By NHI Mgmt Group Editorial Team. Published 2026-03-04. Domain: Governance & Risk. Source: Okta

TL;DR: Generative AI and deepfakes have made visual identity verification increasingly unreliable, while mobile driver’s licenses replace probabilistic selfie checks with cryptographic proof of issuer signature, device possession, and user activation, according to Okta. The shift matters because identity assurance is moving from image matching to deterministic verification that is harder to spoof and easier to govern.


At a glance

What this is: This analysis argues that mobile driver’s licenses replace selfie-based ID verification with cryptographic evidence that is harder to fake and easier to trust.

Why it matters: For IAM and NHI teams, the shift matters because assurance, binding, and user activation are becoming policy problems, not image-processing problems.

By the numbers:

👉 Read Okta's analysis of mobile driver’s licenses and identity verification


Context

Identity verification has long depended on visual inspection, but that model breaks down when AI can generate convincing fake documents and face video at scale. The core governance issue is the same one IAM teams face with non-human identities: if trust depends on what can be imitated, the control is already weaker than the threat model.

This post treats mobile driver’s licenses as a proof point for a broader identity shift. The central question for practitioners is not whether selfies are inconvenient, but whether a probabilistic check can still carry assurance in environments where cryptographic evidence is available and policy can enforce stronger binding.


Key questions

Q: How should organisations handle identity verification when deepfakes can mimic real users?

A: Organisations should stop treating visual similarity as proof of identity and move high-risk workflows toward cryptographic verification, issuer trust, and device-bound proof of possession. Deepfakes are a scaling problem, so the control needs to fail closed when evidence can be simulated. Use selfies only where the business impact of a false accept is low.

Q: What is the difference between probabilistic and deterministic identity verification?

A: Probabilistic verification estimates whether an identity claim is likely true, usually through image or behaviour matching. Deterministic verification checks a signed claim, a trusted issuer, or a device-bound credential and can return a clear accept or reject. For higher-risk identity decisions, deterministic controls reduce ambiguity and make policy enforcement easier.

Q: When should teams replace selfie checks with stronger evidence?

A: Teams should replace selfie checks when fraud cost is high, when identity is used for account recovery or privileged access, or when stronger issuer-backed credentials are available. If the workflow depends on guessing whether a face or document is genuine, the control is already behind the threat. Stronger evidence should be the default for material decisions.

Q: Why does device binding matter in modern identity assurance?

A: Device binding matters because it turns possession into a verifiable property instead of an assumption. If a credential is stored in non-extractable hardware-backed keys and requires user activation, it is harder to copy, replay, or share remotely. That gives identity systems a stronger basis for trust than a self-declared or visually inspected claim.


Technical breakdown

Why probabilistic identity checks fail under AI-generated fraud

Traditional IDV uses image comparison, liveness checks, and confidence scores to infer whether a presented identity document and face belong together. That works only when the input data is difficult to forge. Generative AI collapses that assumption by producing realistic images, synthetic faces, and manipulated video that satisfy the detector without proving identity. The problem is not just accuracy. It is that the security model depends on visual evidence that can be fabricated faster than humans or models can reliably distinguish it.

Practical implication: treat visual verification as a weak signal unless it is backed by stronger issuer and device assurance.

How cryptographic credentials change identity assurance

A mobile driver’s license is a verifiable digital credential, not an image of a card. The issuer signs the credential, and the verifier checks that signature before accepting the data. That replaces guesswork with deterministic validation. If a single field changes, signature verification fails. This is materially different from document scanning because the relying party is not deciding whether a picture looks real. It is verifying that an authorised issuer created the credential and that the credential has not been altered.

Practical implication: move assurance logic from visual matching into policy that validates signed claims and issuer trust.

Device binding and user activation in the mDL flow

mDLs also shift holder binding away from external biometric review and into the device. The credential is stored behind non-extractable keys, typically in a secure element, and the user must unlock the wallet to present it. That means possession and user presence are enforced at presentation time, not inferred later from a selfie. For identity systems, this matters because the verifier can rely on hardware-backed presentation rather than collecting biometric data or building a remote liveness pipeline.

Practical implication: align assurance policy with device-bound presentation events instead of adding more friction at the verifier.


Threat narrative

Attacker objective: The attacker’s objective is to obtain a trusted account or access path by passing an identity check that cannot distinguish synthetic evidence from legitimate evidence.

  1. Entry begins when an attacker uses AI-generated documents or face video to defeat legacy visual identity verification.
  2. Escalation occurs when the verifier accepts a probabilistic match as sufficient proof of holder identity.
  3. Impact is account creation or takeover using a false identity that passed a weak assurance workflow.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cryptographic identity evidence is replacing visual approximation as the security baseline. The practical lesson from mDL adoption is that assurance should come from issuer signatures, device binding, and user activation rather than image similarity. That is a better fit for an environment where AI can manufacture convincing visual evidence on demand. Practitioners should treat this as a control-design shift, not a UX enhancement.

Probabilistic verification creates governance debt because it cannot produce a hard yes or no. A confidence score is useful for triage, but it is a weak basis for high-assurance access decisions. In IAM terms, this is the same failure mode seen in loosely governed secrets and service accounts: if the control cannot prove the claim, the policy layer inherits the uncertainty. Practitioners should prefer deterministic evidence wherever the ecosystem supports it.

Holder binding must move closer to the credential, not the verifier. mDLs show that the strongest place to bind a credential is on the device at presentation time, with platform authentication enforcing user presence. That reduces data collection at the verifier and narrows the attack surface around remote biometric storage. Practitioners should use the same principle when designing NHI controls: bind authority as near as possible to the entity that will exercise it.

AI-driven fraud makes stronger evidence classification a governance requirement, not a feature choice. Once an assurance method can be replayed, spoofed, or simulated at scale, it no longer belongs in the trusted path for high-value identity decisions. The mDL model demonstrates that policy can distinguish strong from superior evidence, and that distinction matters for risk acceptance. Practitioners should update assurance policy before fraud pressure forces the change for them.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means identity assurance failures often persist because teams cannot see the full estate.
  • The same governance pattern appears in Ultimate Guide to NHIs and OWASP Non-Human Identity Top 10: weak visibility turns control design into guesswork.

What this signals

Assurance policy will increasingly shift from image-based review to evidence-based acceptance. Practitioners should expect identity journeys to split into low-assurance convenience paths and high-assurance cryptographic paths, especially where fraud losses are material. That also means verification teams need clearer rules for when a claim is accepted because it was signed, not because it looked real.

With 97% of NHIs carrying excessive privileges, the broader lesson is that weak assurance almost always becomes a privilege problem later, whether the subject is a person or an autonomous system. If identity proof is uncertain at enrolment, downstream access decisions inherit that uncertainty. Teams should tighten assurance at the point of trust creation, not after access is already granted.

Identity blast radius: when assurance is weak, the blast radius is not limited to the onboarding workflow. It propagates into account recovery, fraud review, privilege assignment, and audit defensibility. Teams should map where probabilistic checks still sit in high-impact journeys and replace them before those paths become compliance exceptions.


For practitioners

  • Reclassify visual checks as low-assurance signals: Map selfie and liveness workflows to low-assurance use cases only, then require stronger evidence for onboarding, recovery, and step-up access where fraud impact is material.
  • Separate issuer trust from presentation trust: Write policy that validates signed issuer claims independently of the user interface path, so the verifier can reject altered or replayed evidence without relying on image analysis.
  • Minimise biometric collection at the verifier: Prefer device-side user activation and hardware-backed presentation over storing or processing biometric data in central identity systems, especially for remote identity journeys.
  • Align assurance tiers to business risk: Use higher-assurance evidence for regulated onboarding, account recovery, and privileged access flows, then document where lower-assurance signals are acceptable and where they are not.
  • Review fraud assumptions in identity policy: Test whether your current workflow still depends on a human or model guessing at authenticity, then replace that dependency wherever deterministic verification exists.

Key takeaways

  • AI-generated evidence has pushed selfie-based verification to its practical limit in high-risk identity workflows.
  • Cryptographic credentials shift trust from visual guesswork to issuer signatures, device binding, and user activation.
  • Practitioners should reserve probabilistic checks for low-risk cases and move material decisions to deterministic assurance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | | The article centers on assurance evidence and IAL2 identity verification.
NIST CSF 2.0 | PR.AC-1 | Identity proofing informs who can be trusted to access systems and data.
OWASP Non-Human Identity Top 10 | NHI-01 | The article's assurance model parallels weak trust in identity artifacts and credentials.

Map high-risk identity journeys to NIST SP 800-63 evidence levels and require stronger proof for critical flows.


Key terms

  • Mobile Driver’s License: A mobile driver’s license is a digitally issued identity credential stored in a wallet on a user device. It is not a photo of a card. The credential is signed by the issuer and can be presented in a way that proves authenticity, possession, and user presence.
  • Verifiable Digital Credential: A verifiable digital credential is structured identity data that can be checked cryptographically by a relying party. Instead of relying on visual inspection, the verifier validates issuer signatures and presentation rules, which gives the control a clearer trust basis than an image-based document.
  • Holder Binding: Holder binding is the process of tying a credential to the person using it. In modern identity systems, that binding can be enforced by device authentication and cryptographic presentation rather than by comparing a face to a photo. It is central to higher-assurance identity verification.
  • User Activation: User activation is the step where the device owner unlocks a credential or wallet before presentation. It proves that a live user authorised the action at that moment, which strengthens assurance and reduces the need for the verifier to collect or store biometric data.

Deepen your knowledge

Cryptographic identity verification, mobile driver’s licenses, and evidence-based assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing high-assurance identity flows with similar trust and binding problems, it is worth exploring.

This post draws on content published by Okta: mobile driver’s licenses and the move from selfie checks to cryptographic identity verification. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org