Biometric liveness and deepfake attacks: are your checks enough?

TL;DR: Facial biometrics are being targeted by deepfake, virtual camera, and injection attacks at scale, while Microsoft Entra data shows password-based attacks account for over 99% of the 600 million daily identity attacks it observes and SIM swap attacks are rising more than 1000% year-on-year in the UK. Single-point identity checks are no longer a credible assurance model; layered verification and continuous monitoring are now the baseline.

NHIMG editorial — based on content published by iProov: layered biometric verification against deepfake and injection attacks

By the numbers:

• Password-based attacks now account for over 99% of the 600 million daily identity attacks Microsoft Entra observes.
• SIM swap attacks are rising >1000% year-on-year in the UK alone.
• In 2024 alone, iProov observed native virtual camera attacks surge 2,665%.

Questions worth separating out

Q: How should security teams use layered biometrics for high-risk identity journeys?

A: Use layered biometrics when the consequence of a false accept is high, such as account recovery, payment changes, or privileged access enrollment.

Q: Why do single biometric checks fail against deepfake and injection attacks?

A: Single checks fail because attackers only need to defeat the one signal being measured.

Q: How do you know if biometric assurance is actually working?

A: Look for correlation across independent signals, not just high acceptance rates.

Practitioner guidance

• Replace single-point biometric gates with layered assurance Require at least two independent signal classes before approving a high-risk identity event, such as liveness plus device integrity or session metadata.
• Harden decisions against injection and synthetic media Test whether your verification stack can detect media injected after capture, not just spoofed faces at the camera.
• Use adaptive fraud telemetry to tune policy Feed attack observations from live traffic into detection updates and policy thresholds so new tooling does not remain invisible for weeks or months.

What's in the full article

iProov's full article covers the operational detail this post intentionally leaves for the source:

• The imagery-layer mechanics behind dynamic liveness and challenge-response checks.
• The metadata signals used to detect rooted devices, emulators, and masked network paths.
• The continuous monitoring approach used to adapt detection as attack tooling evolves.
• The testing and accreditation context behind the injection-attack claims.

👉 Read iProov's analysis of layered biometric defence against deepfake fraud →

Biometric liveness and deepfake attacks: are your checks enough?

Explore further

View Full Forum →  |  NHI Foundation Course →