The threat landscape around identity is no longer one-dimensional. It is evolving in a critical way. Fraud is no longer driven solely by fake or altered documents, where technical weaknesses can be identified and addressed through traditional controls. Increased risk comes from genuine, valid credentials obtained under false pretenses, so-called genuine but fraudulently obtained documents. Imagine someone coerced or manipulated into authenticating with their government-issued ID and a biometric (face- or fingerprint-based authentication). The identity is real. The document is genuine. The biometric may even match. And the transaction is still fraudulent.
The scale of this issue is significant. In its most recent report, published in 2023, the Bureau of Justice Statistics reported 23.9 million victims of identity theft in 2021 (about 9% of U.S. residents age 16 or older). At the same time, industry reporting from Intellicheck suggests that invalid or misused IDs remain the “primary keys” used to access systems, with over two hundred suspicious IDs detected every hour across verification transactions. Together, these signals point to a core risk: when a genuine identity document is obtained fraudulently (or used in a way the issuer never intended), it can be far harder to detect than a traditional counterfeit.
Many organizations are seeing this shift firsthand. Fraudsters are increasingly using legitimate identities (stolen identities, synthetic identities, or credentials that were improperly issued) to pass onboarding and verification controls. That creates a practical problem: compliance teams may approve applicants who appear authentic, while the financial and operational damage shows up later as fraud losses, account takeovers, chargebacks, or regulatory exposure. Multiple industry sources also report that identity fraud incidents are rising year over year, with millions of cases reported annually and losses continuing to grow at double-digit rates. In other words, the newest “clean” identity risks often look legitimate at first, then fail later, after an account is opened, a claim is paid, or a service is delivered.
The implications extend beyond financial loss. Individuals whose identities are misused may spend months resolving fraudulent activity, repairing credit, restoring account access, and addressing reputational harm. For organizations, the erosion of trust in identity systems (particularly those tied to government-issued credentials) introduces systemic risk. When genuine documents can be fraudulently obtained or misused, the overall identity assurance model weakens, increasing reliance on secondary signals such as behavioral analytics.
Addressing this issue requires a larger framework for how identity assurance is defined and implemented. Efforts to find the ‘wolf’ in the system must be balanced with stronger controls to keep the wolf from getting inside in the first place. Identity assurance must move beyond one-time document authentication at onboarding toward stronger integrity across the entire identity lifecycle; stronger products built on weak evidence and/or on weak verification processes that are required only at entry may actually degrade the system. In addition to strengthening issuance controls and repeated authentication controls, this framework must include implementing multi-layered verification (combining document, biometric, and behavioral signals) and monitoring for anomalies after enrollment (like the NVIDIA blog post). Collaboration with government bodies and organizations such as DSA is also essential to advancing secure issuance practices and enabling effective data sharing. While many efforts remain focused on detecting fake IDs, an equally urgent challenge is recognizing when a real identity should not have been trusted in the first place.
Mahos Bourlai, DSA Board Member