You Can’t Trust Your Eyes Anymore. Trust Cryptography Instead.

Deepfake technology can synthesise faces and voices in real time. Certifyd defeats deepfakes by verifying identity through device-bound cryptographic authentication — not through what you can see or hear.

The Numbers
£20M+

lost in a single deepfake attack (Arup, 2024)

3,000%

increase in deepfake fraud attempts (2023–2024)

0s

to verify with Certifyd

Why This Matters

The reality of deepfakes in the UK.

Deepfake protection with Certifyd works at the protocol level, not the perception level. Deepfake detection tools try to spot synthetic media — an arms race the detectors are losing. Certifyd takes a fundamentally different approach: instead of asking ‘does this face look real?’, it asks ‘can this person complete a cryptographic challenge on their registered device?’ A deepfake can synthesise any face and any voice, but it cannot possess the physical device that holds someone’s passkey. Bi-directional, device-bound authentication makes deepfakes irrelevant to identity verification.

In February 2024, engineering firm Arup lost over £20 million after an employee was deceived by a deepfake video call that impersonated the company’s CFO and other executives. The deepfakes were convincing enough to pass a live video conference. This was not a failure of training or awareness — the technology has simply surpassed the human ability to detect fakes.

Deepfake fraud has exploded. Attempts increased by 3,000% between 2023 and 2024. AI-generated candidates are appearing in recruitment video interviews. Voice cloning can replicate a person’s voice from a few seconds of audio. Real-time face-swapping tools are available for under £100. The tools that were science fiction five years ago are now consumer products.

Deepfake detection is an arms race that defenders are losing. Every detection algorithm trains the next generation of generators to evade it. Certifyd takes a fundamentally different approach: it doesn’t try to detect fakes. Instead, it proves authenticity through device-bound cryptographic authentication. A WebAuthn passkey is bound to a physical device — it cannot be cloned, transferred, or generated by AI. When someone verifies through Certifyd, they prove they possess the physical device registered to that identity. No video, no voice, no visual assessment — just cryptographic proof.

The Problem

This is broken.
Here's why.

Deepfake technology can synthesise faces and voices convincing enough to fool trained professionals.

Deepfake detection tools are in an arms race with generation tools — and losing.

Video calls, the standard for remote identity verification, are no longer trustworthy.

AI-generated candidates, CEO fraud, and impersonation attacks are growing exponentially.

How It Works

Simple verification.
Every time.

1. Both parties open Certifyd on their registered devices — no video or voice needed

2. Each person completes a cryptographic challenge through their device-bound passkey

3. The system confirms both identities through WebAuthn authentication — unforgeable, unspoofable

4. A tamper-proof record is created: who verified, when, and through which registered device

Ready to see it in action?

Book a demo or tell us about your needs.

They created a voice model of his voice from public recordings. It sounded a bit like him, but knowing him well enough, I knew it wasn’t him. Most people wouldn’t.
Cybersecurity professional, 20 years experience
FAQ

Common questions.

Certifyd doesn’t try to detect deepfakes — it makes them irrelevant. Instead of analysing whether a face or voice is real (an arms race), Certifyd verifies identity through device-bound cryptographic authentication. The person proves they possess the physical device registered to their identity by completing a passkey challenge. A deepfake can generate any face or voice, but it cannot possess someone’s physical phone. If the person can’t complete the cryptographic challenge, they are not who they claim to be.

Device-bound authentication means the person’s identity is tied to a specific physical device through WebAuthn passkeys. The private key is stored in the device’s secure enclave (TPM chip or Secure Enclave) and never leaves the device. Authentication requires the physical device plus biometric or PIN unlock. This creates a chain of trust: the device proves the identity, and only the legitimate owner can unlock the device. No video, no voice, no screenshots — just hardware-backed cryptographic proof.

Possessing the device alone is not enough. The passkey requires the device owner’s biometric authentication (fingerprint, face ID) or PIN to complete the cryptographic challenge. A stolen device without the owner’s biometric is useless for verification. Additionally, devices can be remotely wiped and identities can be revoked through Certifyd’s Organisation management. The security model is: something you have (the device) plus something you are (biometric) or something you know (PIN).
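
The cryptographic challenge in the How It Works steps, and the device-bound, biometric-or-PIN-unlocked passkey described in the two answers above, reduce to a few server-side checks on a WebAuthn assertion. The following is an added example, not Certifyd's code: it uses Node's built-in crypto, a constructed key pair standing in for a registered device, a hypothetical relying-party ID `verify.example`, and illustrative helper names. It rejects credentials whose backup flags (BE/BS) show they can be synced rather than device-bound; a production server would also enforce single use of each challenge.

```javascript
// Added example: relying-party checks on a WebAuthn assertion (constructed data).
const nodeCrypto = require('node:crypto');

const RP_ID = 'verify.example';            // hypothetical relying-party ID
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };  // authenticator-data flag bits
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Stand-in for the authenticator: signs authData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, challenge, flags, origin = `https://${RP_ID}`) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== `https://${RP_ID}`) return 'wrong origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong rpIdHash';
  const flags = a.authData[32];
  if (!(flags & FLAG.UP)) return 'user not present';
  if (!(flags & FLAG.UV)) return 'user not verified';   // biometric or PIN unlock
  if (flags & (FLAG.BE | FLAG.BS)) return 'credential is backup-eligible, not device-bound';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed demo: one P-256 key pair standing in for a registered device.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const challenge = nodeCrypto.randomBytes(32);
const good = makeAssertion(privateKey, challenge, FLAG.UP | FLAG.UV);
const synced = makeAssertion(privateKey, challenge, FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS);
console.log(verifyAssertion(publicKey, challenge, good));
console.log(verifyAssertion(publicKey, nodeCrypto.randomBytes(32), good)); // stale response
console.log(verifyAssertion(publicKey, challenge, synced));
```
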

If your business conducts video calls, processes applications remotely, makes financial decisions based on verbal instructions, or employs people you haven’t met in person — yes. Deepfake technology is democratising impersonation. The Arup attack cost £20 million from a single video call. AI-generated candidates are appearing in recruitment pipelines. CEO fraud via voice cloning is targeting businesses of all sizes. Device-bound authentication is the only verification method that deepfakes cannot defeat.

Get Started

Verify identity beyond what deepfakes can fake

Book a demo to see how Certifyd works for your team, or tell us about your verification needs and we'll get back to you within 24 hours.