Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI-enabled fraud and mobile possession factors: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: AI has pushed the cost of phishing, voice cloning, and deepfake document fraud toward near zero, while over half of fraud cases now involve some form of AI and phishing volumes rose 400% in early 2025, according to Gen Digital and Feedzai. The structural answer is not better human judgment, but possession-based authentication that removes secrets, biometrics, and user action from the trust decision.

NHIMG editorial — based on content published by IDlayr: La IA ha cambiado las reglas del fraude: es hora de replantearse la identidad digital

By the numbers:

Questions worth separating out

Q: How should security teams reduce AI-enabled account takeover risk in authentication flows?

A: They should remove reliance on user-entered secrets wherever the attacker can impersonate the conversation or the interface.

Q: Why do SMS OTP and voice checks fail more often against AI-driven fraud?

A: Because both depend on a person recognising deception and acting correctly under time pressure.

Q: What do organisations get wrong about possession-based authentication?

A: They often treat it as a nicer user experience rather than a structural trust change.

Practitioner guidance

  • Replace human-mediated OTP paths Move high-risk authentication journeys away from SMS codes, voice callbacks, and knowledge questions where users can be socially engineered or relayed in real time.
  • Map fraud journeys to the identity control surface Trace where the user is asked to read, type, approve, or verbally confirm identity and mark each step as an attacker opportunity.
  • Adopt device- and network-bound proof Prefer factors that verify the physical device or SIM at the network layer so the check cannot be copied from a prompt or replayed from a fake site.

What's in the full article

IDlayr's full article covers the operational detail this post intentionally leaves for the source:

  • A deeper explanation of silent network authentication and how the verification flow works across the mobile network and device.
  • The FAQ discussion of why mainstream passkeys behave differently from true device-bound possession factors.
  • Examples of how possession-based authentication can replace SMS OTP in recovery and step-up journeys.
  • The article’s framing for agent-led commerce and why verified identity links matter when transactions become partially automated.

👉 Read IDlayr's analysis of AI fraud, mobile possession, and identity trust →

AI-enabled fraud and mobile possession factors: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Knowledge factors have become a liability when AI can industrialise deception. Passwords, PINs, OTPs, and security questions were designed for a world where attackers had to work one victim at a time. That assumption collapses when AI can generate credible lures, relay captures in real time, and repeat the attempt at scale. The implication is that identity assurance can no longer depend on the user correctly detecting fraud under pressure.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How do teams decide when to use mobile network verification instead of human challenge steps?

A: Use mobile network verification when the journey is high value, easily phished, or likely to attract automated fraud. It is most appropriate where the organisation needs a silent proof of possession and where asking the user to confirm identity would create more exposure than assurance.

👉 Read our full editorial: AI-enabled fraud is breaking identity assumptions in consumer auth



   
ReplyQuote
Share: