Business February 16, 2023

How Yoti can help combat digital injection attacks

profile picture Matt Prendergast 3 min read
Closeup of fingers typing on laptop keyboard

As use of online verification grows, there inevitably follows increasing temptation for bad actors to develop ways to exploit the process. As a provider of verification services we must show businesses, regulators and governments that we have robust anti-spoofing technology, checks and processes. An emerging but rapidly growing threat for verification services are digital injection attacks.

 

What are injection attacks?

Injection attacks are a form of attack on remote verification services. Direct attacks are the most common attempt to spoof systems. Examples of direct attacks are:

  • Paper image
  • 2D and 3D masks 
  • Screen image
  • Video imagery

Direct attacks are an attempt to spoof a verification system that a person is real, older, or someone else altogether. Our facematch and liveness detection technologies use layers of anti-spoofing to determine that the person is real (not a picture or mask, for example) and that they are who they say they are. 

An injection attack is an indirect attack and attempts to bypass liveness detection. It involves injecting an image or video designed to pass authentication, rather than the one captured on the live camera. It is a rapidly emerging threat to digital verification services. Using free software and some limited technical ability, a bad actor is able to overwrite the image or video of the camera with pre-prepared images.

 

How can Yoti help prevent injection attacks?

We have developed a patent-pending solution that makes injection attacks considerably more difficult for imposters. It is a new way of adding security at the point an image is being taken for a liveness or facematch check. 

There are two parts to this. As well as obfuscating the code, Yoti adds a cryptographic signature key. As such, a potential hacker needs to both reverse engineer the obfuscation and infer or guess the cryptographic signature key.

Yoti frequently changes the obfuscation and the signature key. This means that if the hacker were to reverse engineer the obfuscated code, by the time they have done so, the signature key will have changed, and vice-versa.

There remain ways to spoof this (not that we’d say how) but it significantly adds to the effort, time, skill and cost of spoofing verification checks, moving bad actors on to less secure opportunities. 

With Yoti, you can stop bad actors before they spoof your system by focusing on early detection of presentation and injection attacks.

If you’d like to learn more about our NIST approved liveness products, please do get in touch.

Related stories

An image of a woman holding a driving licence in one hand and her mobile phone in another.
Articles January 15, 2026

How we build our AI models

At Yoti, AI is not a general-purpose experiment. Instead, it is a set of purpose-built tools embedded directly into our identity, authentication and age verification products, designed to deliver secure decisions quickly while not collecting or processing unnecessary data. Rather than using large, general-purpose AI systems, we build and deploy small, specialised models that each solve a clearly defined problem. This approach gives our customers stronger security, better privacy outcomes, faster performance and greater confidence in how decisions are made.   How do our AI-based checks work? At Yoti, our approach is to use multiple models to perform very

#authentication #business
Matt Prendergast Matt Prendergast
5 min read
An image of a laptop screen displaying a Yoti Verified Call. Icons surrounding the main screen show the verified identities of each attendee.
Articles November 19, 2025

Introducing Yoti Verified Calls

Yoti Verified Calls is a new innovative service, designed to combat identity fraud and cyber attacks, while building trust during video calls. It enables businesses and individuals to verify the identity of attendees before or during video calls, reducing the risk of impersonation, deepfakes and unauthorised access.   The rising threat of deepfakes Barely a week goes by without a headline about deepfakes. Whether it’s a celebrity finding fake images of them circulating online, political leaders appearing in a deepfake video, or a member of the public scammed, the technology behind deepfakes is growing more accessible, believable, sophisticated and

#authentication #news
Yoti Yoti
4 min read
Zero trust authentication methods
Articles November 13, 2025

How strong authentication powers Zero Trust and protects against cyber threats

Until recently, organisational cybersecurity typically relied on a fortress mentality, by building a strong perimeter with firewalls and VPNs, and trusting everything inside. But in today’s digital world of cloud apps, remote work and hiring, supply chain integrations, virtual connections and sophisticated attacks, that approach is no longer enough. Once criminals breach the walls, they can often move freely and undetected. If a business can’t reliably confirm who’s accessing its systems, it leaves the door open for cyber criminals. When authentication is weak, malicious actors can: Steal employee or customer login credentials through phishing and use them to access

#authentication #business
Sofi Summers Sofi Summers
6 min read