
Turing Institute sees surge in biometric spoof attacks on DPI, offers security advice

Quarterly threat report and upcoming workshop introduce ‘Digital ID Safety Pack’

Countries around the world must protect their digital public infrastructure with a “Digital ID Safety Pack” to meet the minimum cybersecurity baseline, according to the latest report from The Alan Turing Institute’s Cyber Threat Observatory for National Identity Systems. The proliferation of AI tools for spoofing or bypassing biometric verification and the threat they pose to DPI have increased dramatically in recent years, according to the report, demanding a cybersecurity response from governments everywhere.

The Turing Institute explores what that response should be and the tools that make up its “Digital ID Safety Pack” in the report, and will present its findings in an online workshop next week.

The quarterly report for November 2025 focuses largely on the ability of attackers to use generative AI to create synthetic or manipulated biometric content.

The report, part of the Institute’s Trustworthy Digital Infrastructure (TDI) initiative, pulls in data on Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumeration (CWE) from the National Vulnerability Database (NVD), as well as sectoral reports from TransUnion, LexisNexis and UK Finance, reports from academia and industry, and policy frameworks including NIST SP 800-63.

CVEs associated with identity systems increased by 300 percent between 2020 and 2024, the Turing Institute found. The most common types of vulnerabilities discovered often involved improper or missing authentication, incorrect authorization, information exposure or hardcoded credentials. They were frequently found in federated digital identity systems, single sign-on (SSO) systems and API-based authentication.

The Cyber Threat Observatory analyzed common CVEs targeting national identity systems in a report and workshop in June.

Advanced economies have experienced sudden surges in fraud attacks using synthetic identities, with a 500 percent increase in the UK over three years as one example. With countries across the Global South expanding their DPI, this trend shows the need for protections to be implemented early.

The Observatory examines the threat landscape and the points in the digital identity lifecycle at which biometric presentation attacks, injection attacks, synthetic ID documents or document injections and insider threats can be carried out. It considers the challenges of stopping particularly sophisticated spoof attacks, including biometric face morphing and deepfakes.

The “Digital ID Safety Pack” that nations need to preserve the integrity of DPI includes zero trust architecture and biometric anti-spoofing (meaning liveness detection). Multi-modal biometric verification, liveness detection and anti-spoofing algorithms, secure API design and rate limiting, encryption for any stored biometric templates and deepfake detection utilizing AI are all recommended. The Safety Pack also includes DPI safeguard principles against harm and exclusion and for providing redress, alignment around international standards, Cyber Assessment Framework adoption and the establishment of coordinated threat intelligence sharing platforms, according to the report.

Workshop December 10 to present practical defense measures

The Institute’s Cyber Threat Observatory is holding an online workshop on December 10 to present the research and the insights governments and digital identity practitioners can take from it to harden DPI defenses.

Speakers will include report co-author Professor Carsten Maple and Dr. Salim Awudu, experts from MOSIP and CDPI and representatives from public-sector authorities in Sri Lanka, Uganda and Ethiopia.

Attendance is free with registration.
