TL;DR: Synthetic impersonation is shifting breaches toward login and verification abuse. Gartner found that 62% of organisations experienced a deepfake attack in the past year, and iProov says it surpassed one million daily transactions in 2025. Legacy identity controls are now being tested at the point of human authenticity, not at the network edge.
At a glance
What this is: iProov’s 2025 year-in-review and product update, which positions high-assurance identity verification as a frontline defence against deepfakes and synthetic impersonation.
Why it matters: IAM teams have to rethink how human authentication, fraud controls, and identity proofing hold up when attackers can fabricate convincing media at scale.
By the numbers:
- iProov surpassed one million daily transactions in 2025.
- 62% of organizations experienced a deepfake attack in the past year.
- Only 0.1% could accurately identify deepfake media in independent research among 2,000 consumers.
Context
Identity verification is under pressure because synthetic media has made impersonation cheap, fast, and convincing. For human IAM, the issue is no longer only whether a user knows a password or completes MFA, but whether the person on the screen is real, live, and present at the point of access.
That shift matters across customer, workforce, and high-assurance onboarding flows. When attackers can bypass weak checks with face swaps, virtual cameras, or replayed video, traditional authentication controls become easier to route around than to break outright.
Key questions
Q: How should organisations handle deepfake risk in human identity verification?
A: Treat deepfake risk as a verification integrity issue, not just a fraud problem. Use liveness testing, anti-replay controls, and proofing methods that can distinguish a real human from synthetic media. Then align the strongest checks to the highest-risk enrolment, recovery, and transaction flows so impostors cannot turn a convincing image into trusted access.
Q: Why do biometric controls still fail against impersonation attacks?
A: Biometrics fail when they verify resemblance instead of presence. If the control does not test for live human activity, an attacker can use deepfakes, injected video, or replayed media to satisfy the system. The failure is usually in the assurance model, not the biometric concept itself.
Q: How can security teams know whether identity verification is actually working?
A: Look for evidence that the control survives adversarial testing, not just internal demos. Strong signals include resistance to face swaps, virtual cameras, and replay attacks, plus consistent outcomes in accredited tests and real-world fraud monitoring. If those signals are missing, the programme is assuming trust rather than proving it.
Q: Who is accountable when a deepfake bypasses identity controls?
A: Accountability usually sits with the team that owns identity assurance, fraud controls, and recovery design together, because the failure spans multiple governance boundaries. If the programme allowed weak proofing, weak liveness, or weak recovery paths, the control owner must treat that as an identity governance gap, not an isolated incident.
Technical breakdown
Deepfake-driven identity attacks and biometric MFA
Deepfake-driven fraud changes the attack surface from credential theft to authenticity theft. Instead of stealing a password, attackers can use synthetic media, face swaps, or injected video streams to satisfy weak proofing steps and impersonate a legitimate user. Biometric MFA can raise the bar when it includes liveness and presentation-attack resistance, but it only works if the control tests for a real human presence, not just a matching image. The article’s examples show that verification quality matters more than the channel name. Practical implication: teams should test whether their identity proofing actually resists synthetic media, not just whether it adds another step.
Practical implication: validate identity proofing against deepfake, replay, and injection attacks, not only against password theft.
Synthetic identity fraud in onboarding and account recovery
Onboarding and account recovery are high-value targets because they often sit outside steady-state authentication flows. Once an attacker convinces a system that a synthetic persona is real, the breach can turn into a durable account foothold that is hard to unwind. The article’s references to KYC weakness and synthetic identities show a familiar pattern: trust is granted too early, then reused later in the lifecycle. That is an IAM and fraud-prevention problem at the same time. Practical implication: tighten proofing and recovery controls where identity is first established or re-established.
Practical implication: harden onboarding and account recovery with stronger proofing, step-up checks, and challenge diversity.
Why identity is becoming the perimeter
When breaches are described as ‘logging in’ rather than ‘breaking in’, the technical meaning is clear. Identity becomes the control plane that decides whether a person is admitted, and a weak trust decision at that point can defeat downstream network and application controls. For human identity programmes, this pushes identity assurance closer to fraud analytics, device signal review, and continuous verification. The article’s emphasis on independent testing also reflects a market reality: assurance claims are not enough without evidence. Practical implication: treat identity verification as a live security control, not a one-time registration step.
Practical implication: move identity assurance into continuous, evidence-backed controls rather than one-time enrollment checks.
Threat narrative
Attacker objective: The attacker aims to convert fabricated identity signals into trusted access that can be monetised through account takeover, fraud, or persistent impersonation.
- Entry begins when an attacker uses synthetic media, a virtual camera, or face-swap content to pose as a legitimate human during verification.
- Credential access or abuse follows when weak liveness checks or compromised onboarding flows accept the impostor and create a trusted account state.
- Impact occurs when the fake identity is used to open accounts, recover access, or move into fraud and account takeover at scale.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
Deepfake resilience is now an identity assurance requirement, not a fraud specialist add-on. When synthetic media can imitate a person convincingly enough to satisfy weak verification, human IAM inherits a new failure mode: authenticity can no longer be inferred from appearance alone. The practical implication is that identity programmes must evaluate proofing strength as a security control, not just a user experience feature.
Biometric verification only changes the control outcome when it tests for live human presence. A face match without robust liveness, anti-injection, and anti-replay testing does not resolve the underlying trust problem; it only relocates it. For identity governance teams, that means assurance claims need to be tied to test evidence, not vendor terminology.
Identity has become the most attackable point in the digital trust chain because attackers now prioritise logging in over breaking in. That shift makes authentication the new perimeter for customer, workforce, and high-risk transaction flows. Practitioners should treat the verification layer as a core control domain alongside PAM, fraud, and account recovery governance.
Human authenticity is becoming a named control concept that security teams should manage explicitly. The article’s central pattern is not just deepfake exposure, but the need to distinguish a real, present person from a convincing synthetic proxy. That distinction belongs in policy, proofing design, and assurance testing, because identity trust breaks when the system confuses likeness with legitimacy.
Independent validation is becoming part of identity governance itself. In a market filled with self-asserted deepfake defences, teams need evidence from accredited testing, standards alignment, and repeatable adversarial validation. The practitioner conclusion is straightforward: if the control cannot survive synthetic impersonation tests, it is not yet ready to anchor high-risk human access.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The same identity trust problem is visible in non-human programmes, so practitioners should pair human verification controls with Ultimate Guide to NHIs for lifecycle, rotation, and offboarding governance.
What this signals
Human authenticity is becoming a governance boundary, not just a biometrics issue. As deepfakes get harder to distinguish from genuine interaction, identity teams need a programme that spans proofing, recovery, fraud response, and step-up verification. The practical risk is that organisations keep hardening the login screen while leaving the trust decision underneath it unchanged.
With 79% of organisations having experienced secrets leaks, and 77% of those incidents causing tangible damage, the broader lesson is that identity compromise now produces business impact quickly, whether the subject is a human user or a non-human credential. The control model needs to shift from static acceptance to evidence-backed assurance across the identity lifecycle.
Human authenticity debt: the accumulation of weak proofing, weak recovery, and untested biometric assumptions that lets synthetic impersonation bypass governance. Teams that recognise this pattern early can align it with standards such as NIST SP 800-63 Digital Identity Guidelines and design for stronger assurance at the points that matter most.
For practitioners
- Test proofing against synthetic media attacks: Run red-team style checks for face swaps, replayed video, virtual camera injection, and other presentation-attack techniques before relying on biometric MFA for high-risk flows.
- Separate onboarding trust from account recovery trust: Use stronger evidence requirements for first-time enrolment and for recovery, because attackers often target the weaker of the two steps to create durable access.
- Require liveness and anti-injection evidence: Do not accept a biometric or selfie match as sufficient on its own. Verify that the control can detect live human presence and resist operating-system level video injection.
- Map high-assurance verification to risk-tiered access: Reserve the strongest identity assurance for sensitive customer, workforce, and transaction flows where impersonation would create the most downstream damage.
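The checks in the list above, expressed as a server-side decision function. This is an added example, not code from iProov or NHI Mgmt Group; the flow names, evidence keys, `REQUIRED` policy and 60-second TTL are assumptions, and the signed single-use challenge stands in for an anti-replay control by stopping a captured verification exchange from being resubmitted.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)  # server-side signing key (constructed for this example)
CHALLENGE_TTL = 60             # seconds a challenge stays valid (assumed value)
_redeemed = set()              # nonces already used once; in-memory for the example

# Hypothetical policy: evidence each flow needs before trust is granted.
BASE = {"face_match", "liveness"}
REQUIRED = {
    "low_risk_login": BASE,
    "onboarding": BASE | {"anti_injection"},
    "account_recovery": BASE | {"anti_injection"},
    "high_risk_txn": BASE | {"anti_injection"},
}

def _tag(msg):
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_challenge(flow, now=None):
    """Return a signed, single-use challenge bound to one flow and issue time."""
    if flow not in REQUIRED:
        raise ValueError(f"unknown flow: {flow}")
    issued = int(time.time() if now is None else now)
    msg = f"{flow}|{secrets.token_hex(16)}|{issued}"
    return f"{msg}|{_tag(msg)}"

def decide(flow, challenge, evidence, now=None):
    """Return 'accept', 'step_up' or 'deny' for one verification attempt.

    evidence maps check name -> bool; a missing key means the check was not run.
    """
    now = time.time() if now is None else now
    msg, _, tag = challenge.rpartition("|")
    if flow not in REQUIRED or not hmac.compare_digest(tag.encode(), _tag(msg).encode()):
        return "deny"                      # unknown flow, or forged/altered challenge
    c_flow, nonce, issued = msg.split("|")
    if c_flow != flow or now - int(issued) > CHALLENGE_TTL or nonce in _redeemed:
        return "deny"                      # issued for another flow, stale, or replayed
    _redeemed.add(nonce)                   # burn the nonce whatever the outcome
    if not all(evidence.get(name, True) for name in REQUIRED[flow]):
        return "deny"                      # a required check ran and failed
    missing = REQUIRED[flow] - set(evidence)
    return "step_up" if missing else "accept"
```

A face match alone on `account_recovery` returns `step_up` rather than `accept`, and resubmitting the same challenge afterwards returns `deny` even with complete evidence.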
Key takeaways
- Deepfake attacks are turning human identity verification into a live security control, not a one-time enrollment step.
- Independent evidence matters because biometric claims fail when systems confuse resemblance with real human presence.
- Practitioners should harden onboarding, recovery, and high-risk transactions with liveness, anti-injection, and risk-tiered assurance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Digital identity assurance is central to biometric verification and liveness testing. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authentication are core identity assurance functions. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust depends on reliable identity signals at the point of access. |
Require stronger identity evidence for sensitive flows and continuously reassess trust at authentication boundaries.
Key terms
- Deepfake Identity Attack: A deepfake identity attack uses synthetic audio, image, or video to impersonate a real person during authentication, onboarding, or account recovery. The goal is to satisfy identity checks with convincing media rather than with legitimate presence, making the trust decision the primary target.
- Liveness Detection: Liveness detection is a control that tries to confirm a real human is present during a biometric interaction. It reduces replay and spoofing risk by looking for signals that are hard for synthetic media to mimic, but it only works when the test is rigorous enough to resist modern injection and presentation attacks.
- Presentation Attack: A presentation attack is an attempt to fool a biometric system with a fake face, replayed video, mask, or other synthetic artefact. In practice, the control fails when it measures resemblance alone, because the attacker’s objective is to pass as the real user without actually being that person.
- Identity Assurance: Identity assurance is the confidence a system has that a claimed identity is real and valid for the intended transaction. For human identity programmes, it depends on proofing strength, recovery integrity, and the system’s ability to resist fraud, impersonation, and synthetic media throughout the lifecycle.
Deepen your knowledge
Deepfake-resistant identity verification is covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is building stronger assurance for customer or workforce access, the course is a useful place to start.
This post draws on content published by iProov: identity verification performance, deepfake threat intelligence, and product updates for 2025. Read the original.
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org