Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI fraud, possession factors, and the identity gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: AI has cut the cost of phishing, voice cloning, deepfake documents, and real-time relay attacks to near zero, making knowledge-based authentication and SMS OTP increasingly unreliable, according to IDlayr. Possession-based, device or network-verified controls now matter because they remove the human from the authentication step and reduce AI’s ability to social-engineer access.

NHIMG editorial — based on content published by IDlayr: L'intelligenza artificiale ha cambiato le regole delle frodi

Questions worth separating out

Q: How should security teams replace SMS OTP in high-risk identity flows?

A: Security teams should phase out SMS OTP first in recovery, account takeover prevention, and payment-adjacent journeys, where social engineering has the highest payoff.

Q: Why do AI-enabled attacks weaken knowledge-based authentication so quickly?

A: AI lowers the cost of convincing a person to reveal a secret or complete a fraudulent challenge.

Q: What breaks when identity verification depends on the user spotting fraud?

A: The control fails when the person being protected becomes the detection layer.

Practitioner guidance

  • Replace SMS OTP on high-risk journeys Move password resets, account recovery, payout approval, and sensitive profile changes away from SMS OTP and other user-entered secrets.
  • Bind authentication to device and network context Use possession-based checks that verify the SIM or device at the network layer so the control does not depend on a user reading or typing a code.
  • Redesign recovery and step-up controls Treat recovery, SIM swap handling, and step-up challenges as the highest-risk identity moments.

What's in the full article

IDlayr's full article covers the operational detail this post intentionally leaves for the source:

  • Practical explanation of silent network authentication and how the verification flow works end to end
  • Direct comparison of SMS OTP, passkeys, and SIM-based possession factors for fraud resistance
  • Specific examples of how mobile trust can be extended into agentic commerce and transaction approval
  • FAQ-level detail on when device-bound verification is stronger than knowledge-based or biometric checks

👉 Read IDlayr's analysis of AI fraud, possession factors, and mobile identity →

AI fraud, possession factors, and the identity gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

AI fraud has broken the assumption that a person can safely mediate authentication in real time. Legacy identity programmes were designed for a world where users could distinguish legitimate requests from malicious ones and where challenge responses were slow enough to evaluate. That assumption fails when phishing, voice cloning, and relay automation can complete a fraud path in seconds. The implication is that human-in-the-loop authentication is no longer a reliable control boundary for high-risk access.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why identity controls that rely on human discipline continue to fail under pressure.

A question worth separating out:

Q: Who is accountable when AI agents initiate transactions on behalf of users?

A: Accountability should remain with the organisation that authorises the transaction path, but the trust chain must prove which user, device, and agent were involved. Without that binding, it becomes hard to separate legitimate delegated action from hijacked or synthetic activity. That is why transaction provenance needs to be part of identity governance.

👉 Read our full editorial: AI fraud is breaking legacy identity controls and SMS OTP



   
ReplyQuote
Share: