The Design Flaw in Identity Document Verification

Written By Joshua McKenty

Most identity verification (IDV) systems were designed to catch obvious fakes: bad Photoshop jobs, mismatched fonts, or documents that don’t exist in any database. That approach worked for a while. It doesn’t work anymore.

The issue isn’t that IDV providers are incompetent. The issue is that the threat model has changed, and the standard verification stack was never built for today’s attacks.

Faceswapping Turns Stolen Identities Into Job Offers

Until recently, creating a convincing fake ID required real skill, specialized printing equipment, and detailed knowledge of security features. The barrier to entry made most fraud detectable.

That barrier has collapsed. AI-powered faceswapping tools now make high-quality document fraud cheap and routine. Services like OnlyFake (now defunct, but widely imitated) offered AI-generated fake IDs for as little as $15. The buyer uploads a photo of their face, selects a document type and country, and receives a realistic-looking ID with their face on someone else's identity.

For more sophisticated attacks, darknet markets sell complete "KYC bypass kits"—a faceswapped document paired with a matching deepfake selfie video—typically for $50 to $200. According to iProov, detected face-swap attacks surged 704% in 2023 alone.

This matters because these techniques are no longer just used for account takeovers or consumer fraud. They are being systematically deployed by North Korean-linked IT worker networks that apply for remote engineering, DevOps, and cybersecurity roles using stolen or borrowed identities. The goal is simple: gain access to corporate systems, exfiltrate data, and funnel salaries back to the regime.

The economics have flipped. Document fraud used to require expertise and capital. Now it requires a credit card and fifteen minutes.

Why Current Defenses Fail

When your IDV provider runs a "document verification," what are they actually checking?

Most systems query DMV databases or similar government records. They verify that the document number exists, that the name matches, that the document hasn't been reported stolen, and that it hasn't expired. Some check that the document's visual layout matches the expected template for that state or country.

What they don't do is compare the photo on the document to the photo in the original government database. They can't—most DMV databases don't expose facial images through their verification APIs.

This creates an obvious gap. A faceswapped ID uses real underlying data. The document number is valid. The name matches. The address checks out. Everything about the document is authentic except the face. And that's the one thing the database lookup doesn't verify.

The document is real. The face on it isn't.

Liveness Detection won’t Save You

Modern IDV systems often add “liveness detection” to ensure a real person is in front of the camera.

That solves one question: Is there a real person here right now?
 It does not answer the question that matters: Is this the person the government issued this identity to?

Standard IDV flow looks like this:

  1. Scan the document.

  2. Capture a live selfie.

  3. Compare the two faces.

If the document was faceswapped to show the attacker’s real face, no deepfake is needed. The attacker shows their own face to the camera, it matches the altered document, and verification passes perfectly.

Liveness detection was built to stop someone holding up a photo or replaying a video — not to detect manipulation of the document itself.

What Actually Works

Two approaches reliably break this attack chain:

1) Passport chip (NFC) verification — the gold standard.
Modern passports store a digitally signed version of the holder’s photo on an embedded chip. When properly read and validated, this proves that the image came from the issuing government and hasn’t been altered. A faceswap cannot survive this check.

2) Driver’s license plus strong device and location proof.
Where passports aren’t practical, a driver’s license check can be paired with real-time device attestation and trustworthy GPS validation to make large-scale impersonation far harder. This doesn’t match the cryptographic certainty of a passport chip, but ensuring that the user’s current location matches the country of their ID document raises the bar beyond what simple faceswaps can defeat.

The common principle is the same: verify something the attacker cannot fabricate, not just something they can present.

Why This Matters Now

This is not hypothetical. North Korean IT worker operations are actively exploiting these gaps to insert remote contractors into legitimate companies using stolen or borrowed identities that have been faceswapped. Once inside, they can access credentials, and sensitive customer data.

The uncomfortable question for any organization relying on standard IDV is simple: has your process already been bypassed without you knowing? If your provider can’t clearly explain how they prevent the use of faceswapped documents, the odds are high that it has.

Polyguard helps organizations combine cryptographic document checks with device and location assurance to close this gap. If you want to verify identity in a world of faceswaps, Polyguard can help.

Joshua McKenty
Next

Why Using Signal Doesn’t Solve Your Fraud Problem—And How Polyguard Does