Date: 2023-07-07

More and more organizations are relying on remote identity verification processes that involve a user taking a picture of their photo identity document, which is assessed for authenticity, and then taking a selfie of themselves. During that selfie process, the user is assessed for liveness, and then the selfie is biometrically compared to the photo in the identity document. I just refer to that mouthful as the ‘ID plus selfie’ process.

Not surprisingly, given all that is going on in the world, I’m getting an uptick in client calls asking about whether AI-generated deepfakes spell the end of such identity verification processes. Tools for creating deepfakes based on images or videos of the subject are, of course, proliferating online – and to add insult to injury, many of them are free to use.

Based on what I’m seeing and hearing across my end-user and vendor clients, it’s a mixed picture when it comes to attacks on the identity verification process.

One kind of attack is a presentation attack – this involves the attacker creating a deepfake and displaying it on the screen of a secondary device, and when prompted to take their selfie, they point the camera on their primary device at the screen of the secondary device.

The other kind of attack is an injection attack – this involves the attacker injecting the deepfake into the digital stream, perhaps by means of using a virtual camera, or through hacking the vendor’s API or SDK, or through switching the payload whilst in transit.

I’ve had numbers presented to me that suggest that the total proportion of identity presentations involving deepfakes is in the single digit % range. And of those, it appears that presentation attacks are about 10x-100x more common than injection attacks today. Perhaps not surprising, given that the injection attacks require at least some level of technical sophistication beyond simply creating the deepfake itself.

In the upcoming Market Guide for Identity Verification from Gartner that will publish in August, we discuss the layered approach that needs to be in place to detect deepfakes. Interestingly, some of those layers focus on spotting the deepfake itself (e.g. repeated artefacts across different images), whereas others focus on spotting anomalous metadata (e.g. the resolution of the selfie image being different to that expected from the camera for this device).
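As an added illustration of the metadata layer described above (not code from this post or from any vendor), the following sketch flags a selfie whose resolution does not fit the declared device or whose camera label looks like virtual-camera software. The device names, expected resolutions, label hints and field names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed reference data (assumption): capture sizes the verifier expects
# from the front camera of each device model it has profiled.
EXPECTED_CAPTURE = {
    "phone-model-a": [(3024, 4032), (1080, 1920)],
    "phone-model-b": [(2316, 3088), (720, 1280)],
}
# Substrings seen in virtual-camera labels; an illustrative list, not exhaustive.
VIRTUAL_CAMERA_HINTS = ("obs virtual", "virtual cam", "manycam")

@dataclass
class Selfie:
    device_model: str   # as reported by the capture SDK (hypothetical field)
    camera_label: str   # camera name reported by the platform
    width: int
    height: int

def matches_expected(width, height, expected):
    """True if the size is an expected one, in either orientation, or an
    exact integer downscale of one (for example SDK-side resizing)."""
    for ew, eh in expected:
        for w, h in ((width, height), (height, width)):
            if w <= 0 or h <= 0:
                continue  # malformed dimensions never match
            if ew % w == 0 and eh % h == 0 and ew // w == eh // h:
                return True
    return False

def metadata_anomalies(s: Selfie) -> list:
    """Return the list of metadata findings for one selfie submission."""
    findings = []
    label = s.camera_label.lower()
    if any(hint in label for hint in VIRTUAL_CAMERA_HINTS):
        findings.append("virtual-camera-label")
    expected = EXPECTED_CAPTURE.get(s.device_model)
    if expected is None:
        findings.append("unprofiled-device")  # no baseline to compare with
    elif not matches_expected(s.width, s.height, expected):
        findings.append("unexpected-resolution")
    return findings
```

Findings like these are one signal among the layers, to be weighed alongside liveness and image inspection rather than used as a verdict on their own.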

One of the key layers is, of course, the liveness detection (formerly called presentation attack detection, or PAD). There is active PAD, which requires the user to carry out an action such as turning their head, and there is passive PAD, which may involve creating 3D face maps, detecting micromovements and even changes in skin tone caused by blood flow. Is one better than the other at detecting deepfakes? No clear evidence at this time – many organizations are choosing to use both just in case.

One other interesting aspect of all this which is neglected due to the focus on deepfakes of the face is deepfake images of the document. That opens up a whole new arena of assessing document ‘liveness’.

So, will deepfakes kill identity verification? Well, before being too pessimistic, don’t forget that the defenders have access to AI, just as the attackers do, and are already using it for image inspection. I don’t believe that the identity verification process is obsolete, but not all vendors have equal detection capabilities, and I foresee the introduction over time of benchmarking standards for deepfake detection that go beyond the current ISO 30107. As with all other aspects of fraud and security, deepfake creation and deepfake detection have become an arms race that we will need to watch closely, with implications beyond identity verification and into bigger societal and philosophical areas of trust and integrity.