
Passkeys offer potential solution to increased deepfake attacks on financial services

Identity Policy Forum panel says agents are the next frontier of GenAI-driven fraud

Among sectors vulnerable to AI-assisted fraud attacks, the financial industry is perhaps the ripest. With high-stakes remote transactions occurring at scale, increasingly involving AI agents, there are countless attack surfaces, and potentially massive payoffs.

At the FIDO Alliance’s Identity Policy Forum, a panel led by the Better Identity Coalition unpacks a paper it drafted with the American Bankers Association within the Financial Services Sector Coordinating Commission (FSSCC), focusing on the threat of generative AI to the financial services digital identity system.

Grant begins with a key distinction when talking about “AI” and how it’s dangerous:

“When people talk about AI-related threats, you know, it really is focusing largely on generative AI, which is something that’s really only emerged in the last couple years. We’ve been using AI for years, more on the defense side. You know, machine learning tools have been really important in things like fraud detection used in financial services and other sectors for quite some time.”

It’s important to differentiate because machine learning systems will be key in helping enterprises manage the deluge of deepfakes GenAI has wrought. The coalition’s paper aims to support that effort by laying out how to quantify and define attacks and by making recommendations for effective protection.

The paper breaks GenAI attacks into three broad categories: deepfake-driven social engineering and impersonation, synthetic identity creation, and AI agents as attack surrogates. The last of these is still an emerging concern; John Carlson of the American Bankers Association says “we’re probably going to see a lot of the threat vector escalate in the future once agentic AI really starts to take off.” That means trying to make recommendations on threat mitigation without knowing the full extent of the threat.

In the meantime, certain security measures are now table stakes: liveness detection, multifactor authentication, and a layered model for identity fraud detection. More tools are becoming available, or at least coming to prominence – one of which is FIDO’s passkey model, and another is digital credentials such as mobile driver’s licenses (mDL).

Grant notes that, while a deepfake can pretty convincingly spoof a video, a photo, a voice, or an ID card, “one thing deepfakes can’t spoof yet at least is public key cryptography. And so because mDLs, much like passkeys, are rooted in public key cryptography, it’s a technology that, while quite old and mature, can stand up against some of these more sophisticated attacks.”

Finally, the project is to “raise the tide of security for firms of all sizes,” says Ben Amsterdam, a senior vice president with DNC financial services, representing FSSCC. “Clearly multiple technological tools are going to be required to control some of this, but it also includes governance frameworks, which I think are really useful for firms to understand where they are in their journey relative to their peers and relative to where the threat is.”
