TL;DR: A 2025 Gartner survey found 62% of organisations experienced a deepfake attack and 37% saw deepfakes on video calls, while iProov reports a 720% surge in Southeast Asia attacks and 1,151% growth in iOS injection attacks in late 2025. The compliance lesson is that biometric identity verification now has to prove resistance to synthetic media, injection, and data-handling risks, not just basic spoofing.
NHIMG editorial — based on content published by iProov: APAC biometric identity rules are tightening after deepfake fraud
By the numbers:
- 62% of organisations experienced a deepfake attack in the prior year.
- 37% of organisations have encountered deepfakes on video calls.
- iProov surpassed one million daily biometric verifications in 2025.
Questions worth separating out
Q: How should security teams govern biometric identity verification in APAC?
A: They should treat biometric verification as a regulated assurance control, not just an authentication feature.
Q: Why do deepfakes create a compliance problem for identity programmes?
A: Deepfakes undermine the assumption that a visible or audible identity signal is trustworthy enough for decision-making.
Q: How do organisations know if biometric assurance controls are actually working?
A: They look for evidence of current performance against present-day attacks, not just a historical certificate.
Practitioner guidance
- Map APAC regulatory scope by identity flow: Identify which onboarding, authentication, and verification journeys touch Vietnam, India, Indonesia, Malaysia, Thailand, Australia, or Singapore, then document which biometric and AI rules govern each flow.
- Test for injection resilience as well as spoof resistance: Require validation against presentation attacks, digital injection attacks, and synthetic media paths so that controls are tested against the full attack surface, not just camera-side spoofing.
- Separate biometric templates from personal identifiers: Review whether the architecture keeps biometric templates, personal data, and account identifiers structurally apart so no single component can re-identify a user from the full record.
What's in the full article
iProov's full blog covers the operational detail this post intentionally leaves for the source:
- Country-by-country regulatory examples for Vietnam, India, Malaysia, Thailand, Australia, and Singapore
- Standards references and certification context for NIST, FIDO, ISO, and CEN testing methods
- Specific guidance on how biometric architectures handle privacy separation and cloud-based processing
- Vendor examples of the identity verification capabilities needed to satisfy current APAC compliance expectations
APAC deepfake-driven identity rules: are your controls keeping up?
Explore further
APAC identity regulation is shifting biometric verification from a fraud-control problem to an assurance-governance problem. The article shows that regulators are no longer satisfied with basic liveness or spoof detection because deepfakes and injection attacks have changed the threat model. That means the governance question is not whether identity verification exists, but whether it can prove resistance under adversarial conditions and accountability under privacy law. Practitioners should reframe biometric controls as regulated assurance mechanisms, not user-experience features.
A few things that frame the scale:
- 92% of organisations expose non-human identities (NHIs) to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still lack complete control over machine-account exposure.
A question worth separating out:
Q: Who is accountable when biometric identity verification fails?
A: Accountability sits with the organisation that selected the control, accepted the risk, and deployed the verification flow into a regulated environment. In APAC, that usually means security, IAM, privacy, and compliance leaders share responsibility for evidence, governance, and vendor oversight. If the architecture cannot support audit and traceability, the accountability gap becomes operational.