I was up bright and early to attend a Liminal Demo Day, and the second presenter was Proof. Lauren Furey and Kurt Ernst presented, with Lauren assuming the role of the agent verifying Kurt’s identity.
The mechanism to verify the identity was a video session. In this case, Agent Lauren used three methods:
Examining Kurt’s ID, which he presented on screen.
Examining Kurt’s face (selfie).
Examining a credit card presented by Kurt.
One important note: Agent Lauren had complete control over whether to verify Kurt’s identity or not. She was not a mere “human in the loop.” Even if Kurt passed all the checks, Lauren could fail the identity check if she suspected something was wrong (such as a potential fraudster prompting Kurt what to do).
“Another question for Proof: does you solution meet the requirements for supervised remote identity proofing (IAL3)?”
Lauren responded in the affirmative.
It’s important to note that Proof’s face authentication solution incorporates liveness detection, so there is reasonable assurance that the person’s fake is not a spoof or a synthetic identity.
We’re all familiar with the morphing of faces from subject 1 to subject 2, in which there is an intermediate subject 1.5 that combines the features of both of them. But did you know that this simple trick can form the basis for fraudulent activity?
Back in the 20th century, morphing was primarily used for entertainment purposes. Nothing that would make you cry, even though there were shades of gray in the black or white representations of the morphed people.
Godley and Creme, “Cry.”
Michael Jackson, “Black or White.” (The full version with the grabbing.) The morphing begins about 5 1/2 minutes into the video.
But Godley, Creme, and Jackson weren’t trying to commit fraud. As I’ve previously noted, a morphed picture can be used for fraudulent activity. Let me illustrate this with a visual example. Take a look at the guy below.
From NISTIR 8584.
Does this guy look familiar to you? Some of you may think he kinda sorta looks like one person, while others may think he kinda sorta looks like a different person.
The truth is, the person above does not exist. This is actually a face morph of two different people.
From NISTIR 8584.
Now imagine a scenario in which a security camera is patrolling the entrance to the Bush ranch in Crawford, Texas. But instead of having Bush’s facial image in the database, someone has tampered with the database and inserted the “Obushama” image instead…and that image is similar enough to Barack Obama to allow Obama to fraudulently enter Bush’s ranch.
Or alternative, the “Obushama” image is used to create a new synthetic identity, unconnected to either of the two.
But what if you could detect that a particular facial image is not a true image of a person, but some type of morph attempt? NIST has a report on this:
“To address this issue, the National Institute of Standards and Technology (NIST) has released guidelines that can help organizations deploy and use modern detection methods designed to catch morph attacks before they succeed.”
The report, “NIST Interagency Report NISTIR 8584, Face Analysis Technology Evaluation (FATE) MORPH Part 4B: Considerations for Implementing Morph Detection in Operations,” is available in PDF form at https://doi.org/10.6028/NIST.IR.8584.
And a personal aside to anyone who worked for Safran in the early 2010s: we’re talking about MORPH detection, not MORPHO detection. I kept on mistyping the name as I wrote this.
Because I have talked about differentiation ad nauseum, I’m always looking for ways to see how identity/biometric and technology vendors have differentiated themselves. Yes, almost all of them overuse the word “trust,” but there is still some differentiation out there.
And I found a source that measured differentiation (or “unique positioning”) in various market segments. Using this source, I chose to concentrate on vendors who concentrate on identity verification (or “identity proofing & verification,” but close enough).
Before you read this, I want to caution you that this is NOT a thorough evaluation of The Prism Project deepfake and synthetic identity report. After some preliminaries, it focuses on one small portion of the report, concentrating on ONLY one “beam” (IDV) and ONLY one evaluation factor (differentiation).
Four facts about the report
First, the report is comprehensive. It’s not merely a list of ranked vendors, but also provides a, um, deep dive into deepfakes and synthetic identity. Even if you don’t care about the industry players, I encourage you to (a) download the report, and (b) read the 8 page section entitled “Crash Course: The Identity Arms Race.”
The crash course starts by describing digital identity and the role that biometrics plays in digital identity. It explains how banks, government agencies, and others perform identity verification; we’ll return to this later.
Then it moves on to the bad people who try to use “counterfeit identity elements” in place of “authentic identity elements.” The report discusses spoofs, presentation attacks, countermeasures such as multi-factor authentication, and…
Well, just download the report and read it yourself. If you want to understand deepfakes and synthetic identities, the “Crash Course” section will educate you quickly and thoroughly, as will the remainder of the report.
Synthetic Identity Fraud Attacks. Copyright 2025 The Prism Project.
Second, the report is comprehensive. Yeah, I just said that, but it’s also comprehensive in the number of organizations that it covers.
In a previous life I led a team that conducted competitive analysis on over 80 identity organizations.
I then subsequently encountered others who estimated that there are over 100 organizations.
This report evaluates over 200 organizations. In part this is because it includes evaluations of “relying parties” that are part of the ecosystem. (Examples include Mastercard, PayPal, and the Royal Bank of Canada who obviously don’t want to do business with deepfakes or synthetic identities.) Still, the report is amazing in its organizational coverage.
Third, the report is comprehensive. In a non-lunatic way, the report categorizes each organization into one or more “beams”:
The aforementioned relying parties
Core identity technology
Identity platforms
Integrators & solution providers
Passwordless authentication
Environmental risk signals
Infrastructure, community, culture
And last but first (for purposes of this post), identity proofing and verification.
Fourth, the report is comprehensive. Yes I’m repetitive, but each of the 200+ organizations are evaluated on a 0-6 scale based upon seven factors. In listed order, they are:
Growth & Resources
Market Presence
Proof Points
Unique Positioning, defined as “Unique Value Proposition (UVP) along with diferentiable technology and market innovation generally and within market sector.”
Business Model & Strategy
Biometrics and Document Authentication
Deepfakes & Synthetic Identity Leadership
In essence, the wealth of data makes this report look like a NIST report: there are so many individual “slices” of the prism that every one of the 200+ organizations can make a claim about how it was recognized by The Prism Project. And you’ve probably already seen some organizations make such claims, just like they do whenever a new NIST report comes out.
So let’s look at the tiny slice of the prism that is my, um, focus for this post.
Unique positioning in the IDV slice of the Prism
So, here’s the moment all of you have been waiting for. Which organizations are in the Biometric Digital Identity Deepfake and Synthetic Identity Prism?
Deepfake and Synthetic Identity Prism. Copyright 2025 The Prism Project.
Yeah, the text is small. Told you there were a lot of organizations.
For my purposes I’m going to concentrate on the “identity proofing and verification” beam in the lower left corner. But I’m going to dig deeper.
In the illustration above, organizations are nearer or farther from the center based upon their AVERAGE score for all 7 factors I listed previously. But because I want to concentrate on differentiation, I’m only going to look at the identity proofing and verification organizations with high scores (between 5 and the maximum of 6) for the “unique positioning” factor.
I’ll admit my methodology is somewhat arbitrary.
There’s probably no great, um, difference between an organization with a score of 4.9 and one with a score of 5. But you can safely state that an organization with a “unique positioning” score of 2 isn’t as differentiated from one with a score of 5.
And this may not matter. For example, iBeta (in the infrastructure – culture – community beam) has a unique positioning score of 2, because a lot of organizations do what iBeta does. But at the same time iBeta has a biometric commitment of 4.5. They don’t evaluate refrigerators.
So, here’s my list of identity proofing and verification organizations who scored between 5 and 6 for the unique positioning factor:
ID.me
iiDENTIFii
Socure
Using the report as my source, these three identity verification companies have offerings that differentiate themselves from others in the pack.
Although I’m sure the other identity verification vendors can be, um, trusted.
I’ve noticed that my LinkedIn posts on jobseeking perform much better than my LinkedIn posts on the technical intricacies of multifactor identity verification.
But maybe I can achieve both mass appeal and niche engagement.
Private Equity Talent Hunt and Emma Emily
A year ago I reposted something on LinkedIn about a firm called Private Equity Talent Hunt (among other names). As Shelly Jones originally explained, their business model is to approach a jobseeker about an opportunity, ask for a copy of the jobseeker’s resume, and then spring the bad news that the resume is not “ATS friendly” but can be fixed…for a fee.
The repost has garnered over 20,000 impressions and over 200 comments—high numbers for me.
It looks like a lot of people are encountering Jennifer Cona, Elizabeth Vardaman, Sarah Williams, Jessica Raymond, Emily Newman, Emma Emily (really), and who knows how many other recruiters…
…who say they work at Private Equity Talent Hunt, Private Equity Recruiting Firm, Private Equity Talent Seek, and who knows how many other firms.
If only there were a way to know if you’re communicating with a real person, at a real business.
KYC and KYB let companies make sure they’re dealing with real people, and that the business is legitimate and not a front for another company—or for a drug cartel or terrorist organization.
So if a company is approached by Emma Emily at Private Equity Talent Hunt, what do they need to do?
The first step is to determine whether Emma Emily is a real person and not a synthetic identity. You can use a captured facial image, analyzed by liveness detection, coupled with a valid government ID, and possibly supported by home ownership information, utility bills, and other documentation.
If there is no Emma Emily, you can stop there.
But if Emma Emily is a real person, you can check her credentials. Where is she employed today? Where was she employed before? What are her post secondary degrees? What does her LinkedIn profile say? If her previous job was as a jewelry designer and her Oxford degree was in nuclear engineering, Emma Emily sounds risky.
And you can also check the business itself, such as Private Equity Talent Hunt. Check their website, business license, LinkedIn profile, and everything else about the firm.
But I’m not a business!
OK, I admit there’s an issue here.
There are over 100 businesses that provide identity verification services, and many of them provide KYC and KYB.
To other businesses.
Very few people purchase KYC and KYB per se for personal use.
So you have to improvise.
Ask Emma Emily some tough questions.
Ask her about the track record of her employer.
And if Emma Emily claims to be a recruiter for a well-known company like Amazon, ask for her corporate email address.
But perhaps you would prefer to hear from someone who knows what they’re talking about.
On a webcast this morning, C. Maxine Most of The Prism Project reminded us that the “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” is scheduled for publication in May 2025, just a little over a month from now.
As with all other Prism Project publications, I expect a report that details the identity industry’s solutions to battle deepfakes and synthetic identities, and the vendors who provide them.
And the report is coming from one of the few industry researchers who knows the industry. Max doesn’t write synthetic identity reports one week and refrigerator reports the next, if you know what I mean.
At this point The Prism Project is soliciting sponsorships. Quality work doesn’t come for free, you know. If your company is interested in sponsoring the report, visit this link.
While waiting for Max, here are the Five Tops
And while you’re waiting for Max’s authoritative report on deepfakes and synthetic identity, you may want to take a look at Min’s (my) views, such as they are. Here are my current “five tops” posts on deepfakes and synthetic identity.
My own post referenced the Auriemma Group estimate of a $6 billion cost to U.S. lenders.
McKinsey preferred to use a percentage estimate of “10–15% of charge offs in a typical unsecured lending portfolio.” However, this may not be restricted to synthetic identity fraud, but may include other types of fraud.
Thomson Reuters quoted Socure’s Johnny Ayers, who estimated that “20% of credit losses stem from synthetic identity fraud.”
Oh, and a later post that I wrote quoted a $20 billion figure for synthetic identity fraud losses in 2020. Plus this is where I learned the cool acronym “SIF” to refer to synthetic identity fraud. As far as I know, there is no government agency with the acronym SIF, which would of course cause confusion. (There was a Social Innovation Fund, but that may no longer exist in 2025.)
Never Search Alone, not National Security Agency. AI image from Imagen 3.
Back to synthetic identity fraud, which reportedly resulted in between $6 billion and $20 billion in losses in 2020.
The financial toll of AI-driven fraud is staggering, with projected global losses reaching $40 billion by 2027 up from US12.3 billion in 2023 (CAGR 32%)., driven by sophisticated fraud techniques and automation, such as synthetic identities created with AI tools.
Again this includes non-synthetic fraud, but it’s a good number for the high end. While my FTC fraud post didn’t break out synthetic identity fraud figures, Plaid cited a 2023 $1.8 billion figure for the auto industry alone, and Mastercard cited a $5 billion figure.
But everyone agrees on a figure of billions and billions.
The real Carl Sagan.
The deepfake Carl Sagan.
(I had to stop writing this post for a minute because I received a phone call from “JP Morgan Chase,” but the person didn’t know who they were talking to, merely asking for the owner of the phone number. Back to fraud.)
Reducing SIF in 2025
In a 2023 post, I cataloged four ways to fight synthetic identity fraud:
Private databases.
Government documents.
Government databases.
A “who you are” test with facial recognition and liveness detection (presentation attack detection).
Ideally an identity verification solution should use multiple methods, and not just one. It doesn’t do you any good to forge a driver’s license if AAMVA doesn’t know about the license in any state or provincial database.
If you create your own test data, you’re more likely to pass the test. So what data was used for Amazon One palm/vein identity scanning accuracy testing?
But NIST has never conducted regular testing of palm identification in general, or palm/vein identity scanning in particular. Not for Amazon. Not for Fujitsu. Not for Imprivata. Not for Ingenico. Not for Pearson. Not for anybody.
“Amazon One is 100 times more accurate than scanning two irises. It raises the bar for biometric identification by combining palm and vein imagery, and after millions of interactions among hundreds of thousands of enrolled identities, we have not had a single false positive.”
“The company claims it is 99.999 percent accurate but does not offer information supporting that statistic.”
And so far I haven’t found any either.
Since the company trains its algorithm on synthetically generated palms, I would like to make sure the company performs its palm/vein identity scanning accuracy testing on REAL palms. If you actually CREATE the data for any test, including an accuracy test, there’s a higher likelihood that you will pass.
I think many people would like to see public substantiated Amazon One accuracy data. ZERO false positives is a…BOLD claim to make.
And of course I referenced VeriDas in my February 7 post when it defined the difference between presentation attack detection and injection attack detection.
Biometric Update played up this difference:
To stay ahead of the curve, Spanish biometrics company Veridas has introduced an advanced injection attack detection capability into its system, to combat the growing threat of synthetic identities and deepfakes….
Veridas says that standard fraud detection only focuses on what it sees or hears – for example, face or voice biometrics. So-called Presentation Attack Detection (PAD) looks for fake images, videos and voices. Deepfake detection searches for the telltale artifacts that give away the work of generative AI.
Neither are monitoring where the feed comes from or whether the device is compromised.
I can revisit the arguments about whether you should get PAD and…IAD?…from the same vendor, or whether you should get best in-class solutions to address each issue separately.
Checking the purported identity against private databases, such as credit records.
Checking the person’s driver’s license or other government document to ensure it’s real and not a fake.
Checking the purported identity against government databases, such as driver’s license databases. (What if the person presents a real driver’s license, but that license was subsequently revoked?)
Perform a “who you are” biometric test against the purported identity.
If you conduct all four tests, then you have used multiple factors of authentication to confirm that the person is who they say they are. If the identity is synthetic, chances are the purported person will fail at least one of these tests.
Do you fight synthetic identity fraud?
If you fight synthetic identity fraud, you should let people know about your solution.
Bredemarket 