By 2026, attacks using AI-generated deepfakes on face biometrics will mean that 30% of enterprises will no longer consider such identity verification and authentication solutions to be reliable in isolation, according to Gartner.
“In the past decade, several inflection points in fields of AI have occurred that allow for the creation of synthetic images,” says Akif Khan, vice-president analyst at Gartner. “These artificially generated images of real people’s faces, known as deepfakes, can be used by malicious actors to undermine biometric authentication or render it inefficient.
“As a result, organisations may begin to question the reliability of identity verification and authentication solutions as they will not be able to tell whether the face of the person being verified is a live person or a deepfake.”
Identity verification and authentication processes using face biometrics today rely on presentation attack detection (PAD) to assess the user’s liveness.
“Current standards and testing processes to define and assess PAD mechanisms do not cover digital injection attacks using the AI-generated deepfakes that can be created today,” says Khan.
Gartner research indicates presentation attacks are the most common attack vector, but injection attacks increased 200% in 2023. Preventing such attacks will require a combination of PAD, injection attack detection (IAD), and image inspection.
To assist organisations in protecting themselves against AI-generated deepfakes beyond face biometrics, chief information security officers (CISOs) and risk management leaders must choose vendors who can demonstrate they have the capabilities and a plan that goes beyond current standards – and that they are monitoring, classifying, and quantifying these new types of attacks.
“Organisations should start defining a minimum baseline of controls by working with vendors that have specifically invested in mitigating the latest deepfake-based threats using IAD coupled with image inspection,” says Khan.
Once the strategy is defined and the baseline is set, CISOs and risk management leaders must include additional risk and recognition signals such as device identification and behavioural analytics to increase the chances of detecting attacks on their identity verification processes.
Above all, security and risk management leaders responsible for identity and access management should take steps to mitigate the risks of AI-driven deepfake attacks by selecting technology that can prove genuine human presence and by implementing additional measures to prevent account takeover.