TL;DR: AI-generated voice cloning, real-time deepfake video, and breached-data harvesting are eroding photo ID, video calls, KBA, and callback-based verification, while person-to-person cryptographic verification returns a deterministic answer in seconds, according to Scramble ID. Probabilistic identity proofing is no longer dependable for high-trust decisions because the underlying assumption is now broken.
NHIMG editorial — based on content published by Scramble ID: People Verification vs Traditional Methods Status (June 2026)
By the numbers:
- 17 minutes: attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams verify high-risk requests when deepfakes and voice cloning are in play?
A: Security teams should require a deterministic proof step for high-risk requests, not a recognition-based one.
Q: Why do traditional identity checks fail for high-trust decisions?
A: Traditional checks fail because they rely on probabilistic human judgment or on personal facts that attackers can obtain from breaches, public records, or synthetic media.
Q: When should organisations replace callback or KBA with stronger verification?
A: Organisations should replace callback or KBA whenever a false approval could lead to financial loss, privileged access, or irreversible account changes.
Practitioner guidance
- Re-tier verification methods by decision criticality. Classify every identity check as low, medium, or high trust and prohibit photo ID, video, KBA, or callback from approving high-value actions on their own.
- Introduce cryptographic proof for high-risk requests. Use people verification or an equivalent signed challenge-response method for vendor banking changes, helpdesk resets, wire approvals, and privileged administrative requests.
- Separate transport trust from identity assurance. Document that a known-good phone number, a live video call, or an email thread is only a channel control, not proof of the person making the request.
What's in the full article
Scramble ID's full comparison covers the operational detail this post intentionally leaves for the source:
- Side-by-side decision matrix with determinism, AI-resistance, audit quality, latency, and coercion resistance across methods.
- Concrete walkthroughs for wire approvals, helpdesk resets, vendor banking changes, and branch transactions.
- Method-by-method notes on where photo ID, video, callback, KBA, and remote notarization still fit.
- Standards posture details, including how the approach maps to NIST SP 800-63A and phishing-resistant verification patterns.
People verification vs traditional methods: what should teams change?
Explore further
Probabilistic identity verification is now a control class with declining assurance value. Photo ID, video calls, KBA, and callback all produce signals that humans can mistake for proof. Once voice cloning and real-time deepfake video became commodity capabilities, the confidence these methods create stopped tracking actual identity assurance. The practical implication is that IAM programmes must stop treating familiar human checks as equivalent to authoritative verification.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: What is the difference between video verification and cryptographic people verification?
A: Video verification asks a human to judge whether the person on screen looks and sounds legitimate, so it remains probabilistic. Cryptographic people verification requires the enrolled identity to sign a challenge, producing a deterministic yes or no. The first tests perception, while the second tests possession of the bound private key.
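The signed challenge-response described above, as an added Go example that is not Scramble ID's or NHIMG's code: the verifier issues a single-use, expiring challenge bound to one action and answers yes only for a signature from the enrolled key. The `Verifier` and `Challenge` types, the user `cfo`, and the action label are hypothetical, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Challenge binds a fresh nonce to one high-risk action (added example, hypothetical names).
type Challenge struct {
	Nonce   [16]byte
	Action  string // constructed label, e.g. "wire-approval:constructed-sample"
	Expires time.Time
}

func (c Challenge) Bytes() []byte { // exact message the enrolled device signs
	return []byte(fmt.Sprintf("%x|%d|%s", c.Nonce, c.Expires.Unix(), c.Action))
}

type Verifier struct {
	Enrolled map[string]ed25519.PublicKey // user -> public key bound at enrollment
	Pending  map[[16]byte]Challenge       // outstanding single-use challenges
}

func (v *Verifier) Issue(action string, ttl time.Duration) Challenge {
	c := Challenge{Action: action, Expires: time.Now().Add(ttl)}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err)
	}
	v.Pending[c.Nonce] = c
	return c
}

// Verify checks sig against the challenge the verifier stored, never a caller-supplied copy.
func (v *Verifier) Verify(user string, nonce [16]byte, sig []byte) bool {
	c, issued := v.Pending[nonce]
	delete(v.Pending, nonce) // consumed on first use, pass or fail
	pub, enrolled := v.Enrolled[user]
	return issued && enrolled && time.Now().Before(c.Expires) &&
		ed25519.Verify(pub, c.Bytes(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{map[string]ed25519.PublicKey{"cfo": pub}, map[[16]byte]Challenge{}}
	c := v.Issue("wire-approval:constructed-sample", time.Minute)
	fmt.Println("approved:", v.Verify("cfo", c.Nonce, ed25519.Sign(priv, c.Bytes())))
}
```

Because `Verify` rebuilds the signed message from its own stored challenge, a replayed nonce, an expired challenge, or a signature made over a different action all return false.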