AI deepfakes push biometric industry toward measurable assurance

The rise of AI-generated deepfakes and injection attacks is reshaping how organizations evaluate biometric security systems, pushing the industry toward independently verified performance, formal certification and measurable assurance standards. Data from iProov shows a 1,151 percent increase in injection attacks over the last year, underscoring how quickly the threat has escalated.

Executives and testing experts from iProov and Ingenium Biometric Laboratories argue the shift is forcing governments and enterprises to rethink what trustworthy biometric authentication actually means. Identity now means more than authentication. It’s critical infrastructure – and that means the word of the vendor is no longer sufficient in establishing trust. In keeping, organizations increasingly demand independently verified biometric performance and certification. If identity is a foundational element for twenty-first century businesses, it can’t rest on assumptions.

Show me the data: in deepfake world, organizations demand transparency

The industrialization of fraud is exerting unprecedented pressure on identity security, making it harder than ever for organizations to sort out what meaningful assurance means in a sea of shifting regulations, frameworks and acronyms.

A recent webinar from iProov explores how to parse the increasingly complex world of identity fraud, and why testing and evaluation matter. Campbell Cowie, head of policy at iProov, says that with generative AI capable of producing high-fidelity deepfakes and automated injection attacks that bypass the camera sensor entirely, “old standards of banking level security or human visual checks are no longer sufficient.”

Deepfakes are becoming more and more difficult to spot with the naked eye, and techniques like real-time video deepfake generation up the ante in terms of sophistication. That makes high-assurance, performance-based, measurable standards table stakes for true identity security.

The case is economic as much as it is defensive. Through efficiency gains, trusted digital identity is expected to increase productivity and drive economic growth. “We’re building the infrastructure for a secure digital economy,” Cowie says, “rather than just securing a login to an account.” As identity and infrastructure become more and more intertwined, being able to trust who’s on the other side of the screen becomes a fundamental concern for the global economy.

‘Conversation itself has shifted from basic liveness to genuine presence’

Dr. Chris Allgrove from Ingenium Biometric Laboratories understands the necessity of testing in a transformed world. He says regulations like eIDAS in the EU, which undergirds the EU Digital Identity (EUDI) wallet scheme, are “fundamentally a gamechanger” for how trust and identity work.

“Historically, people used to still treat biometric authentication as essentially the same as a password or a token based authentication,” Allgrove says. “But what we’re now with the introduction of something like eIDAS and the conformity test that sits around that, with very strong drive from the European Union and European Commission is, you must demonstrate that this works in a way that’s consistent with the standard. It must meet the criteria.”

Those criteria are getting more strict, as risk evolves at the pace of generative AI. An example is NIST’s 800-63 Digital Identity Guidelines, which Cowie says “represents a strategic change for the industry.” NIST and the U.S. Air Force are moving to sole-source biometric testing and monitoring contracts, underscoring increased government focus on trusted testing environments. But the movement is global, with the UK set to develop and implement a deepfake detection evaluation framework, establishing consistent standards for assessing detection tools. Around the world, deepfakes are forcing a mass realignment of identity, authentication and cybersecurity.

“The conversation itself has shifted from basic liveness to genuine presence,” says Chris Allgrove. “In a world of injection attacks and deepfakes, simply proving that a user is alive isn’t really enough anymore. You have to prove that they are present at the point of the video capture and you have to prove that the data stream itself hasn’t been compromised.”

In other words, you need certainty – and for that, you need transparent evaluations, which Allgove calls “the new foundation of trust.”

Trusted status not just about a shiny certificate

The key is in accepting that you must reframe the approach to biometric systems. “It’s realizing that it’s not just about minimum viable product in terms of evaluating your system and getting a shiny silver certificate that looks good and everyone’s going to be happy, but no one really looks at in too much detail what the certificate actually shows you’ve done,” Allgrove says. Optics are no longer a stand-in for genuine rigor, and the easiest path to the market isn’t always the smartest one in the context of global regulations.

Allgrove believes that in any certification, there should be “clear water” between the conformance assessment body and the test lab. Overlap can mean blurring the boundaries between functions, and opening the door to weaker assessments that prioritize the bottom line rather than the regulatory one.

He also notes that vendors aren’t typically in the business of showcasing their mediocrity. “Every vendor I’ve ever spoken to, whether it’s running Ingenium or previously in my public role, every vendor has had 99.9 percent accuracy. No vendor ever says, ‘yeah, we’re a bit iffy on this’ or ‘our false match rate is a bit low.’ They have a duty to themselves to try to portray themselves in the most positive light, and that’s natural and it’s entirely appropriate.”

Accuracy claims impact whole industry

Problem is, some tech out there is a bit iffy – and bold claims are the bread-and-butter of the tech industry. We all know the PR drill: every company is “the world leader” in its sector. As has been well demonstrated by contemporary politics, the most successful entities are often the ones making the loudest statements. But that doesn’t make them true.

Allgrove says that’s why every statement by every vendor needs to be challenged. “It’s a healthy thing. We need to be sure within the industry that people are not saying a biometric system, a remote identity system operates in a way that actually it doesn’t, because the risk then is that you will damage your company, your service, the industry as a whole.”

“It’s very important that we are able to trust when people say, ‘we’re 99.9 percent accurate’ that that is meaningful, and it’s meaningful in terms of conformance to standards, conformance to best practice.”

Dominic Forrest, CTO of iProov, concludes by suggesting that rigorous testing is about more than passing one magic exam. “No single certification or test tells the full story,” he says. “What organizations really need is a combination of independently validated capabilities aligned to recognized standards and supported by transparent governance.”

Article Topics

accuracy  |  biometric liveness detection  |  biometric testing  |  deepfake detection  |  Ingenium Biometrics  |  injection attack detection  |  iProov  |  presence detection