iProov CTO: Biometrics are key to tackling deepfake threats

Cybercriminals will stop at nothing to get what they want — and that includes increasing the sophistication of their attacks. Last year, an employee of a multinational in Hong Kong was deceived into believing that they were speaking to their CFO on a video call, only to later discover it was a deepfake. Incidents like this will only become more common if enterprises fail to take proactive measures against deepfakes.

According to iProov’s 2024 Threat Intelligence Report, AI-driven synthetic attacks are on the rise, replacing traditional methods like masks. As these attacks seamlessly blend into digital environments, organisations are struggling to detect them.

In an interview with Frontier Enterprise, Dominic Forrest, Chief Technology Officer of iProov, discussed the evolving nature of deepfake attacks and how biometrics play a role in countering them.

Game of wits

One method attackers use to bypass remote identity verification systems, Forrest noted, is playing deepfake videos on a device and presenting them to a camera. Another involves digitally inserting synthetic videos.

“They can trick a bank application into thinking it is receiving real footage from a device when, in reality, they are using software to bypass the device’s camera and inject a deepfake image or video,” he said.

An approach to countering this is active authentication, which requires users to perform actions like moving their heads or reading a specific line of text. However, this method risks excluding users with disabilities or those without access to advanced devices.

To address this, Forrest suggested passive authentication, such as “one-time biometrics.”

“This real-time method verifies users by projecting colour-changing sequences onto their face, creating a unique biometric for each session. Combining face biometrics with technology that introduces randomness can prevent spoofing while maintaining a passive user experience. This unpredictable, single-use method is difficult to replicate, cannot be reused, and is worthless if stolen,” he explained.

Industry challenges

Globally, organisations are placing a strong emphasis on digital identity verification for online transactions.

In the banking and financial sector, while passwords have not been entirely eliminated, businesses — particularly in Asia — have introduced second-generation biometric solutions. Biometric verification technology, Forrest said, enables banks to provide a seamless user experience, maximise customer inclusion, reduce user frustration, and enhance security to protect against fraud while ensuring regulatory compliance.

Beyond this, Forrest observed that increasing demand for data privacy and user control is driving the adoption of “decentralised identities,” a method that allows users to verify their identity without exposing their entire personal profile. This approach not only strengthens security but also helps maintain customer trust and confidence.

Forrest cited SingPass as an example, highlighting how Singapore’s national digital identity system enables users to authenticate themselves and confirm their presence when accessing online government services on computers or at kiosks.

However, not all facial verification solutions can detect “digitally injected deepfake attacks,” where criminals bypass a camera and directly feed a deepfake video or image to trick an online banking system into believing it is real footage, Forrest cautioned.

“Most systems are designed to differentiate between real faces and static media, such as photos or videos held up to a camera, but they struggle to address more sophisticated attacks. Moreover, there is no industry-wide accredited testing for digital injection attack detection,” he clarified.

Stronger measures

There are ways to counter digitally injected deepfake attacks while maintaining customer trust, Forrest noted. The first step, he said, is implementing a strong and secure onboarding process.

“Organisations can start with verifying new customers through a government-issued identity document, such as driver’s license or passport, and using a biometric facial scan to establish the highest level of identity assurance. This foundational trust then carries through the customer’s entire journey,” he said.

For returning users, authentication can be simplified with a liveness check unless high-risk activities, such as requesting new credit or resetting passwords, are involved.

“In such cases, organisations can introduce an additional biometric scan to verify the customer’s identity. Biometric technology is the key to a fast and secure authentication process, balancing security with a seamless customer experience,” Forrest remarked.

Leadership focus

Looking ahead, Forrest believes that CIOs, CTOs, and business leaders should prioritise modern, multi-layered security systems that verify both government-issued identity documents and the individuals presenting them. He also emphasised the importance of real-time authentication for stronger protection against increasingly sophisticated threats.

Forrest also outlined iProov’s approach to tackling deepfake threats. He highlighted the company’s WCAG-validated biometric authentication, which is designed to be accessible to all users, regardless of ability, device, age, skin tone, face shape, or cognitive function.

“The Web Content Accessibility Guidelines (WCAG) are internationally recognised standards that define how to make web content more accessible to people with disabilities. Adhering to these guidelines through independent validation helps ensure broader usability, reduces the risk of exclusion, and provides a foundation for meeting accessibility-related legal and regulatory requirements,” he concluded.