Deepfakes and identity verification: are legacy controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Synthetic impersonation is shifting breaches toward login and verification abuse as Gartner found 62% of organisations experienced a deepfake attack in the past year, while iProov says it surpassed one million daily transactions in 2025; legacy identity controls are now being tested at the point of human authenticity, not at the network edge.

NHIMG editorial — based on content published by iProov: identity verification performance, deepfake threat intelligence, and product updates for 2025

By the numbers:

Questions worth separating out

Q: How should organisations handle deepfake risk in human identity verification?

A: Treat deepfake risk as a verification integrity issue, not just a fraud problem.

Q: Why do biometric controls still fail against impersonation attacks?

A: Biometrics fail when they verify resemblance instead of presence.

Q: How can security teams know whether identity verification is actually working?

A: Look for evidence that the control survives adversarial testing, not just internal demos.

Practitioner guidance

  • Test proofing against synthetic media attacks: Run red-team style checks for face swaps, replayed video, virtual camera injection, and other presentation-attack techniques before relying on biometric MFA for high-risk flows.
  • Separate onboarding trust from account recovery trust: Use stronger evidence requirements for first-time enrolment and for recovery, because attackers often target the weaker of the two steps to create durable access.
  • Require liveness and anti-injection evidence: Do not accept a biometric or selfie match as sufficient on its own.

What's in the full analysis

iProov’s full report covers the operational detail this post intentionally leaves for the source:

  • Threat Intelligence Report 2025 findings on native virtual camera attacks and face swap growth.
  • Independent validation details for deepfake resilience testing against accredited standards.
  • Customer use cases across workforce identity, travel, financial services, and property fraud.
  • Product-specific verification capabilities and deployment context for high-assurance identity flows.

👉 Read iProov’s full analysis of deepfake-driven identity verification risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Deepfake resilience is now an identity assurance requirement, not a fraud specialist add-on. When synthetic media can imitate a person convincingly enough to satisfy weak verification, human IAM inherits a new failure mode: authenticity can no longer be inferred from appearance alone. The practical implication is that identity programmes must evaluate proofing strength as a security control, not just a user experience feature.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when a deepfake bypasses identity controls?

A: Accountability usually sits with the team that owns identity assurance, fraud controls, and recovery design together, because the failure spans multiple governance boundaries. If the programme allowed weak proofing, weak liveness, or weak recovery paths, the control owner must treat that as an identity governance gap, not an isolated incident.

👉 Read our full editorial: Identity verification must now absorb deepfakes and synthetic impersonation



   