By NHI Mgmt Group Editorial TeamPublished 2026-02-05Domain: Governance & RiskSource: Oz Forensics

TL;DR: Banks are losing customers to slow or inefficient onboarding, with Fenergo reporting that 70% of financial institutions globally lost clients in the last year for that reason, while synthetic fraud and injection attacks are making gesture-heavy liveness checks less reliable according to Oz Forensics. The real issue is not active versus passive biometrics, but whether onboarding is risk-based enough to balance conversion with modern fraud resistance.


At a glance

What this is: This is an analysis of why legacy liveness checks create onboarding friction while still leaving banks exposed to modern synthetic fraud and injection attacks.

Why it matters: It matters because identity teams must treat biometric onboarding as a risk orchestration problem, not a single control choice, if they want to protect conversion, fraud resistance, and customer trust.

By the numbers:

👉 Read Oz Forensics' analysis of the liveness paradox in digital banking


Context

Digital banking onboarding is supposed to establish trust quickly, but many institutions still use biometric flows that assume every customer needs the same level of friction. That creates a governance gap between security intent and user reality, especially when customer acquisition depends on identity proofing that is both strong and fast.

The primary problem is not liveness as a concept. It is the overuse of legacy active liveness in situations where risk is better handled through orchestration, attack detection, and step-up decisions. In identity terms, this is a human IAM and KYC control problem, not an NHI problem, because the subject is a person and the business outcome is customer onboarding.

The article's starting position is typical of many financial institutions: security teams often optimise for fraud resistance in isolation, while product teams optimise for conversion in isolation. The result is a broken middle where both legitimate customers and defenders pay the price.


Key questions

Q: How should banks balance liveness security with onboarding conversion?

A: Banks should stop treating liveness as a universal challenge-and-response step and instead align verification strength to applicant risk. Use low-friction capture where confidence is high, then escalate only when device, behavioural, or fraud signals justify it. That approach protects conversion without turning identity proofing into an obstacle course.

Q: Why do gesture-based liveness checks fail against modern fraud?

A: They fail because the challenge itself is predictable and can be mirrored by deepfakes or satisfied by injected video streams. A fraudster does not need to defeat every control if the system trusts gestures more than capture integrity. Modern assurance must inspect source quality, not just the appearance of life.

Q: What do security teams get wrong about biometric onboarding?

A: Teams often assume biometric onboarding is a single control when it is really a chain of decisions. Face match, liveness, device trust, and fraud context all answer different questions. If those signals are not orchestrated together, a bank can create both unnecessary friction and avoidable exposure.

Q: Who should be accountable for risky onboarding flows?

A: Accountability should sit across identity, fraud, product, and risk leadership because onboarding affects trust, growth, and fraud loss at the same time. If one team owns only conversion and another owns only fraud, the organisation will optimise locally and fail globally. Shared governance is the only workable model.


Technical breakdown

Why active liveness breaks down in digital onboarding

Active liveness depends on user gestures such as blinking, head turns, or device movement to prove a live person is present. That approach was useful when spoofing was more rudimentary, but it creates two failure modes today. First, it adds avoidable friction for legitimate users with poor lighting, accessibility constraints, or weak device performance. Second, it can be defeated by more realistic synthetic media because the challenge itself is predictable. In banking, that means the control becomes both less usable and less discriminating. Practical implication: treat gesture-based liveness as one signal in a risk engine, not the only gate in onboarding.

Practical implication: treat gesture-based liveness as one signal in a risk engine, not the only gate in onboarding.

How injection attack detection changes the assurance model

Injection attacks bypass the camera path by feeding synthetic video into the device stream, often through virtual camera software or emulator environments. Detection therefore has to inspect the integrity of the signal, not just the face on screen. That is a different assurance problem from spotting a spoofed image. Metadata checks, sensor validation, and stream integrity analysis help establish whether the capture originated from a physical device camera rather than an injected source. Practical implication: build verification around data-path integrity as well as biometric match quality.

Practical implication: build verification around data-path integrity as well as biometric match quality.

What risk-based orchestration means for identity proofing

Risk-based orchestration means the onboarding flow adapts to context rather than forcing one liveness method on every applicant. A low-risk interaction may need minimal friction, while a suspicious session may need stronger attack detection or a different verification path. This is closer to modern identity governance because it aligns control strength with observed risk, not with a static rule. The value is not in replacing all liveness methods. It is in deciding when each method is appropriate and what telemetry should drive that decision. Practical implication: define onboarding decision paths by risk signal, not by legacy process habit.

Practical implication: define onboarding decision paths by risk signal, not by legacy process habit.


Threat narrative

Attacker objective: The attacker aims to open a trusted financial account using synthetic identity evidence while avoiding detection by liveness controls.

  1. Entry occurs when a fraudster starts the onboarding journey through a banking app and submits synthetic or manipulated identity data through a video capture flow.
  2. Escalation occurs when gesture-based checks are satisfied by deepfake puppetry or when a virtual camera injects synthetic video that bypasses the physical sensor path.
  3. Impact occurs when the institution accepts a fraudulent applicant as legitimate, creating account-opening fraud, reputational loss, and downstream financial crime exposure.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy onboarding liveness creates a trust problem, not just a usability problem. Banks often talk about friction as if it were a customer experience issue alone, but every unnecessary step also changes fraud economics. When legitimate users abandon the flow, the institution loses revenue and the security team inherits a narrower, more failure-prone verification surface. The practitioner conclusion is that onboarding controls must be judged by both assurance value and conversion cost.

Risk-based orchestration is the right control pattern because biometric assurance is contextual. The article correctly points away from a false choice between active and passive liveness. Different users, devices, and fraud patterns call for different capture and detection paths, which is why one-size-fits-all identity proofing fails. Practitioners should think in terms of decisioning, not single-product replacement.

Injection attack detection exposes the gap between face validation and source validation. A system can recognise a live face and still accept a fabricated stream if it never verifies the capture path. That is the named concept here: capture-path integrity, meaning the control must prove the image came from a physical sensor before it can trust the biometric result. The practitioner conclusion is that source integrity is now part of identity assurance, not a separate technical detail.

Biometric onboarding now sits inside a broader IAM and KYC governance model. The debate is no longer about whether liveness exists, but about how it is orchestrated across customer risk, fraud telemetry, and verification policy. That makes onboarding design a governance issue for security, fraud, and digital identity teams together. The practitioner conclusion is that lifecycle thinking must extend from enrollment through ongoing trust decisions.

Financial institutions should expect biometric fraud pressure to keep rising as synthetic media improves. The article's figures on onboarding abandonment and synthetic fraud cost show that this is already a business risk, not a future concern. Banks that keep treating onboarding as a fixed gate will keep paying for both friction and fraud. The practitioner conclusion is to re-evaluate assurance design before fraud actors make that decision for them.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Another finding from that report shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • That confidence gap matters here because onboarding flows that mix identity proofing, fraud detection, and delegated access are only as strong as the governance behind them, so review Top 10 NHI Issues for the adjacent control patterns.

What this signals

Capture-path integrity: banking teams should treat source validation as a first-class identity control, because a biometric that looks correct can still be untrustworthy if the video stream is injected. As synthetic media improves, the programme signal to watch is not only pass or fail, but how often the control has to fall back to manual review or secondary verification.

The governance lesson is broader than biometrics. Any identity process that assumes one fixed friction level for all users will either leak risk or suppress conversion, and both outcomes create business pressure. Teams responsible for KYC and customer IAM should therefore align onboarding policy with risk scoring, device trust, and fraud telemetry rather than legacy flow design.

With 60% of NHIs being overused in related identity environments, per the 2025 State of NHIs and Secrets in Cybersecurity, the operational lesson is clear: shared trust assumptions scale poorly when the environment changes quickly. The same mindset applies to human onboarding, where static verification design will not keep up with dynamic fraud patterns.


For practitioners

  • Split onboarding by risk tier Define distinct identity proofing paths for low-risk, medium-risk, and high-risk applicants so that every customer does not receive the same biometric burden. Use fraud telemetry, device signals, and applicant context to choose the path before the session becomes frustrating.
  • Add capture-path validation to biometric flows Check whether the video stream came from a physical camera sensor rather than a virtual camera or injected source. Build sensor integrity checks into the workflow so biometric matching is not the only trust signal.
  • Measure abandonment alongside false accepts Track onboarding completion, abandonment rate, and challenge failure by device type, lighting condition, and country. If the security flow protects fraud but suppresses legitimate conversion, the control is not working as intended.
  • Update fraud playbooks for synthetic media Train onboarding and fraud teams to recognise puppetry, deepfake manipulation, and emulator-driven capture abuse. The response should include additional verification paths, not just manual review after the fact.

Key takeaways

  • Legacy liveness checks can hurt both conversion and security when they are applied without risk context.
  • The most relevant technical shift is from face validation to capture-path integrity and orchestration.
  • Banks need onboarding governance that balances fraud resistance, customer experience, and accountability across teams.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing guidance is directly relevant to customer onboarding and liveness verification.
NIST CSF 2.0PR.AC-1Identity proofing and access establishment are part of the broader governance problem.
NIST Zero Trust (SP 800-207)Zero trust assumptions are challenged when onboarding trusts unverified streams.
GDPRArt.32Biometric onboarding processes often involve personal data and security obligations.

Map onboarding flows to SP 800-63A and align assurance steps to the applicant risk profile.


Key terms

  • Biometric Liveness: Biometric liveness is the control that checks whether a real person is present during capture. In digital banking, it helps separate genuine applicants from spoofing attempts, but it is only one signal in a broader identity proofing decision and should not be treated as proof of trust by itself.
  • Injection Attack Detection: Injection attack detection identifies whether a video or sensor feed has been artificially inserted into the capture stream. It matters because a system can process a realistic face without ever seeing a physical camera image, which breaks the assumption that biometric evidence came from a live capture.
  • Risk-Based Orchestration: Risk-based orchestration is the practice of adjusting identity verification steps to match the risk level of the session or applicant. Instead of forcing one liveness method on everyone, the flow uses contextual signals to choose the right combination of friction, assurance, and fallback handling.
  • Capture-Path Integrity: Capture-path integrity is the assurance that biometric data came from an expected physical device and not from a synthetic or injected source. This concept matters because matching a face is not enough if the input stream itself can be manipulated before the control sees it.

What's in the full article

Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:

  • The multi-frame liveness approach used to reduce friction while maintaining biometric assurance.
  • The Injection Attack Detection logic that validates whether the stream came from a physical camera sensor.
  • The reference to CEN/TS 18099 and the independent BixeLab testing context behind the detection claims.
  • The practical distinction between active, passive, and orchestrated liveness in banking onboarding.

👉 Oz Forensics' full post covers the biometric orchestration model, injection attack detection, and liveness trade-offs in more depth.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org