Incode Achieves Zero Bypass in Biometric Testing Against Real-World Attacks
Severity: Low (Score: 18.8)
Sources: www.incode.com, Biometricupdate
Published: · Updated:
Keywords: socialproof, incode, mobile, zero, bypasses, testing, identity
Summary
Incode Technologies announced that its mobile identity verification system successfully passed independent adversarial penetration testing by SocialProof Security, achieving zero mobile bypasses against various real-world fraud techniques. The testing included 13 distinct attack types, such as deepfakes, injected media, and AI-generated documents. The results indicate that Incode's mobile authentication flows are resilient to modern fraud tactics, while browser-based flows showed some vulnerabilities that were promptly addressed. The report emphasizes the importance of independent testing over vendor-marketed accuracy metrics, highlighting a growing industry trend towards transparency in identity verification security. Incode's findings contribute to ongoing discussions about the security differences between native mobile and browser-based identity verification systems. Key Points: • Incode's identity verification system achieved zero mobile bypasses during independent testing. • Testing included 13 attack types, focusing on deepfakes and injected media. • The results highlight the effectiveness of mobile ID verification against modern fraud techniques.
Detailed Analysis
**Impact** Mobile identity verification users across sectors relying on Incode’s biometric authentication are affected, with the system demonstrating resilience against over 110 adversarial attempts spanning 13 attack types. The testing simulated real-world fraud scenarios including deepfakes, injected media, and AI-generated documents, indicating strong protection for organizations using Incode’s mobile flows globally. Browser-based verification showed some early vulnerabilities, but these were promptly remediated, reducing operational risk related to identity fraud and synthetic identity attacks. **Technical Details** The attack vectors tested included deepfakes, hardware and software video injection, replay attacks, emulators, rooted devices, manipulated identity documents, and injection attacks. The adversarial testing was conducted by SocialProof Security simulating a moderately capable external attacker using physical artifacts, digital manipulation, and AI-assisted tools. No CVEs or specific malware were mentioned, and no indicators of compromise (IOCs) were provided. The kill chain stages tested primarily involved initial access and credential spoofing attempts through biometric bypass techniques. **Recommended Response** Organizations should prioritize deploying native mobile identity verification flows over browser-based methods due to stronger platform constraints and device-integrity guarantees. Continuous adversarial testing and prompt remediation of identified vulnerabilities are recommended to maintain resilience against injection and AI-enabled fraud attacks. Monitoring for injection attack patterns and deepfake attempts in browser environments should be implemented until these flows achieve parity with mobile security. No specific patches or IOCs were provided for immediate blocking.
Source articles (2)
- Incode mobile identity verification posts zero bypasses in adversarial testing — Biometricupdate · 2026-05-29
Incode Technologies has released its Independent Adversarial Penetration Testing Report, which shows zero mobile bypasses on biometric testing by cybersecurity firm SocialProof Security , using attack… - Pentest Socialproof — www.incode.com · 2026-05-29
Zero mobile bypasses against real-world fraud attacks Incode’s Identity Verification system was independently tested by the cybersecurity firm SocialProof Security using real-world attacks like deepfa…
Timeline
- 2026-05-29 — Incode announces pentest results: Incode reveals zero mobile bypasses in independent testing by SocialProof Security, validating the robustness of its identity verification system against real-world attacks.
- 2026-05-29 — SocialProof Security conducts testing: SocialProof Security tested Incode's system against various attack methods, confirming zero successful bypasses on mobile authentication flows.