Published by TrueID Team | 4-minute read
How to Add AI-Powered Liveness Detection to your MFA as Your Primary Line of Defence
Summary: We’re in the era of post-truth where it is increasingly difficult to verify who is real and who is not, what is true and what is not. This lack of confidence severely impacts organizations that are involved in critical operations and cross-border transactions. As we try to find solutions to these problems, the technologies evolve further, forcing us to change our authentication strategies continuously. At TrueID, we keep our security foundations of passwords, tokens, etc. relevant while regularly upgrading our biometric authentication solutions. This evolving magic mix seems to be the only reliable solution in an scary deepfake-ridden world.
In 2024, a finance employee at a Hong Kong multinational transferred $25 million after a deepfake video call impersonated the company’s CFO. It’s not the employee’s fault. This kind of scan was unforeseen and the digital deepfake persona closely mimicked the CFO’s voice and face.
With the proliferation of AI video, audio, and image generation tools, even the most tech-savvy people cannot confidently distinguish deepfakes from humans. And the problem is only getting worse. We can no more assume that seeing a face on a screen or listening to a voice on phone or computer connection means the person is real.
These deepfake tech advancements nullifies any security layer that includes static identity checks based on digital images, voice, or even scanned identity cards. Organizations that haven’t upgraded their defence systems are vulnerable for large scale attacks.
Why all “Multiple Factors” are Not the Same
MFA stacks independent verification layers so that compromising one doesn’t compromise the whole system. These layers typically fall into three categories:
| Something You Know | Something You Have | Something You Are |
|---|---|---|
| Passwords, PINs, security questions | OTP tokens, mobile devices, hardware keys | Fingerprints, facial recognition, voice ID |
Deepfake AI collapses the static “something you are” category entirely. Voice cloning needs just three seconds of sample audio to replicate a person’s voice, defeating phone-based verification. Real-time face swaps overlay synthetic faces onto live video feeds, bypassing video KYC. And sophisticated attacks now pair AI-generated documents with synthetic faces to pass the full spectrum of ID + selfie checks.
The consequences extend well beyond a single fraudulent transaction: direct financial losses, regulatory penalties for failed KYC and AML compliance, reputational damage, and weeks of operational disruption from forensic investigation. Any organisation that uses only static biometric authentication is now in the crosshairs.
Naturally, businesses have increased their reliance on passwords, PINs, OTP tokens, etc. However, it is worth remembering that the primary reason why biometric identity verification was trusted is because the PINs, passwords, etc, are not failsafe. They can be shared or even hacked. So, the solution to the evolving threats is still MFA, but not the MFA of the earlier years.
The core problem: Traditional MFA verifies that the right credentials are presented. It does not verify that a real, living human or the right human is presenting them.
The Missing Layer: AI-Powered Liveness Detection
Liveness detection doesn’t replace MFA or other components of it. It’s added to MFA to make it work again. While MFA asks “do you have the right credentials?”, liveness detection asks: “is there a real, physically present human on the other side?” and “if it is the right person”.
It works by analysing biometric signals that deepfakes cannot reliably replicate. Critically, liveness detection doesn’t stop at recognising who someone is—that’s basic biometric matching. It extends to search answers to the question deepfakes are designed to make you skip: is this a real person?
| Detection Signal | What It Catches |
|---|---|
| Micro-expression analysis | Detects subtle involuntary facial movements that deepfakes cannot reproduce naturally |
| 3D depth mapping | Identifies flat screens or projected images that lack real three-dimensional depth |
| Texture and skin analysis | Spots pixel-level artefacts, unnatural smoothness, and rendering inconsistencies |
| Challenge-response prompts | Randomised instructions (blink, turn, speak) that pre-recorded deepfakes cannot anticipate |
| Environmental consistency | Analyses lighting, reflections, and backgrounds to detect replays or injected feeds |
The strongest implementations combine passive detection (automatic background analysis of texture, depth, and micro-movements) with active challenges (randomised user-facing prompts like head turns or spoken phrases). Passive checks preserve user experience; active checks raise the bar against sophisticated attacks. Smart deployments use risk-based triggering, i.e. routine logins from recognised devices get passive checks only, while new accounts, large transfers, or unfamiliar locations trigger the full active stack. This keeps friction low where trust is high, and security tight where risk is elevated.
Why TrueID
TrueID’s liveness detection is built for the deepfake era, not retrofitted onto a legacy platform:
- iBeta Level 1 & 2 certified presentation attack detection meeting global regulatory standards.
- Continuously updated deepfake detection models trained against the latest synthetic media techniques.
- Seamless API integration that plugs into existing MFA stacks without infrastructure overhaul.
- Sub-second response times that add security without adding user friction.
- Full audit trails for compliance across financial services, healthcare, and government.
The Bottom Line
Deepfakes don’t break MFA by cracking passwords or intercepting OTPs. They break it by exploiting the unchallenged assumption that the person on the other side of the screen is real. AI-powered liveness detection closes that gap, transforming MFA from a system that verifies credentials into one that verifies human presence, the one thing deepfakes cannot authentically replicate.
The organisations that act on this now will be the ones that don’t make headlines for the wrong reasons later.
Ready to deepfake-proof your authentication?
See how TrueID’s liveness detection integrates with your existing MFA in under a week.
