepfakes and digital injection attacks, according to iProov research. The core issue is not biometrics alone, but whether verification can still prove a real, present person when AI makes impersonation cheaper and more convincing.
At a glance
What this is: This is a product announcement about biometric liveness for remote identity verification, with the key finding that AI-driven fraud now requires stronger proof of presence in financial transactions.
Why it matters: It matters to IAM practitioners because fraud controls, customer authentication, and identity proofing increasingly overlap across human identity, NHI-assisted attack tooling, and regulated financial workflows.
Context
Remote identity verification fails when a system cannot distinguish a live person from a synthetic impersonation. In financial services, that gap is no longer theoretical because deepfakes and digital injection attacks now target the trust layer that binds authentication, account recovery, and transaction approval together.
For IAM teams, the practical question is how assurance holds up when AI can fabricate a convincing face or video stream at the point of verification. That shifts biometric design from convenience and friction reduction toward risk control, regulatory defensibility, and stronger evidence that the person on screen is genuinely present.
Key questions
Q: How should security teams use liveness checks in high-risk identity journeys?
A: Security teams should reserve stronger liveness checks for account opening, recovery, and high-value transactions where impersonation would create material loss. The control should prove presence at the moment of verification, not just compare a face to an enrolment record. That makes liveness an assurance gate, not a cosmetic layer in the login flow.
Q: Why do deepfakes create a different risk than ordinary credential theft?
A: Deepfakes attack the evidence used to grant trust, while credential theft attacks the secret used to get access. In practice, that means a fraudster may bypass weak identity proofing without ever stealing a password or token. Organisations need controls that detect synthetic media and injected sessions before the identity decision is finalised.
Q: What signals show that biometric verification is not strong enough?
A: Common warning signs include repeated verification success from unusual devices, inconsistent session behaviour, low challenge completion quality, and fraud losses despite passing biometric checks. If the same identity proofing path is used for both low-risk and high-risk actions, the programme is probably over-trusting a single control. Measure outcomes by fraud reduction, not just completion rates.
Q: Who should own biometric assurance decisions in a financial services programme?
A: Ownership should sit across IAM, fraud operations, security architecture, and compliance because biometric assurance affects identity risk and regulatory evidence at the same time. The control is too consequential to live only inside a product team or only inside fraud review. Clear ownership should define what level of proof is required for each user journey.
Technical breakdown
Why dynamic liveness matters in remote biometric verification
Dynamic liveness checks whether the person presenting to camera is physically present in the moment rather than replaying a photo, video, or synthetic image. In remote onboarding and transaction approval, that distinction matters because static biometrics can be copied, replayed, or injected into the session. Systems like this usually combine challenge-response prompts, timing checks, and sensor signals to make spoofing harder. The goal is not perfect identity certainty, but materially higher confidence that the biometric sample comes from a live human at the point of use.
Practical implication: place liveness at the exact point where account trust is created or renewed, not only at initial signup.
Digital injection attacks and deepfake fraud paths
Digital injection attacks bypass the camera itself by feeding synthetic or manipulated media into the verification pipeline. Deepfakes go a step further by creating highly convincing facial or voice impersonations that can defeat weaker presence checks. In practice, the attack surface spans capture device, application layer, and backend decisioning, so defenders need controls that validate the authenticity of the session as well as the image. The important distinction is between seeing a face and proving the capture is live, local, and untampered.
Practical implication: treat the capture channel as part of the trust boundary and test for injected media, not just identity mismatch.
Biometric assurance and financial transaction risk
Biometric assurance is the level of confidence a system can assign to a claimed identity before it allows a higher-risk action. In payments and fintech, that often determines whether a user can enroll a device, recover an account, or approve a transaction. Strong assurance matters because fraudsters do not need to own the whole account if they can pass the identity step once. The article’s regulatory context also shows that assurance is becoming a compliance question, not only a fraud-prevention question.
Practical implication: map biometric assurance to transaction risk tiers and regulatory obligations rather than using one verification path for all actions.
NHI Mgmt Group analysis
Dynamic liveness is becoming a control for proving presence, not merely identity. The article shows that synthetic media has pushed verification beyond matching a face to an enrolment record. In financial services, the real governance question is whether the system can prove the person is present at the moment of challenge. Practitioners should treat that as a distinct assurance requirement, not a cosmetic upgrade to biometric login.
Decision 2345 signals that biometric assurance is moving from fraud policy into regulated identity control. Once stronger biometric authentication is mandated for online transactions, the identity function stops being a front-end convenience layer and becomes part of compliance evidence. That changes governance ownership, testing expectations, and auditability across fintech and payments programmes. Teams need controls that can stand up to both fraud review and regulatory scrutiny.
Proof-of-presence is the named concept this market is converging on. Dynamic liveness, deepfake resistance, and injection detection all point to the same requirement: the verifier must establish that a real human was present at the time of the interaction. That requirement is becoming a baseline for high-risk remote transactions, especially where AI can manufacture convincing false inputs. Practitioners should stop treating biometric checks as identity matches alone and start treating them as presence evidence.
Human identity assurance and NHI-driven fraud tooling are now part of the same attack economy. The article’s focus on generative AI-driven fraud shows that machine-assisted deception is increasingly aimed at human verification workflows. That matters because the defender is not just securing a login journey, but a broader trust chain where synthetic content, automation, and account abuse reinforce one another. Security leaders should evaluate identity controls as part of a blended fraud and IAM operating model.
Financial services will keep pulling identity controls toward higher assurance thresholds. As regulators and fraud patterns tighten the acceptable error rate, weaker passive checks will become harder to defend in high-risk journeys. That does not mean every flow needs the same control stack, but it does mean trust decisions must be risk-tiered and evidence-backed. Practitioners should align assurance strength to transaction value, account sensitivity, and local regulatory expectations.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, according to the same research, which shows that governance investment is moving from awareness to execution.
- For a broader control lens, read Ultimate Guide to NHIs for the governance and lifecycle foundations that underpin identity assurance programmes.
What this signals
Proof-of-presence will become a baseline control in any regulated journey where synthetic media can influence trust. As biometric assurance rises in importance, teams should expect the same control to be judged through fraud, IAM, and audit lenses rather than as a standalone feature.
The sharper programme question is whether your current verification stack distinguishes live interaction from a convincing replay. If it does not, the control may be reducing friction while leaving the trust boundary exposed.
Identity teams that already govern third-party access and lifecycle risk should extend the same discipline to biometric assurance decisions, using NIST Cybersecurity Framework 2.0 as the organizing model for governance, detection, and response.
For practitioners
- Define assurance tiers for remote verification: Map onboarding, recovery, and transaction approval flows to different assurance levels so high-risk actions require stronger proof of presence than low-risk actions.
- Test for injected media and synthetic replay: Run fraud tests that simulate deepfakes, replayed video, and digitally injected camera feeds to confirm the verification path detects tampering before approval.
- Align biometric controls to regulatory evidence: Document how liveness, transaction risk, and audit evidence satisfy local biometric authentication requirements in regulated payment journeys.
- Separate presence proof from identity match: Review whether current controls only confirm a likeness or actually prove the user was live, local, and interacting at the time of verification.
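One way to express the risk-tiered gate described under "Biometric assurance and financial transaction risk" and in the list above, as an added example that is not iProov's or MoMo's implementation. The journey names, thresholds and `Evidence` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Illustrative tiers and thresholds; assumed values, not taken from Decision 2345 or iProov.
POLICY = {
    "login":              {"presence": False, "min_match": 0.80, "max_age_s": 0},
    "device_enrolment":   {"presence": True,  "min_match": 0.90, "max_age_s": 120},
    "account_recovery":   {"presence": True,  "min_match": 0.90, "max_age_s": 120},
    "high_value_payment": {"presence": True,  "min_match": 0.95, "max_age_s": 60},
}

@dataclass
class Evidence:
    match_score: float      # similarity to the enrolment record (identity match)
    liveness_passed: bool   # result of the challenge-response (presence proof)
    challenge_id: str       # server-issued nonce echoed back with the capture
    capture_attested: bool  # capture-channel integrity signal (hypothetical field)

def decide(journey, ev, open_challenges, now):
    """Return (allowed, reasons). open_challenges maps nonce -> server issue time."""
    rule = POLICY.get(journey)
    if rule is None:
        return False, ["unknown journey: fail closed"]
    reasons = []
    if ev.match_score < rule["min_match"]:
        reasons.append("identity match below tier threshold")
    if rule["presence"]:
        # pop() makes each challenge single-use, so a replayed session is rejected.
        issued_at = open_challenges.pop(ev.challenge_id, None)
        if issued_at is None:
            reasons.append("challenge unknown or already used")
        elif now - issued_at > rule["max_age_s"]:
            reasons.append("presence proof is stale")
        if not ev.liveness_passed:
            reasons.append("liveness check failed")
        if not ev.capture_attested:
            reasons.append("capture channel not attested")
    return not reasons, reasons

if __name__ == "__main__":
    # Constructed sample: strong likeness, but no presence evidence at all.
    lookalike = Evidence(0.99, False, "n-0", False)
    print(decide("login", lookalike, {}, now=1000.0))
    print(decide("high_value_payment", lookalike, {}, now=1000.0))
```

The constructed sample passes the low-risk tier on likeness alone and is denied at the high-risk tier, which is the difference between an identity match and presence evidence that the list item draws.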
Key takeaways
- AI-generated impersonation is changing biometric verification from a convenience control into a high-assurance trust gate.
- The most relevant failure is not a weak face match, but a verification flow that cannot prove the user was genuinely present.
- Practitioners should align liveness strength, fraud testing, and regulatory evidence to the risk level of each identity journey.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Biometric assurance supports identity verification before access or transaction approval. |
| NIST SP 800-63 | | Remote proofing and authenticator assurance are central to biometric transaction flows. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous confidence, not a one-time trust event at login. |
Tie liveness checks to access decisions and document the assurance level required for each journey.
Key terms
- Dynamic Liveness: A biometric verification method that checks whether a real person is physically present during capture. It tries to defeat photo, video, replay, and synthetic-media attacks by assessing live interaction signals rather than relying only on facial similarity.
- Digital Injection Attack: An attack in which manipulated or synthetic media is inserted into a verification pipeline instead of being captured directly from the camera. The goal is to make a fraudulent input look like a legitimate live session and pass identity checks without an actual person present.
- Biometric Assurance: The level of confidence a system has that a biometric event truly represents the claimed person at the required moment. In regulated and high-risk workflows, it becomes an identity control, a fraud control, and an audit signal at the same time.
This post draws on content published by iProov: MoMo deploys Dynamic Liveness to counter AI-driven fraud in Vietnam. Read the original.
Published by the NHIMG editorial team on 2025-09-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org