Digital Identity as Defense in Depth
Mikhaylo Pavlyuk
A Doctrinal View of Trust Protection in Financial Services
For too long, the financial sector has treated digital identity as a collection of separate tools. Liveness checks, deepfake detection, anti-fraud rules, manual review, risk scoring — each is discussed as if it were a self-contained answer to the threat landscape. That creates a false sense of engineering sufficiency: connect enough modules in a single chain and the result will somehow become a robust system.
Operational reality points the other way. Attacks are becoming more sophisticated, bypass techniques evolve quickly, and the environment in which remote identity verification takes place remains fundamentally untrusted. The user’s device, software environment, media capture path, and the transmission chain itself are not fully controlled by the service provider. NIST states this plainly: in remote identity proofing, the applicant’s device and environment are outside the provider’s control.
That is the real issue. The constraint is not a shortage of technology. It is the way the defense is conceived. When digital identity is designed as a stack of barriers, the result is usually a brittle structure with high operational cost and limited resilience. Infrastructure this critical requires a different logic. Not a fence, but defense in depth.
1. The real question is not the detector — it is the architecture
The market’s central mistake is that it argues about the quality of individual mechanisms when the real question is the structure of the system as a whole. One vendor promises stronger deepfake detection, another more accurate liveness assessment, a third better anomaly detection. All of those questions are secondary if the protection model itself is linear.
A linear defense is predictable. It assumes the adversary will hit the first barrier, be identified, and be stopped. That assumption is convenient in a product deck and weak in an actual contest. An attacker does not have to follow the path the defender expects. The attacker looks for overload, inconsistent rules, gaps between signal and response, and weak seams between modules. That is where breaches happen.
Military thinking starts from a different premise. Any line can be probed. Any sensor can be deceived. Any process can come under pressure. Resilience, therefore, does not come from the perfection of a single line. It comes from the way the depth of the defense is organized.
Sun Tzu captures this without any technological vocabulary, but with complete relevance to the problem at hand: success depends not simply on striking hard, but on the configuration of the position, awareness of the situation, control of timing, and the ability to force the opponent into an unfavorable shape of conflict. In digital identity, that means something very concrete: the side that prevails is not the one with the “best detector,” but the one that forces the attacker to spend more resources, expose more signals, and lose momentum at each successive layer.
2. The military logic of defense
In military doctrine, defense is not passive position-holding. Its purpose is broader: disrupt the attacker’s plan, slow the advance, preserve one’s own forces, buy time, and create conditions for subsequent action. Defense is valued not for immobility, but for its ability to redistribute pressure and deny the attacker freedom of maneuver.
That is why strong defense depends on several core properties: depth, echeloning, early warning, concentration of force on the threatened axis, the presence of reserves, and the ability to counteract. A single line cannot accomplish this. Multiple layers are required, each with a distinct role.
The forward line meets the attack and prevents an immediate breakthrough. Screening, observation, and early warning reduce the element of surprise and reveal the likely direction of the main effort. Reserves are not spread thin across the entire frontage. They are held back for the critical sector, where reinforcement or a counterstroke is actually needed.
The familiar heuristic that an attacker needs substantial local superiority to break through a prepared defense matters here not because of the ratio itself. What matters for digital identity is the principle behind it. A resilient system is built so that compromise requires more than one successful bypass. It must demand meaningful superiority in time, resources, preparation, infrastructure, and persistence. If evasion is cheap, quiet, and repeatable, no “technology stack” will save the system.
3. The battlespace of remote identity
Remote identity verification in financial services takes place on terrain the defender does not control. That is not an edge case. It is the baseline condition. A bank or fintech platform does not fully control the customer’s device, cannot assume the user’s software environment is trustworthy, and cannot treat the media capture path as inherently reliable.
That is exactly why current guidance from NIST and European bodies does not revolve around a single control point. Instead, it emphasizes multiple classes of safeguards: presentation attack detection, liveness checks, analysis of manipulated or synthetic media, assessment of the execution environment, and protections for the digital transmission path. This is no longer a decorative layer around one model. It is the framework of a defense.
4. The first line — repelling the direct attack
The first line in digital identity is the protection of the live session at the moment of direct engagement with the user. Its mission is narrow and uncompromising: repel the direct attack on identity.
At this line, the system relies on presentation attack detection, liveness assessment, identity substitution detection, deepfake detection, and challenge-response flows in which the user is asked to perform an action in response to a prompt. NIST requires presentation attack detection for remote biometric verification and recommends random prompts to increase the likelihood of exposing manipulated or synthetic video. ENISA identifies photo attacks, replay from a screen, mask attacks, and deepfakes among the primary threats in this space.
The function of the first line does not need rhetorical embellishment. The question is simple: is the system interacting with a real person, or with a method of simulation?
This is also where the market most often makes a conceptual error. The first line is expected to deliver final truth. It is treated as the sole center of gravity for the defense. That is a mistake. The forward line must absorb and repel the main direct pressure. It is not supposed to win the entire campaign by itself. The moment the first line is treated as self-sufficient, the system becomes vulnerable to everything that falls outside the expected scenario.
5. The second echelon — reconnaissance and counterintelligence
If the first line answers the question, “What is happening in this session?”, the second echelon answers a different one: “What is happening across the wider field?”
In digital identity, this layer is built around the accumulation and analysis of weak signals. The point is not instant judgment. The point is to detect signs of organized pressure. That includes spikes tied to IP ranges and autonomous systems, repeated device fingerprints, signs of virtual camera use, anomalies in the video pipeline, unusual runtime environments, repeated background patterns, suspicious connection routes, and other indicators of tampering with the digital path.
NIST recommends technical controls that increase confidence that media originates from a genuine sensor, including the detection of virtual cameras, emulators, and compromised devices. ENISA separately highlights the rise of injection attacks against the digital path and stresses that defenses must address both presentation attacks and injection attacks.
The role of this layer is analogous to military reconnaissance and counterintelligence. It does not need to block every deviation immediately. It needs to build a picture of the fight.
That distinction matters enormously in financial services. False rejection is expensive. A user may obscure or replace the background for privacy reasons. An unusual video stream may be explained by the device, browser, or corporate environment rather than malicious intent. Turning every anomaly into an automatic denial damages the customer journey while flooding the system with noise.
Some signals, therefore, should function as reconnaissance indicators. They should elevate risk, increase scrutiny, and alter downstream handling, but not necessarily trigger an immediate block. In military terms, this is not an order to fire at every shadow. It is the disciplined recognition of signs that pressure is building, resources are concentrating, and the direction of attack may be shifting.
6. The third echelon — reserve and reinforcement at the critical sector
Without reserves, a defense is not mature. It is simply a distributed vulnerability.
In digital identity, reserve capacity appears as the ability to harden policy quickly and precisely where pressure has ceased to be isolated and has begun to take on a systemic character. When a particular attack vector becomes widespread, the defense must be able to convert some soft signals into blocking ones, raise thresholds, increase the weight of specific indicators, restrict suspicious network segments, bring in manual review, and activate more demanding user confirmation flows.
This is what concentration of effort on the main axis looks like. Not maximum hardness everywhere. Not blanket tightening across the board. Force is applied at the point where the attacker is building momentum and where the consequences of penetration are most serious.
That logic aligns with NIST’s risk-based approach and with ENISA’s practical guidance on responding to an evolving attack landscape. But the more important point is structural: only the presence of reserve allows the system to distinguish between noise and an actual offensive, and to avoid wasting energy on indiscriminate tightening across the entire line.
Sun Tzu is useful here not as a source of quotations, but as a source of principle. The side that can identify the main axis of attack does not need maximum defensive density at every point. It needs to recognize, in time, where the outcome of the engagement will be decided.
7. Why a stack of barriers loses to an echeloned defense
The market’s default model is mechanical. A new bypass appears — another detector is added. Another threat follows — a new rule is layered on top. Then manual review is bolted on, anti-fraud is tightened, and an extra risk flag is inserted into the flow. The result is a system that looks dense, but lacks internal discipline.
An echeloned defense begins with a distribution of roles.
The first line repels the direct attack on identity.
The second echelon identifies the pattern of pressure, the scale of the campaign, and the signs of preparation.
The third echelon reinforces the sector where pressure has become systemic.
In that structure, the defense stops demanding the impossible from any single model. No component has to be universal or infallible. Each component has to do its job within the larger system of conflict.
That changes the economics of protection as well. Instead of endlessly accumulating loosely connected filters, the organization builds a managed architecture — one capable of distinguishing between real attack activity, background noise, and conditions that justify targeted reinforcement.
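The three roles described in sections 5 to 7, as an added example that is not part of the original article: a small Python decision engine in which a failed liveness check is repelled outright (first line), weak signals on the digital path raise risk per autonomous system without blocking (second echelon), and once a single ASN accumulates campaign-level pressure the reserve promotes one soft signal to a hard block and doubles the remaining weights on that axis only (third echelon). Signal names, weights, thresholds and the sessions are constructed assumptions, not values from NIST, ENISA or any product.

```python
from collections import Counter
from dataclasses import dataclass, field
# Illustrative signal names, weights and thresholds: assumptions, not standard values.
# Second-echelon signals raise risk but never block alone; a replaced background
# is weighted low because it is often a legitimate privacy choice.
SOFT_SIGNALS = {"replaced_background": 1, "virtual_camera": 2, "unusual_runtime": 2, "repeated_device_fp": 3}
CAMPAIGN_THRESHOLD = 3   # flagged sessions from one ASN before the reserve hardens it
STEP_UP_SCORE = 5        # score at which more demanding confirmation is required
@dataclass
class Session:
    session_id: str
    asn: str           # autonomous system the session arrived from
    pad_passed: bool   # first-line verdict: liveness / presentation-attack check
    signals: list      # weak signals observed on the digital path

@dataclass
class Engine:
    asn_pressure: Counter = field(default_factory=Counter)
    hardened_asns: set = field(default_factory=set)

    def decide(self, s: Session) -> str:
        # Echelon 1: a failed liveness check is a direct attack; repel it outright.
        if not s.pad_passed:
            return "BLOCK"
        # Echelon 2: accumulate weak signals per ASN to build a picture of the field.
        score = sum(SOFT_SIGNALS.get(sig, 0) for sig in s.signals)
        if s.signals:
            self.asn_pressure[s.asn] += 1
            if self.asn_pressure[s.asn] >= CAMPAIGN_THRESHOLD:
                self.hardened_asns.add(s.asn)   # pressure here is now systemic
        # Echelon 3: on the hardened axis only, one soft signal becomes a hard block
        # and the rest weigh double; every other ASN keeps the soft policy.
        if s.asn in self.hardened_asns:
            if "virtual_camera" in s.signals:
                return "BLOCK"
            score *= 2
        if score >= STEP_UP_SCORE:
            return "STEP_UP"   # manual review or stronger user confirmation
        return "ELEVATED" if score else "PASS"
def run_scenario() -> list:
    eng = Engine()   # constructed sessions; AS numbers are from the documentation range
    sessions = [
        Session("s1", "AS64501", False, []),
        Session("s2", "AS64500", True, ["replaced_background"]),
        Session("s3", "AS64500", True, ["virtual_camera"]),
        Session("s4", "AS64500", True, ["virtual_camera", "unusual_runtime"]),
        Session("s5", "AS64502", True, ["virtual_camera", "unusual_runtime"]),
        Session("s6", "AS64500", True, ["unusual_runtime", "replaced_background"]),
    ]
    return [(s.session_id, eng.decide(s)) for s in sessions]
```

Sessions s4 and s5 carry identical signals; only s4 is blocked, because its ASN has crossed the campaign threshold while s5's has not, which is the concentration of force on the threatened axis rather than blanket tightening.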
8. What this means for financial services
For banks, brokerages, payment platforms, and insurers, this is not only a question of formal security. Two forms of loss are in tension at all times: direct fraud loss and the damage caused by breaking the legitimate customer path.
A linear and poorly integrated defense usually harms both. It creates friction for honest users while remaining permeable to organized attackers who do not strike frontally, but move through the seams between layers and processes.
The practical conclusion follows directly. A strong digital identity system should not be defined by maximum rigidity. It should be defined by control. Its value lies not in the sheer number of filters, but in the ability to distribute functions correctly, read changes in the situation, and apply reinforcement at the threatened sector without collapsing the overall customer journey.
9. Conclusion
Digital identity in financial services requires more than a bundle of technologies. It requires a defensive architecture.
The first line must repel the direct attack on identity in real time — presentation attacks, impersonation, deepfakes, and straightforward bypass attempts. The second echelon must perform the function of reconnaissance and counterintelligence — detecting spikes in risk, signs of campaign preparation, and the likely direction of the main effort. The third echelon must function as reserve — rapidly strengthening the defense at the point where attack activity shifts from isolated to systemic.
Reliability in this domain does not come from a universal detector, nor from the mechanical accumulation of filters. It comes from depth, role separation, and the ability to manage adversarial pressure across the full defensive formation.
In the language of military theory, that is what a prepared defense looks like.
In the language of financial services, it is the only realistic way to protect digital trust in an untrusted environment.