TL;DR: Traditional MFA that stops at login no longer covers the full customer journey as phishing, session hijacking, contact center fraud, and SMS man-in-the-middle attacks shift risk beyond the front door, according to Authsignal and iProov. The practical lesson is that authentication must become journey-based, risk-aware, and resistant to replay, not just stronger at sign-in.
NHIMG editorial — based on content published by Authsignal: Webinar July 2025 - Building high-trust in the age of AI-powered fraud
By the numbers:
- Face swap attacks surged by 300% in the last year.
- The number of attack tools increased by 15%.
- A face swap attack can be performed for just $60 using a standard MacBook Air and readily available tools.
Questions worth separating out
Q: How should security teams design authentication beyond login for customer journeys?
A: They should map every identity-sensitive step after login, then set an assurance level for each one.
Q: Why do passkeys reduce phishing risk more effectively than SMS OTPs?
A: Passkeys use cryptographic keys bound to the legitimate domain, so they cannot be reused on a phishing site the way an SMS code can.
Q: What do security teams get wrong about biometric authentication?
A: They often treat biometrics as a stand-alone proof of identity when they work best as part of a broader assurance chain.
Practitioner guidance
- Map authentication controls across the full customer journey Inventory every place where identity is rechecked, including onboarding, recovery, device change, dormant account reactivation, contact centre flows, and high-value transactions.
- Deploy passkeys for phishing-resistant primary authentication Use passkeys where the current control objective is to prevent credential phishing, replay, and SMS interception.
- Bind biometric verification to trusted onboarding evidence Link biometric enrolment to the strongest available identity proofing process, such as document validation and high-assurance onboarding.
What's in the full article
Authsignal's full article covers the operational detail this post intentionally leaves for the source:
- Live webinar discussion of how passkeys, biometrics, and adaptive MFA fit together in customer-facing authentication.
- Practical examples of journey-based design across onboarding, recovery, dormant account reactivation, and contact center verification.
- Specific fraud scenarios discussed with iProov, including face swap attacks, liveness bypass, and SMS-based interception.
- Implementation framing for teams moving away from SMS OTPs under emerging regulatory pressure.
👉 Read Authsignal's webinar analysis of AI-powered fraud, passkeys, and biometrics →
AI-powered fraud and passkeys: what identity teams need to change?
Explore further
Journey-based authentication is now the baseline, not an enhancement. Login-only MFA assumes the risky event happens once, at the beginning of the session. That assumption no longer holds when fraud can emerge during recovery, device enrollment, contact center interaction, or transaction approval. IAM programmes that still treat authentication as a single checkpoint are governing the wrong boundary.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
A question worth separating out:
Q: Who is accountable when fraud moves outside the login screen?
A: Accountability usually sits with multiple owners at once: IAM for assurance policy, fraud teams for abuse patterns, and product or operations teams for fallback journeys. The practical test is whether any user path allows a weaker channel to override a stronger one. If it does, ownership has not been assigned to the real control point.
👉 Read our full editorial: AI-powered fraud is exposing the limits of traditional MFA