Identity verification and assurance: where teams are getting it wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Identity verification has become shorthand for document checks, selfie matching, and liveness detection, but those controls only validate evidence, not enduring trust, according to HYPR’s analysis. The real governance issue is that many workflows still treat a point-in-time pass as proof of identity, which breaks down as risk, fraud, and account conditions change.

NHIMG editorial — based on content published by HYPR: Identity Verification Has an Identity Crisis

Questions worth separating out

Q: How should security teams use identity verification without overstating trust?

A: Use identity verification as one evidence source in a broader decision model, not as proof of durable trust.

Q: When does identity verification create more risk than it reduces?

A: It creates more risk when organisations treat a point-in-time pass as if it applies indefinitely, or when they rely on a single signal for a high-impact action.

Q: What do teams get wrong about liveness detection?

A: Teams often treat liveness detection as a broad fraud or trust control, when it is really a narrow anti-spoofing check.

Practitioner guidance

  • Separate evidence checks from trust decisions: Map document authentication, biometric matching, liveness detection, and identity proofing to different decision points in the workflow so each one contributes only what it can actually prove.
  • Raise assurance for higher-risk transactions: Require additional independent signals, such as trusted device context or stronger step-up verification, when the requested action carries financial, operational, or privileged impact.
  • Review where point-in-time checks are being reused: Find processes that treat a historical successful verification as sufficient for later access, payment, or recovery decisions, then require a fresh risk evaluation for those paths.

What's in the full article

HYPR's full blog post covers the operational detail this post intentionally leaves for the source:

  • How HYPR distinguishes document authentication, identity proofing, and identity verification in practical workflows
  • The article's detailed FAQ examples on liveness detection, selfie matching, and synthetic identity limits
  • HYPR's framing of identity assurance levels and how they map to transaction risk
  • The product context behind HYPR Affirm and the verification workflow design choices it supports

👉 Read HYPR's analysis of why identity verification is not the same as identity assurance →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Identity verification and identity assurance are different governance problems. Verification is a control moment that checks evidence, while assurance is a trust posture that should hold only as long as the risk remains acceptable. The industry confusion exists because the user experience looks similar, but the decision purpose is not the same. Practitioners should stop treating pass/fail checks as proof of durable trust.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do organisations decide what level of identity assurance they need?

A: They should start with the risk of the transaction, then decide how much confidence is necessary for that action. Low-risk interactions may need only basic checks, while regulated, financial, or privileged actions usually require multiple independent signals and stronger policy controls. NIST SP 800-63 is a useful reference for that risk-based approach.

👉 Read our full editorial: Identity verification is not the same as identity assurance
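The decision model described in both posts above (each check contributes only what it can prove, higher-risk actions need more independent signals, and an old pass is not reused) can be sketched as a small policy function. This is an added example, not part of either post and not code from HYPR or NHIMG; the claim names, the two risk tiers and the freshness windows are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# What each check can prove on its own (claim names are assumed for this sketch).
PROVES = {
    "document_auth": {"document_genuine"},
    "selfie_match": {"face_matches_document"},
    "liveness": {"presenter_not_spoofed"},  # narrow anti-spoofing check only
    "trusted_device": {"known_device"},
}

# Per risk tier: claims required, and maximum evidence age in seconds (assumed values).
POLICY = {
    "low": ({"known_device"}, 30 * 86400),
    "high": ({"document_genuine", "face_matches_document",
              "presenter_not_spoofed", "known_device"}, 15 * 60),
}

@dataclass(frozen=True)
class Evidence:
    check: str     # key of PROVES
    passed: bool
    at: float      # epoch seconds when the check ran

def decide(risk, evidence, now):
    """Return ("allow", []) or ("step_up", [claims still needed])."""
    required, max_age = POLICY[risk]
    proven = set()
    for e in evidence:
        age = now - e.at
        # A failed, stale or future-dated check contributes nothing.
        if e.passed and 0 <= age <= max_age:
            proven |= PROVES.get(e.check, set())
    missing = sorted(required - proven)
    return ("allow", []) if not missing else ("step_up", missing)

# Constructed sample: onboarding passed 90 days ago, device seen one minute ago.
NOW = 1_700_000_000.0
ONBOARDING = NOW - 90 * 86400
HISTORY = [
    Evidence("document_auth", True, ONBOARDING),
    Evidence("selfie_match", True, ONBOARDING),
    Evidence("liveness", True, ONBOARDING),
    Evidence("trusted_device", True, NOW - 60),
]

if __name__ == "__main__":
    print(decide("low", HISTORY, NOW))    # routine action
    print(decide("high", HISTORY, NOW))   # e.g. account recovery or payment
```

With the constructed history, the low-risk request is allowed on device context alone, while the high-risk request is sent to step-up because the 90-day-old onboarding checks no longer count.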