By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Oz ForensicsPublished September 24, 2025

TL;DR: Indonesia’s push toward financial inclusion is being slowed by onboarding friction and fraud, with nearly one in three applicants abandoning bank or card applications and 23% of consumers reporting losses to real-time payment scams, according to Oz Forensics. The governance issue is not just speed versus security, but whether identity verification can create trust at the first interaction without weakening fraud controls.


At a glance

What this is: The article argues that secure onboarding is the deciding point for financial inclusion in Indonesia, because weak identity verification and fraud pressure are undermining customer trust.

Why it matters: It matters to IAM and identity practitioners because onboarding is where human identity assurance, fraud resistance, and user experience collide, and the same trust design patterns increasingly shape NHI and autonomous access governance.

By the numbers:

👉 Read Oz Forensics' analysis of secure onboarding and financial inclusion in Indonesia


Context

Indonesia’s secure onboarding problem is a human identity governance problem first, and a fintech problem second. When remote identity verification is slow, confusing, or easy to attack, institutions lose applicants before they ever become customers, which weakens both financial inclusion and fraud resilience.

The article frames onboarding as the first trust decision in the relationship. That framing matters because the same control tension shows up across IAM programmes: if identity proofing and verification are too brittle, users abandon the process; if they are too weak, fraudsters exploit the gap.

The starting position described here is typical of fast-growing digital finance markets, where growth pressure often outruns identity assurance design.


Key questions

Q: How should financial institutions secure remote onboarding without creating too much friction?

A: Use layered identity proofing that combines document checks, liveness detection, and risk-based escalation. Keep the lowest-friction path for low-risk applicants, but require stronger verification when signals suggest spoofing, device abuse, or synthetic identity patterns. The goal is to preserve customer completion while making it materially harder for fraudsters to pass.

Q: Why do onboarding journeys fail when identity assurance is too heavy?

A: Applicants abandon flows when the process signals distrust through repeated questions, long wait times, or multiple retries. In digital finance, that abandonment is not just a user-experience issue. It becomes a governance failure because legitimate customers never complete identity proofing, and insecure workarounds often follow.

Q: What do security teams get wrong about biometric verification?

A: They often treat biometric match accuracy as the whole control. In practice, a system can match a face correctly and still be vulnerable if it cannot detect spoofing at capture time. Liveness, presentation attack resistance, and exception handling are what separate usable verification from fraud exposure.

Q: Who is accountable when onboarding controls block legitimate users or let fraud through?

A: Accountability usually sits with the identity, fraud, and customer operations owners together, because onboarding is a shared control point. If the process excludes legitimate applicants, the business pays in lost conversion. If it admits synthetic or spoofed identities, the organisation absorbs fraud loss and trust damage.


Technical breakdown

Biometric onboarding as an identity proofing control

Biometric onboarding combines identity proofing and liveness checks so a system can distinguish a real, present person from a replayed image, video, or synthetic presentation. In financial onboarding, the core control objective is not facial recognition alone, but assurance that the applicant is physically present and that the identity claim is tied to a live interaction. That shifts the security model from static credentials to verifiable presence. The article’s example uses selfie-based verification as a single-step control path, which reduces user friction while strengthening fraud resistance.

Practical implication: Treat biometric onboarding as a control in the identity proofing chain, not as a standalone convenience feature.

Liveness detection and deep fake resistance

Liveness detection checks whether the biometric sample comes from a live person rather than a captured or generated artifact. This matters because modern fraud attempts increasingly use photos, screen replays, and deep fakes to bypass remote onboarding systems. The technical issue is presentation attack detection, not just match accuracy. A system can be highly accurate at comparing faces and still fail if it cannot detect spoofing at capture time. That is why false acceptance rate is only meaningful when paired with strong liveness assurance and controlled capture conditions.

Practical implication: Measure spoof resistance and liveness performance together, otherwise biometric accuracy numbers can mask onboarding fraud exposure.

Onboarding friction as a governance signal

Excessive questions, long completion times, and repeated retries are not just user-experience issues. They are governance signals that the identity process is misaligned with risk, because applicants will abandon legitimate flows when assurance steps are too burdensome. In regulated environments, security and conversion are often treated as opposing goals, but the real question is whether the control design can preserve trust without increasing failure rates. In practice, poor onboarding becomes a form of access exclusion, while overly permissive onboarding becomes an invitation to fraud.

Practical implication: Use abandonment, retry, and completion-time data as security indicators, not only as product metrics.


Threat narrative

Attacker objective: The attacker aims to open fraudulent accounts and exploit payment or banking access while bypassing identity assurance controls.

  1. Entry occurs at remote onboarding when fraudsters submit forged or synthetic identity evidence through digital application flows.
  2. Escalation happens when weak verification allows the attacker to progress from applicant to approved account without a real-person assurance barrier.
  3. Impact is account creation fraud that erodes customer trust, increases direct financial loss, and slows legitimate inclusion efforts.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Human identity proofing has become a trust gate, not a formality: When onboarding is the first real security interaction, it determines whether the institution can scale inclusion without importing fraud at the front door. The article shows that speed and assurance are no longer separate design goals. Practitioners should treat onboarding as a governance control with measurable abandonment and fraud outcomes.

Biometric verification only works when presentation attack resistance is built in: Face matching without liveness detection leaves a gap that photos, videos, and deep fakes can exploit. The field should stop treating biometric accuracy as the primary metric and start treating spoof resistance as the actual assurance requirement. The implication is that identity proofing programmes must be evaluated on attack tolerance, not just match success.

Onboarding friction is an access-control failure mode: A process that drives away legitimate applicants is not merely inconvenient, it is a control design problem that undermines adoption and pushes users toward weaker channels. That matters across IAM because trust-breaking friction often leads to shadow workarounds, manual exceptions, and inconsistent verification standards. Practitioners should examine where security design is leaking business demand into insecure alternatives.

Secure onboarding is now part of financial inclusion strategy: The article makes clear that inclusion cannot be separated from fraud resilience. In regulated digital finance, identity proofing has to support high-volume growth, not just block obvious attacks. Teams should align onboarding architecture with fraud patterns, customer abandonment data, and the operational realities of remote verification.

First-interaction trust is the named concept that best captures the issue: The opening identity exchange sets the security tone for the entire relationship. If that first interaction feels slow, opaque, or unsafe, users disengage and institutions lose both customers and control. Practitioners should design for trust formation at first contact, not after the account is already live.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For practitioners: Explore Ultimate Guide to NHIs , 2025 Outlook and Predictions for the next control pressures on identity programmes.

What this signals

First-interaction trust will increasingly define identity architecture. As more onboarding moves digital, organisations will need to decide whether the first verification step is a conversion hurdle or a control point. The programmes that win will be the ones that treat trust formation and fraud resistance as the same design problem, not competing workstreams.

The next governance shift is toward measurable identity assurance at the point of capture, not after account creation. That implies tighter linkage between onboarding data, fraud signals, and downstream access decisions, including the controls that later govern NHI and delegated access flows.

For identity teams, the operational lesson is simple: if your onboarding flow cannot withstand spoofing while remaining usable, it will either shed legitimate customers or invite abuse. Neither outcome is acceptable in a financial inclusion programme.


For practitioners

  • Separate proofing from matching Assess whether your onboarding flow includes both face comparison and live-person assurance. If the system only verifies that a face matches a record, it is exposed to spoofing through images, video replay, or synthetic media.
  • Track abandonment as a security metric Measure application drop-off at each onboarding step, especially when forms exceed 10 questions or take longer than 10 minutes. High abandonment can signal that security controls are creating shadow pathways or excluding legitimate users.
  • Validate liveness under real attack conditions Test the onboarding stack against replayed images, screen captures, and generated faces, not only clean sample data. The control should be judged on whether it can stop presentation attacks in the same workflow where legitimate users are verified.
  • Align fraud controls with inclusion targets Map onboarding friction, fraud loss, and approval rates to business goals so security and inclusion are evaluated together. This prevents teams from overcorrecting toward either pure convenience or pure denial.

Key takeaways

  • Secure onboarding is the control point where financial inclusion and fraud resistance either reinforce each other or collide.
  • The article’s evidence shows that applicant abandonment and real-time payment scams are already shaping trust in Indonesia’s digital finance market.
  • Practitioners should evaluate onboarding by spoof resistance, abandonment, and completion time together, not as separate product metrics.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing and onboarding are the core subject of this article.
NIST CSF 2.0PR.AC-1The article centres on identity verification as access entry control.
NIST Zero Trust (SP 800-207)Secure onboarding supports zero-trust identity assurance at the front door.
GDPRArt.32Biometric onboarding involves personal data and requires security by design.

Align onboarding with zero-trust principles so account creation is not treated as implicit trust.


Key terms

  • Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before the organisation grants access or opens an account. In remote onboarding, it combines evidence collection, verification, and risk checks to reduce impersonation and synthetic identity fraud.
  • Liveness Detection: Liveness detection is a biometric control that tests whether the sample comes from a live person present at capture time. It is designed to resist spoofing attempts such as printed photos, replayed video, masks, and some forms of synthetic media.
  • Presentation Attack: A presentation attack is an attempt to fool a biometric system by presenting forged or altered biometric evidence at the sensor. In onboarding, the attacker tries to look like a legitimate applicant without actually being the real person the system is expecting.
  • Onboarding Friction: Onboarding friction is the effort, delay, or complexity a user experiences while completing identity verification and account creation. Excessive friction weakens conversion, but poorly designed reductions in friction can create openings for fraud and account abuse.

What's in the full article

Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:

  • How the biometric onboarding flow is positioned to reduce abandonment in remote application journeys.
  • The specific performance claims behind the two-second capture and first-attempt success rate mentioned in the article.
  • The anti-fraud rationale for face liveness detection when applicants use photos, videos, or deep fakes.
  • The broader business argument for tying identity verification to financial inclusion outcomes.

👉 Oz Forensics' full article expands on the onboarding trust argument and the biometric security claims behind it.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org