Deepfakes and Identity Verification: The New KYC Threat in 2026
Not long ago, asking a customer for a selfie or a short video was enough to confirm they were who they claimed to be. That era is over. With AI tools now available to anyone, generating a fake video of someone else's face—a deepfake—takes minutes and requires almost no technical skill.
For any institution running digital onboarding, this is a paradigm shift: fraud no longer requires a stolen ID and a look-alike accomplice. A photo of the victim scraped from social media plus an AI model is enough. This article explains why deepfakes are the fastest-growing threat in identity verification and how modern biometric technology—which we have already integrated at Legaltalent—protects your program.
What a deepfake is and why it's a compliance problem
A deepfake is AI-generated synthetic content that replaces or recreates a person's face (and sometimes voice). In a KYC context, the attacker doesn't try to look like the victim—they fabricate a video of the victim's face and use it to pass identity verification.
This is a compliance problem, not just a technical one. If your due diligence process onboards an impostor who used a deepfake, you've admitted a customer whose real identity you don't know. That opens the door to:
- Account takeover and impersonation of real third parties.
- Synthetic identities that blend real and fabricated data into a person who doesn't exist.
- Money mules and nominees operating behind a "clean," verified identity.
- Money laundering channeled through accounts opened with fraudulent identities.
In all these cases, "the system was fooled" is not a defense regulators will accept. The obligation to reliably verify customer identity remains yours.
Why traditional methods no longer hold up
Many onboarding flows were designed when fraud required manual effort. Those controls now have serious gaps against AI.
The static selfie is vulnerable
Asking for a face photo and comparing it to the ID seems reasonable, but a photo is trivial to fake—any image of the person pulled from the internet will do. There's no way to know whether the person is actually in front of the camera or whether a file was simply uploaded.
A pre-recorded video isn't enough either
Some systems request a short video. But an attacker can pre-record or generate a deepfake and play it back. Without a real-time challenge, the system can't tell a live person from a prepared clip.
Fraud has gone professional
There are now "fraud-as-a-service" offerings that sell kits to inject deepfakes directly into an app's camera stream. This is no longer a lone scammer—it's an industry.
Presentation vs. injection: the two attack types
Understanding how attackers operate is key to understanding how to defend. There are two broad families of attacks against biometric verification.
| Attack type | How it works | Examples |
|---|---|---|
| Presentation attack | A spoof is shown to the device's real camera | Printed photo, photo or video on another screen, 3D silicone or latex mask |
| Injection attack | The camera is bypassed and content is inserted directly into the data stream | Virtual camera, injected pre-recorded video, real-time deepfake |
Presentation attacks are the "classics," and most serious solutions detect them well. Injection attacks are the dangerous frontier today, because that's where the most sophisticated deepfakes live: the content never passes through the physical camera, so a shallow check never sees it.
Robust verification must defend against both.
How we solve it: active liveness and biometrics
At Legaltalent we tackle deepfakes with a layered defense, not a single control. The logic is simple: make faking an identity so difficult and costly that it stops being worthwhile for the attacker.
Active liveness with dynamic challenges
The core of the defense is active liveness detection. Instead of asking for a photo, we ask the person to complete a real-time challenge: moving their face into an on-screen oval and responding to prompts the system generates at that moment, for that session.
This is decisive against deepfakes because:
- The challenge is unpredictable: neither a pre-recorded video nor a deepfake "knows" what it will be asked to do in that specific session.
- We analyze the face's real-time response to those prompts—something a flat image or a prepared clip can't reproduce convincingly.
- Capture happens live, with no option to upload a file from the device.
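The session-bound challenge described above, shown as an added example (not Legaltalent's code): the server issues a random prompt sequence tied to one session and accepts a response only once, within a short window. The prompt names, the 30-second window, and `observed_steps` (the prompts a face-analysis engine reports the user performed) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed for the example; keep in a secret store
PROMPTS = ["turn_left", "turn_right", "look_up", "move_closer", "move_back"]  # hypothetical names
TTL_SECONDS = 30                      # assumed validity window
_used_nonces = set()                  # in production: a shared store with expiry


def _tag(session_id, nonce, steps, issued):
    """MAC over every field so the client cannot alter the challenge it was given."""
    msg = "|".join([session_id, nonce, ",".join(steps), str(issued)]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, now=None):
    """Create an unpredictable prompt sequence bound to one onboarding session."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    steps = secrets.SystemRandom().sample(PROMPTS, 3)  # CSPRNG, three distinct prompts
    return {"session_id": session_id, "nonce": nonce, "steps": steps,
            "issued": issued, "tag": _tag(session_id, nonce, steps, issued)}


def verify_response(challenge, session_id, observed_steps, now=None):
    """Return (accepted, reason). observed_steps comes from the face-analysis engine."""
    now = time.time() if now is None else now
    expected = _tag(challenge["session_id"], challenge["nonce"],
                    challenge["steps"], challenge["issued"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False, "tampered_challenge"
    if challenge["session_id"] != session_id:
        return False, "wrong_session"
    if now - challenge["issued"] > TTL_SECONDS:
        return False, "expired"
    if challenge["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(challenge["nonce"])  # one attempt per challenge, pass or fail
    if list(observed_steps) != challenge["steps"]:
        return False, "wrong_response"
    return True, "ok"
```

A clip prepared in advance fails on `wrong_response`, and a recording of an earlier successful session fails on `replayed` or `expired`, which is what makes the per-session prompt useful.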
Detecting presentation and injection attacks
Our liveness technology is designed to detect both presentation and injection attacks: photos, screens, 3D masks, and also pre-recorded or deepfake videos injected through virtual cameras. It is built on biometric engines certified to the international ISO/IEC 30107-3 standard for Presentation Attack Detection (PAD), the industry benchmark for measuring spoof resistance.
Document-to-face biometrics
Confirming a live person is only half the job. The other half is confirming that the person is the one on the ID. So we biometrically compare the face captured during the liveness check against the photo on the identity document. That closes the loop: a real, present person who matches the identity they claim.
Risk-based, adjustable thresholds
Not every customer carries the same risk. We let you tune the strictness of verification by profile: a standard customer can pass through a fast check, while a higher-risk customer—or one requiring enhanced due diligence—goes through a tighter process with additional challenges and evidence review.
Verification doesn't end at onboarding
Catching a deepfake at sign-up is essential, but identity risk doesn't disappear afterward. A mature process integrates biometric verification with the rest of the compliance program:
- Secure onboarding: liveness + document biometrics when the customer is admitted, as part of your onboarding process.
- Auditability and evidence: we retain audit images from each verification so you can demonstrate to examiners exactly how you verified identity.
- Ongoing monitoring: we combine the initial check with ongoing monitoring and adverse media screening to catch risks that emerge after onboarding.
This integration is what turns a point solution into a real identity-risk management system.
What the regulatory framework expects
US AML rules—the Bank Secrecy Act and the Customer Identification Program requirements—don't mention "deepfake" or "liveness." They predate this wave of AI fraud. But the principle is clear: a covered institution must apply reasonable, risk-based procedures to verify the identity of each customer.
FinCEN and the FATF, whose standards shape US expectations, have been explicit about the risks of digital identity and the need for remote verification methods to be robust against fraud. In practice, for fully digital onboarding, a static selfie no longer constitutes reasonable verification: liveness with spoof detection is the emerging standard for demonstrating diligence. For broader context, see our guide on AML compliance for US fintechs.
Put plainly: if your process can't tell a real person from a deepfake, it's hard to argue you've reliably verified identity.
Conclusion
Deepfakes have democratized identity fraud. What once required a stolen document and a look-alike accomplice can now be done with a social-media photo and a free AI model. KYC processes that rely on selfies or simple videos are exposed.
The answer isn't to give up—it's to raise the technical bar. Active liveness with dynamic challenges, certified detection of presentation and injection attacks, document-to-face biometrics, and integration with ongoing monitoring form a layered defense that makes faking an identity practically unfeasible for the vast majority of attackers.
The goal isn't to have "a verification"—it's to have verification that matches the 2026 threat.
Want to protect your onboarding against deepfakes?
At Legaltalent we help fintechs and regulated institutions verify customer identity with advanced biometric technology: active liveness, spoof detection, and document-to-face matching, all integrated into your compliance workflows.
Get started free and see how to harden your identity verification against AI-driven fraud.
Frequently asked questions
What is a deepfake in the context of identity verification?
A deepfake is an AI-generated video or image that imitates a real person's face. In KYC, fraudsters use it to impersonate someone during identity verification, defeating static selfies and basic liveness checks.
Can deepfakes defeat identity verification?
Verification based only on a static photo or selfie is highly vulnerable. That is why active liveness with dynamic challenges is essential—it is far harder to fake than an image or a pre-recorded video.
What is liveness detection and why does it matter?
Liveness detection confirms that a real, physically present person is in front of the camera in real time—not a photo, a recorded video, or a deepfake. It is the primary defense against synthetic identity fraud.
What is the difference between a presentation and an injection attack?
A presentation attack shows a spoof to the real camera (photo, screen, mask). An injection attack bypasses the camera and inserts a video or deepfake directly into the data stream, for example via a virtual camera.
Is liveness detection required under US AML rules?
The BSA does not name liveness specifically, but Customer Identification Program rules and FinCEN expectations require reasonable, risk-based procedures to verify identity. For fully digital onboarding, liveness with anti-spoofing has become the reasonable standard.
Does liveness detection eliminate deepfake risk completely?
No control is 100% infallible. Advanced liveness dramatically reduces the risk and, combined with document-to-face biometrics and ongoing monitoring, forms a layered defense that is very hard to defeat.