TL;DR: Identity verification vendors are converging on similar deepfake claims, but adversarial testing exposes whether fraud controls actually hold under injection attacks, synthetic identities, and edge-case policy gaps, according to Incode. In a market where 75% of enterprise buying decisions happen outside IT, buyer diligence now has to include how the system behaves under realistic fraud pressure.
NHIMG editorial — based on content published by Incode: Why Your IDV Vendor Needs Adversarial Testing
By the numbers:
- 75% of enterprise tech buying decisions happen outside of the IT department.
- Across 13 distinct attack types, zero bypasses were achieved across Incode's mobile verification flows.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should organisations evaluate identity verification vendors for fraud resilience?
A: Evaluate them on adversarial evidence, not just certification or analyst recognition.
Q: Why do certifications fail to prove real-world IDV security?
A: Certifications measure performance against defined test conditions, but fraudsters do not attack only the benchmark.
Q: What do security teams get wrong about deepfake detection?
A: They often assume deepfake detection is a single control, when it is actually a stack of controls.
Practitioner guidance
- Require adversarial testing evidence in IDV evaluations Ask vendors to show how they have been tested against injection attacks, synthetic identities, replay, rooted devices, and document fraud across full onboarding and re-verification flows.
- Test policy exceptions as part of the control surface Include manual review paths, exception handling, regional threshold differences, and transaction-based liveness logic in red-team scenarios so process drift does not become a bypass path.
- Separate presentation attacks from software injection risk Validate camera-fed spoof resistance and backend pipeline integrity independently, because controls that stop one can still miss the other.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's four-question evaluation framework for IDV buyers, including how to separate analyst recognition from adversarial proof.
- The iBeta Level 1, Level 2, and Level 3 distinctions and why those certifications do not cover software injection attacks.
- The SocialProof Security test setup, including the 13 attack types used against mobile verification flows.
- The vendor's explanation of how internal fraud red teams turn external findings into product and policy changes.
👉 Read Incode's analysis of why IDV vendors need adversarial testing →
IDV adversarial testing: are your controls keeping up?
Explore further
Fraud red teaming is becoming the missing proof layer for identity verification governance. Certification and analyst recognition answer procurement questions, but they do not show how controls behave under evolving attacker tradecraft. That leaves a governance gap where organisations confuse benchmark performance with operational resilience. The right standard is whether a vendor has been tested against live adversarial behavior, not whether it can pass a static lab scenario.
A question worth separating out:
Q: Who should own adversarial testing findings in identity programmes?
A: The identity team, fraud team, and security team should share ownership, but one accountable owner must track remediation. Findings should feed product changes, policy updates, and runbook revisions, not sit in a report. That accountability is especially important when buying decisions are decentralised and the trust boundary spans multiple business functions.
👉 Read our full editorial: Adversarial testing is now the IDV trust test that matters