TL;DR: Deepfakes can now be created for under $10 a month, and the source article argues they have shifted from a media-trust problem to an identity verification and access-control problem in high-stakes government workflows. The practical issue is that visual inspection is no longer a dependable assurance layer, so verification must move toward liveness and session-context controls.
NHIMG editorial — based on content published by Incode: Pretty Sure Isn’t Good Enough. Why Deepfake Detection Must Go Deeper
Questions worth separating out
Q: How should organisations verify identity when photos and video can be faked?
A: Organisations should move from visual inspection to higher-assurance proofing that validates the live interaction.
Q: Why do deepfakes create an identity verification problem for government and enterprise workflows?
A: Deepfakes lower the cost of impersonation and make visual evidence unreliable at the exact point where access decisions are made.
Q: What breaks when identity proofing relies on human review of screenshots or video?
A: Human review breaks because attackers can generate convincing images, replay video, or manipulate the capture stream faster than reviewers can detect artifacts consistently.
Practitioner guidance
- Define assurance tiers for remote proofing Separate low-risk media screening from high-risk identity proofing.
- Validate the capture moment, not just the credential image Require signals that indicate a live interaction, including challenge-response and device integrity checks, before accepting biometric or document evidence.
- Harden the surrounding identity channel Add URL validation, domain inspection, and session integrity checks so fake portals and injected capture flows are treated as part of the identity risk surface.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- Examples of screen-replay attacks, hijacked cameras, and jailbroken-device indicators in remote verification flows
- The practical distinction between visual artifact spotting and active liveness detection
- How synthetic identity documents, fake websites, and forged support interactions expand the fraud surface
- Why federal and state workflows need different assurance levels for access, benefits, and onboarding
👉 Read Incode's analysis of why deepfake detection must go deeper →
Deepfake detection and identity proofing: are your controls ready?
Explore further
Deepfake risk is now an identity assurance problem, not a media literacy problem. The source article shows that visual cues are no longer enough to distinguish real from synthetic in high-stakes workflows. That shifts the governance burden onto proofing, access gating, and fraud-resistant identity verification. Practitioners should stop treating deepfakes as content noise and start treating them as failed assurance at the point of entry.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, showing that confidence and practice often diverge.
A question worth separating out:
Q: Who is accountable when a deepfake leads to unauthorised access or fraud?
A: Accountability sits with the organisation that accepted the identity evidence and defined the assurance threshold for the workflow. Security, IAM, and business owners should jointly set the required level of proof for the transaction. If the control does not match the risk, the failure is governance, not just technology.
👉 Read our full editorial: Deepfake detection now functions as identity verification control