People verification and human-to-human trust in the AI era

TL;DR: People verification replaces voice, face, and call-centre judgment with cryptographic human-to-human verification using hardware-bound keys, a default 60-second single-use artifact, and provenance-marked attributes, according to Scramble ID. That shift matters because AI-generated impersonation has made traditional human verification signals probabilistic and increasingly defeatable.

NHIMG editorial — based on content published by Scramble ID: What Is People Verification?

By the numbers:

• The Arup Hong Kong incident in early 2024 made the new pattern public: a finance employee transferred $25.6 million after a video conference in which every other participant was an AI-generated deepfake.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

Questions worth separating out

Q: How should security teams handle human verification when voice and video can be faked?

A: Treat voice and video as untrusted indicators, not proof.

Q: When is a callback no longer a safe way to confirm identity?

A: A callback is no longer safe when the decision depends on recognising a voice, face, or familiar behaviour that AI can imitate.

Q: What should identity teams do with provenance when sharing user attributes?

A: Identity teams should preserve provenance all the way through the workflow.

Practitioner guidance

• Replace recognition-based callbacks for high-risk requests Use cryptographic human verification for payment changes, access reset requests, vendor onboarding, and executive approvals where a voice or face could otherwise be spoofed.
• Separate proofing from confirmation in policy Write support and IAM procedures so enrollment, proofing, and moment-of-confirmation are distinct steps with different assurance requirements.
• Treat shared attributes as provenance-scoped Require downstream systems to preserve whether an attribute was verified or self-asserted, especially for directory updates, delegated admin requests, and vendor trust workflows.

What's in the full article

Scramble ID's full article covers the operational detail this post intentionally leaves for the source:

• A step-by-step breakdown of the presenter and verifier flow across QR, type code, and SMS deep link channels.
• The underlying device and session-binding mechanics that make replay and relay attacks ineffective.
• Attribute catalog details showing which fields are verified, self-asserted, or policy-scoped.
• The security and accessibility design choices that govern how the verification ceremony behaves in practice.

👉 Read Scramble ID's full explanation of people verification and human-to-human trust →

People verification and human-to-human trust in the AI era?

Explore further

View Full Forum →  |  NHI Foundation Course →