What mobile identity verification is—and why adversarial tests matter
Mobile identity verification is the process of confirming that a person using a smartphone is who they claim to be by checking biometric traits, identity documents, and device integrity against automated security checks designed to block forged media, impostors, and AI-generated content. This discipline is under pressure from fast-improving deepfakes and injected media streams that try to fool facial recognition or document checks. In this context, adversarial testing security exercises move beyond lab accuracy scores to mimic how attackers behave in real life. Instead of evaluating only how often a system approves genuine users, these tests send waves of synthetic faces, manipulated videos, and replayed recordings to see which protections fail. For organizations that rely on mobile identity verification to open accounts, approve high-risk transactions, or grant access, the outcomes of such testing tell them how systems hold up when fraudsters fight back.
Inside Incode’s zero-bypass adversarial test against deepfakes
Incode Technologies released an Independent Adversarial Penetration Testing Report showing that its mobile identity verification flows recorded zero bypasses under sustained attack by cybersecurity firm SocialProof Security. According to SocialProof Security’s Rachel Tobac, the engagement involved hacking Incode more than 110 times across 13 distinct attack types, including hardware and software video injection, deepfake detection challenges, replay attacks, emulators, rooted devices, and manipulated identity documents. The test was scoped to model a “moderately capable external attacker” using a mix of physical artifacts, digital manipulation, and AI-assisted tools. On mobile, none of these attempts successfully broke through biometric checks. While browser-based web flows initially saw limited, repeatable success with certain injection attacks and mixed outcomes in some deepfake scenarios, Incode patched the issues during the engagement and then passed re-testing with no bypasses reported in the final assessment.
AI fraud prevention pressure is reshaping IDV benchmarks
Identity verification providers are facing rising demands to prove that their defenses work against AI-enabled fraud, not only against static datasets. Deepfakes, injected media, and AI-generated documents can now be produced quickly and cheaply, making traditional accuracy benchmarks feel incomplete. Businesses want to know how systems behave under live attack conditions, where fraudsters can iterate and adapt. This is driving a shift toward adversarial testing security as a core benchmark for mobile identity verification. Instead of accepting vendor-marketed accuracy numbers, clients expect independent testing firms to probe for weaknesses, report detailed failure modes, and confirm fixes. Incode’s decision to publish its full adversarial penetration test, including early browser issues and subsequent remediation, reflects this change in expectations. It suggests that transparency around AI fraud prevention performance—especially under simulated attacker pressure—will become a competitive requirement rather than a nice-to-have feature for IDV platforms.
Mobile vs. browser: what the results say about platform security
A key takeaway from the report is the gap between native mobile identity verification and browser-based flows. Incode concludes that native mobile IDV deployments provide stronger protection against modern fraud because mobile platforms offer tighter control over cameras, sensors, and device integrity. These constraints make it harder for attackers to inject fake media streams or tamper with the environment without detection. In contrast, browser-based environments allow more flexible media input selection, which SocialProof Security exploited to gain limited early penetration with injection attacks before fixes. Deepfake tests in the browser yielded mixed outcomes until remediation. After Incode addressed the issues, both mobile and web flows passed retesting with no bypasses, but the experience underlined how platform design affects AI fraud prevention. For organizations, the message is clear: critical onboarding or high-risk actions may be safer inside native mobile apps than in generic web sessions.
Raising the bar: third-party testing and future mobile security standards
The Incode–SocialProof engagement highlights how rigorous third-party adversarial testing is becoming a reference point for mobile security standards. When an external specialist is allowed to attack live systems, document every success, and verify remediation, buyers gain more confidence than from controlled demos or benchmark PDFs. Incode argues that “independent adversarial testing” should be the bar for identity verification vendors, not marketing-driven accuracy claims. This stance adds weight to a wider industry debate about how to validate mobile identity verification in an era of deepfakes and media injection tools. As more fraud attempts exploit AI, regulators, financial institutions, and digital platforms are likely to look for proof of deepfake detection and injection resistance under realistic conditions. Over time, that could push the market toward standardized adversarial testing protocols, where zero bypasses or clearly defined failure rates become table stakes for serious IDV providers.