Traditional document-based identity verification is rapidly losing the battle against AI-powered fraud. Solutions built on document capture and liveness checks, the backbone of most onboarding and authentication systems deployed over the past decade, were never engineered for the digital environment.
According to Hopae, advanced physical security features such as ultraviolet and infrared controls simply cannot be replicated online, leaving businesses exposed to a new generation of attacks including synthetic identities and increasingly convincing deepfakes.
Liveness detection was introduced as a patch, but AI has advanced to the point where even sophisticated deepfakes can bypass these checks with ease through presentation and injection attacks. The result is a surge in fraud across virtually every sector.
The question now is not whether document-based verification is sufficient, it clearly is not, but what should replace it. The answer lies in digital-native identity solutions: systems built from the ground up to operate securely in an online environment, with security features specifically designed to address the risks that the digital world presents.
However, not all digital-native identities offer the same level of protection. The eIDAS 1.0 and 2.0 regulations provide a useful framework here, distinguishing between levels of assurance (LOA) that determine how well a solution can resist modern attacks. Only solutions rated at Substantial or High LOA provide meaningful resilience. For the most severe threat scenarios, only the High LOA can be relied upon.
The distinction comes down to two critical factors: enrolment quality and the strength of the authentication method. During enrolment, the process by which a digital identity is first created, solutions that have not been assessed and certified by a recognised Certification Assessment Body tend to be fundamentally weak. A simple document capture combined with liveness detection is, by current standards, easily compromised.
A Substantial LOA requires video capture of a document, a certified liveness session, and human review. High LOA may require a one-time visit to an official body such as a city hall, where biometric data held on a national ID card, such as a fingerprint, is used to activate the service.
Authentication is the second pillar. Consumer-facing biometric systems, such as Apple Face ID and Google’s equivalent, are not designed to meet the security bar that financial services and regulated industries require. Robust digital-native solutions instead embed strong customer authentication mechanisms that have undergone rigorous independent security evaluations. In France, for example, the CSPN certification is the recognised benchmark for this kind of assurance.
For businesses dealing with account takeover risks in password reset flows, or handling customer onboarding under increasingly stringent regulation, the direction of travel is clear. A Substantial LOA should be treated as the floor, with High LOA the preferred standard wherever possible.
This is not merely best practice; it is increasingly a regulatory expectation. The updated Anti-Money Laundering Regulation (AML-R), in its July 2027 version, explicitly aligns with this position, signalling that the industry’s transition away from legacy document verification is no longer optional.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
