In 2018 we picked Identy as the biometric capture partner for WhoYou. In March, the U.S. Department of Homeland Security published the results of its Remote Identity Validation Rally, and Identy posted a 0% Attack Presentation Classification Error Rate. We thought it was worth explaining why we made the call we did back then, and what the new results mean for the customers running on our stack today.
Why Identy
We had a view about where biometric verification was going to fail. By 2018, decision-layer matching was already well established. The capture layer was not. Anyone trying to break a biometric check was going to attack the camera feed, the device, the seconds between the user and the system. That is where fraudsters had been operating, and it is the same gap that AI-generated deepfakes have since widened.
When we evaluated potential partners, Identy was building exactly the kind of component we were looking for: hardened capture, passive liveness running on the device, and injection protection at the camera layer. It was a capture-layer component that sat earlier in the verification pipeline, before any matching logic ran.
We integrated it. Every WhoYou biometric check has run on the WhoYou and Identy stack since.
What the DHS RIVR confirmed
The Remote Identity Validation Rally is run by DHS in partnership with the Maryland Test Facility. It puts vendors through three categories of presentation attack, from printed photographs through to AI-manipulated synthetic media. The evaluation is independent, the methodology is public, and the results are published.
Identy recorded a 0% APCER across the entire evaluation. No spoofing attempt was accepted, in any of the three attack classes. Identy also ranked first on transaction times and on user satisfaction in the rally.
You can read the published results on the Maryland Test Facility site. Identy’s press release has the technical breakdown.
What it means for our technology
The WhoYou and Identy stack runs four defence layers at every biometric verification: passive liveness detection, capture process protection, injection prevention, and dedicated deepfake detection. They’re independent layers, each handling a class of attack, and they run in real time during the capture window.
That architecture has been the way our biometrics work for eight years. The DHS result didn’t introduce anything new on our side. It validated the choices we made in 2018.
What it means for our customers
A few things worth flagging if you’re running WhoYou in your onboarding flow. Your customer verification has been independently tested against the kinds of attacks AI tools are putting in front of every verification system right now, and you can cite a public methodology and a public outcome. Your FATF, FICA, and POPIA conversations have new evidence to draw on. The deepfake threat is here. The architecture you’re relying on has been tested against Class C attacks, the AI-manipulated synthetic media category, and it held.
“We picked Identy back in 2018 because they were going after the capture moment. We always thought that’s where verification would get tested hardest. The DHS result tells us we got that call right, and our customers can now point to a public record when they need to prove what’s sitting in front of their onboarding flows.”
Craig Hills, Managing Director, WhoYou
What’s next
Nothing changes about how we run biometrics for our customers. The stack is the same one that processed last month’s verifications, and it will process this month’s. We’ll keep extending defence-in-depth across the rest of our product surface, and we’ll keep working with Identy as the capture partner.
If you want to talk through what the DHS-validated stack looks like in your verification flows, get in touch. You can also read more about the combined approach on our biometrics page.
