TL;DR: Identity verification platforms now have to be measured against synthetic media and capture-layer abuse, not legacy fraud assumptions, according to Incode. The company says its identity verification platform met government-defined goals in DHS S&T’s RIVR Track 2 for liveness detection, document verification, and injection attack resistance, a controlled test focused on deepfakes, fraudulent documents, and bypass attempts.
NHIMG editorial — based on content published by Incode: Incode ranks among top performers in DHS S&T RIVR Track 2 document validation
Questions worth separating out
Q: How should security teams evaluate identity verification against deepfake attacks?
A: They should test verification against the attack classes that matter in production, including 2D spoofs, video replay, 3D artifacts, and synthetic faces.
Q: Why do synthetic documents create governance risk for IAM and fraud teams?
A: Synthetic documents can turn a failed identity check into a trusted enrolment event if verification is treated as a binary pass or fail.
Q: What breaks when capture pipelines allow injection attacks?
A: The trust boundary breaks before the biometric or document model even evaluates the input.
Practitioner guidance
- Test capture integrity against real attack classes Include 2D spoofs, 3D artifacts, video replays, synthetic documents, and injected imagery in your assurance testing.
- Separate control ownership across liveness, documents, and pipeline security Assign distinct owners for biometric liveness, document authenticity, and capture-channel security so failures can be triaged quickly.
- Require adversarial evidence in procurement Ask IDV suppliers to show tested performance against injection attacks and synthetic media, not just benchmark scores.
What's in the full article
Incode’s full post covers the operational detail this post intentionally leaves for the source:
- Performance context for liveness detection against the specific attack classes used in RIVR Track 2.
- The evaluation framing used by DHS S&T and why controlled testing matters for regulated identity workflows.
- The distinction between document verification failures and capture-layer injection attacks in practical deployments.
- How Incode positions external validation as part of its broader identity assurance approach.
👉 Read Incode’s account of DHS RIVR Track 2 identity verification results →
RIVR Track 2 and deepfake resistance: what IDV teams need now?
Explore further
Identity verification is now a capture-integrity problem, not just a document-check problem. RIVR Track 2 highlights a shift that many programmes still understate: attackers are targeting the ingestion layer, not only the identity artefact. When injected imagery or synthetic documents can enter the pipeline, assurance fails before downstream policy logic even begins. IDV, fraud, and IAM teams need to treat capture integrity as part of identity governance, not as a vendor feature.
A question worth separating out:
Q: Which controls matter most when identity verification feeds access decisions?
A: The most important controls are capture integrity, documented assurance thresholds, and step-up checks for low-confidence outcomes. If verification supports access, provisioning, or account recovery, the result should flow into IAM policy rather than being treated as a standalone approval. That keeps weak identity evidence from becoming a permanent access decision.
👉 Read our full editorial: Identity verification under AI attack: what RIVR Track 2 showed