Article

Strengthening Security in the Age of AI: Why We're Upgrading How We Protect Members

May 12, 2026
By: Pavan Prasanna Kumar

By: Pavan Prasanna Kumar, Principal Product Manager

As reported in public news accounts, Sareena Brown-Thomas came home from her shift to find an envelope informing her she had been awarded unemployment benefits she had never applied for. Murat Mayor sat down to apply for financial aid for his teenage son and discovered that scammers had used both their identities to enroll them in community college classes across the country. Each year, hundreds of thousands of taxpayers file their federal return only to learn that someone else has already filed in their name to claim their refund.

These are not edge cases. The U.S. Government Accountability Office has estimated that the federal government could lose between $233 billion and $521 billion annually to fraud. U.S. officials have also estimated that at least half of pandemic-era fraud was tied to organized crime networks operating out of Russia, China, and Nigeria. FBI Deputy Assistant Director Jay Greenberg called it “an economic attack on the United States.”

Every dollar of that fraud came from somewhere. It came from real people’s benefits and real taxpayers’ money.

Today, the threat has shifted again. “Deepfake-as-a-service” has made convincing video and persona fakes available to anyone willing to pay. According to Cyble, AI-driven scams surged 1,210% and deepfakes were involved in more than 30% of high-impact corporate impersonation attacks in 2025.

Figure 1: Deepfake attack stopped by ID.me. The deepfake disappears when the card is held in front of the face. Note the changes around the eye.

We covered this landscape in more depth in The Identity Fraud Landscape: 2026 and Beyond. The verification methods that worked until now cannot keep pace. That is why we are upgrading how we protect members using face matching.

How face matching works at ID.me

Face matching has always been part of remote identity verification. (A face is the biometric we use; throughout this post we use the terms interchangeably). Every high assurance verification involves comparing a member’s selfie to the photo on their ID, whether that comparison is performed by software in an unattended flow (sometimes called self-service or unsupervised), by a trained agent in a video call, or by a credentialing officer in person.

Presentation Attack Detection or PAD, identifies and blocks fake samples, like photos, masks, or videos, ensuring only live, authorized users access systems.

Under federal identity standards, Presentation Attack Detection (PAD) is required for ID.me’s remote IAL2 proofing flows that rely on remote biometric comparison or asynchronous visual comparison. The upgrades described below bring every ID.me verification into alignment with that standard.

Software-led matching, evaluated by the U.S. National Institute of Standards and Technology (NIST), performs more consistently across members than manual review and is significantly harder to deceive with deepfakes.

What is changing

Two upgrades will roll out across every ID.me verification pathway. Together, they harden our defenses against tactics being deployed by both individual fraudsters and organized crime rings.

What is a Sybil attack? A Sybil attack is when a person or criminal ring creates many fake accounts using stolen names and documents but the same underlying face. Each fake account looks legitimate on its own. Only by comparing selfies across accounts does the pattern become obvious.

1. Duplicate check to catch repeat fraud. 

ID.me will compare each new selfie captured during verification against a secure gallery of previously verified selfies — inside ID.me’s environment only. The purpose of this policy is to solve a very particular problem: detect Sybil attacks where one face is being used to create many fake digital wallets under stolen identities.

The stories of the Sareenas, Murats, and taxpayers in the opening of this post are the people Sybil attacks target. A duplicate check is the single most effective control against organized fraud rings operating against a network of our size.

We are not scraping social media. We are not searching outside databases. We are not sharing member images with third parties. The check exists solely to confirm that the same person has not already been verified under a different name and stolen identity.

A real-world Sybil attack: the same face used repeatedly to attempt to steal member’s wallets

2. PAD check in all pathways

Every remote proofing pathway will now involve a short video selfie that confirms a real, physically present member is on the other end of the camera. The check uses PAD to spot photos held up to a screen, deepfake videos, or lifelike masks. If the system cannot confirm a live person, it rejects the attempt. The check happens in seconds. PAD was previously present in the self-service or “unattended” flow, which accounts for the majority of ID.me verifications. Now it is also present for the remainder of the video reviews with trained agents.

What this means for members

For the members who rely on ID.me, the upgrades translate into something tangible: fewer false rejections for legitimate members, less repeat document uploading, and a process that works the first time more often.  

Why we are extending biometric retention

ID.me has always required member consent before capturing selfies or biometric information, and that remains true. What’s being upgraded is a standardized retention default. We are moving away from custom per-agency retention rules to a default of up to 12 months after account closure, with limited exceptions tied to compelled legal processes and confirmed or expected fraud (see full policy here)

Without this retention, an organized fraud ring can close a digital wallet, reopen with a different email and a stolen identity, and slip past the duplicate check. With retention we can detect repeat offenders who would otherwise quietly drain agency programs or individual’s accounts over months or years.

Our commitments to member privacy

We owe more than reassurance. We owe specifics. Here is what we will and will not do with a member’s biometric information:

  • We will not sell member selfies or any biometric data.
  • We will not share selfies with law enforcement databases.
  • We will not scrape social media or other external image sources.
  • We will not use selfies for advertising or for any purpose outside the verification, fraud-prevention, and wallet-protection uses described in our biometric privacy statement.
  • We will require member consent before any verified information is shared with the agencies a member transacts with.
  • We will continue to provide in-person verification, where supported by the agency, for members who need it.

This is your identity. We hold it on your behalf and with your permission.

  • See your consent disclosures and what we hold. Members can review consent disclosures and account information through the Privacy Rights Center.
  • Reach support. ID.me member support is available through the Help Center for any question about an account, a verification, or biometric data.

The agencies that partner with ID.me are entrusted with some of the most consequential services in American life — tax refunds, retirement benefits, healthcare access, unemployment relief, veterans’ services. The members who depend on those services deserve to know that these services and their identities are being protected against criminals who have grown more sophisticated every year. That protection is being built in a way that respects their consent and their privacy.

Agency partners with questions about how these upgrades affect specific programs should reach out to their ID.me customer support team. Members with questions about their digital wallet or biometric consent can contact ID.me support through the help center.

About the Author

Pavan Prasanna Kumar 

Principal Product Manager, Identity, ID.me

Pavan Prasanna Kumar leads the Identity Platform at ID.me, bringing deep expertise in artificial intelligence and machine learning to the role. He currently drives product strategy for Biometrics, Document Verification, and Persons across ID.me’s platform.

Before ID.me, Pavan was a Lead Product Manager at Meta, where he launched a new Reinforcement Learning–based recommendation model for the Facebook Feed. Earlier, as Head of Product for the AWS AI Computer Vision team, he owned end-to-end strategy for AWS’s computer vision portfolio and led the launch of Amazon Rekognition Face Liveness.

Pavan holds an MBA from Northwestern University’s Kellogg School of Management.

About the Author

Pavan Prasanna Kumar

More from this author

ID.me simplifies how individuals prove and share their identity online.

Resources
Resources

Copyright © ID.me, LLC. All rights reserved