Remote identity verification has a primitive problem.
Most systems still treat camera input as evidence of reality: a face, an ID document, a liveness gesture. That was a reasonable assumption when the main attackers were using printed photos, replayed videos, or crude spoofing tools. It is becoming a bad assumption in a world where synthetic media can be generated, transformed, and injected into the capture pipeline.
Generative AI has changed the economics of forgery. Creating a convincing fake document, face image, or synthetic video no longer requires a specialist. The tooling is becoming cheaper, better, and more accessible every month. [1]
Deepfakes are not perfect. But that is the wrong comfort. The question is not whether every fake can fool every system today. The question is what happens when the cost of producing realistic fake inputs keeps trending toward zero.
Visual trust is brittle
This matters because many "strong authentication" flows are still built on visual trust:
- Take a picture of your ID.
- Take a selfie.
- Turn your head.
- Blink.
- Look into the camera.
These flows worked reasonably well when the threat model was simpler. But remote biometric authentication has three structural weaknesses.
First, most consumer cameras are weak sensors. A normal phone or laptop camera captures a 2D projection of a 3D person under uncontrolled lighting, exposure, compression, and noise. That makes liveness checks hard to get right consistently. Even passive liveness, the simplest case of deciding from a static image whether a real person is in front of the camera, is unreliable on consumer hardware at scale. [2]
Second, the verifier does not control the device. In a remote flow, the system has to trust that the camera feed represents physical reality. Challenge-response prompts like "turn your head" or "blink" were the industry's answer to that problem, but they no longer settle it: attackers can use virtual cameras, modified devices, or injected video streams to bypass the physical camera entirely and answer the prompts with a real-time deepfake. [3]
Third, the environment is not controlled. Unlike in-person verification, remote auth happens in bedrooms, cars, offices, airports, and low-light rooms. Every liveness challenge has to balance fraud resistance against user friction.
As synthetic attacks improve, providers respond by making liveness checks stricter: more prompts, more movement, more retries, more false rejects, and ultimately more customer friction. Security improves by making the product harder to use. We believe that is not a stable endpoint.
The issue is not that face biometrics are useless. A selfie can still be part of a strong authentication flow. The issue is that a selfie should not be the only trust primitive.
Proof beats appearance
Strong authentication needs to move from "does this look like the right person?" to "can this user prove control of hard-to-forge signals?"
Those signals may include user- or device-bound secrets, motion, behavior, biometrics, context, and physiological signals. None of them is perfect alone. The point is composition.
And this is already how security usually improves. We combine independent factors so that compromising one layer is not enough.
- Something you know.
- Something you have.
- Something you are.
But in practice, strong auth often collapses at the recovery layer.
Recovery is the floor
A user loses their phone. They forget a password. They change devices. They need to recover access to a financial account, crypto wallet, or high-value service.
If recovery falls back to email, SMS, or security questions, then the whole system inherits that weakness. Your authentication is only as strong as your weakest recovery path. [4] [5]
Passwords had a similar problem. Humans are bad at creating and remembering high-entropy secrets, so they reuse weak passwords, write them down, or fall for phishing. Password managers improved this by generating unique secrets per service. That is excellent for account security, but it also fragments identity.
For strong authentication, we often need the opposite: a way to authenticate the same person across high-risk contexts without forcing them to leak more personal data every time.
That is the hard problem.
The next layer is composable
The future of strong auth should be multi-factor, adaptive, and privacy-preserving.
A better system should be able to combine different signals depending on the risk of the action. The system should become stronger when the action becomes more sensitive. This means moving away from a single biometric, a single liveness model, a vendor-specific risk score, or just another selfie prompt.
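The recovery floor and risk-tiered composition described above can be made concrete with a small policy model. This is an added example, not code from Rebellion Systems or the original article; the factor names, the risk tiers, and the rule of counting independent non-weak factor categories are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added illustration; factor names, tiers and the scoring rule are assumptions.
@dataclass(frozen=True)
class Factor:
    name: str
    category: str       # "know", "have" or "are"
    weak: bool = False  # phishable, interceptable or guessable

PIN = Factor("pin", "know")
DEVICE_KEY = Factor("device_bound_key", "have")
RECOVERY_CODE = Factor("offline_recovery_code", "have")
SELFIE = Factor("selfie_liveness", "are")
SMS_OTP = Factor("sms_otp", "have", weak=True)
EMAIL_LINK = Factor("email_link", "have", weak=True)

# Constructed risk tiers: independent strong categories required per action.
REQUIRED = {"view_balance": 1, "add_payee": 2, "recover_wallet": 3}

def path_assurance(factors):
    """Number of distinct categories covered by non-weak factors."""
    return len({f.category for f in factors if not f.weak})

def account_floor(paths):
    """An attacker picks the easiest way in, so take the minimum over
    every path into the account, recovery included."""
    return min(path_assurance(p) for p in paths.values())

def weakest_paths(paths):
    floor = account_floor(paths)
    return sorted(n for n, p in paths.items() if path_assurance(p) == floor)

def allowed(action, presented, paths):
    """Permit only if both the presented factors and the account's weakest
    path meet the tier the action demands."""
    effective = min(path_assurance(presented), account_floor(paths))
    return effective >= REQUIRED[action]

# Constructed configurations: same login, different recovery paths.
STRONG_LOGIN = [PIN, DEVICE_KEY, SELFIE]
BEFORE = {"login": STRONG_LOGIN, "recovery": [SMS_OTP, EMAIL_LINK]}
AFTER = {"login": STRONG_LOGIN, "recovery": [RECOVERY_CODE, SELFIE]}

if __name__ == "__main__":
    for label, paths in (("before", BEFORE), ("after", AFTER)):
        print(label, "floor:", account_floor(paths), "weakest:", weakest_paths(paths))
        for action in REQUIRED:
            print("  ", action, allowed(action, STRONG_LOGIN, paths))
```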
Critically, raw private signals should not need to leave the user's device. When data must be shared, it should be minimized and covered by explicit privacy guarantees. [6]
This is where zero-knowledge proofs become interesting. Not as a buzzword, but as a practical way to prove authentication-relevant facts without turning every login or recovery flow into another data collection event. A user should be able to prove that the right signals are present without exposing the underlying signals themselves.
What we are building toward
At Rebellion Systems, this is the direction we are building toward: malleable, ZK-based authentication that can combine multiple factors while preserving user privacy. The future of strong auth is not "no selfies ever" or "biometrics are dead," but a realization that visual evidence alone is no longer enough.
We believe the next generation of authentication will not be won by asking users to take a slightly better selfie. It will be won by systems that can privately prove possession, behavior, recovery intent, and other authentication-relevant signals in a way that is much harder to fake, harder to steal, and harder to replay. The future of strong auth is not just another selfie; it is proof.
References
[1] Sumsub, Identity Fraud Report 2025-2026, November 2025.
[2] M. Ngan, P. Grother, and K. Hanaoka, Face Analysis Technology Evaluation (FATE) Part 10, NIST Internal Report 8491, September 2023.
[3] iProov, Threat Intelligence Report 2024: The Impact of Generative AI on Remote Identity Verification.
[4] FBI Internet Crime Complaint Center, Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars from US Public, February 2022.
[5] J. Bonneau, E. Bursztein, I. Caron, R. Jackson, and M. Williamson, Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google, WWW '15.
[6] E. Podda et al., The impact of zero-knowledge proofs on data minimisation compliance of digital identity wallets, Internet Policy Review, vol. 14, no. 3, 2025.