deepidv
Fraud Prevention | March 18, 2026 | 5 min read

Account Takeover Is the Fastest-Growing Fraud Type — and Passwords Cannot Stop It

Account takeover attacks increased by over 150 percent in 2025. The reason is simple: credentials are cheap, abundant, and easy to weaponise. The solution requires moving beyond passwords entirely.

Account takeover (ATO) — where a fraudster gains control of a legitimate user's account — has become the dominant form of online fraud, and the trend is accelerating. Industry data from 2025 shows ATO attacks increasing at more than double the rate of the previous year, driven by a convergence of factors that have made stolen credentials both abundant and actionable at scale.

The supply side of the equation is straightforward. Billions of username-password combinations are available on dark web marketplaces, harvested from the steady stream of data breaches that show no sign of slowing. Credential stuffing tools — software that systematically tests these stolen combinations against target platforms — have become commoditised, requiring minimal technical skill to deploy. An attacker can purchase a million email-password pairs for the price of a restaurant meal and run them against a banking login page overnight.
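On the defending side, the pattern described above leaves a recognisable trace in login logs: one source trying many different usernames with very few successes. The following is an added example, not code from deepidv or the original article; the event format, the thresholds, and the choice to group by source IP are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = [
    ("2026-03-18T02:00:00", "203.0.113.7", "alice@example.com", False),
    ("2026-03-18T02:00:04", "203.0.113.7", "bob@example.com", False),
    ("2026-03-18T02:00:07", "198.51.100.20", "erin@example.com", False),
    ("2026-03-18T02:00:09", "203.0.113.7", "carol@example.com", False),
    ("2026-03-18T02:00:13", "203.0.113.7", "dave@example.com", True),
    ("2026-03-18T02:00:15", "198.51.100.20", "erin@example.com", True),
    ("2026-03-18T02:00:18", "203.0.113.7", "frank@example.com", False),
    ("2026-03-18T02:00:22", "203.0.113.7", "grace@example.com", False),
]


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames with few successes.

    Returns {ip: sorted usernames that logged in successfully while the IP
    was flagged}; those accounts are the likely takeovers to review.
    Thresholds and per-IP grouping are illustrative assumptions; a campaign
    spread across many IPs needs a different grouping key.
    """
    recent = defaultdict(deque)   # ip -> attempts inside the sliding window
    flagged = defaultdict(set)    # ip -> accounts that succeeded while flagged
    for ts, ip, user, ok in sorted(events):
        now = datetime.fromisoformat(ts)
        attempts = recent[ip]
        attempts.append((now, user, ok))
        # Drop attempts that have aged out of the window.
        while now - attempts[0][0] > window:
            attempts.popleft()
        users = {u for _, u, _ in attempts}
        successes = {u for _, u, s in attempts if s}
        # Stuffing signature: breadth across accounts, not depth on one account.
        if (len(users) >= min_users
                and len(successes) / len(attempts) <= max_success_ratio):
            flagged[ip] |= successes
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, "-> review accounts:", accounts)
```

The legitimate user who mistypes a password once and then logs in is not flagged, while the one successful login inside the flagged burst is surfaced as an account to review.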

The demand side is equally clear. A compromised account at a financial institution, e-commerce platform, or cryptocurrency exchange represents immediate monetisable value. The attacker can drain funds, make purchases, redirect shipments, or leverage the account's trusted status to conduct further fraud. Unlike new account fraud, which requires building a synthetic identity from scratch, account takeover exploits the trust and history that the legitimate user has already established.

Multi-factor authentication has been the standard defensive response, and it does raise the bar. But the bar has not been raised high enough. Real-time phishing kits that intercept both passwords and one-time codes are now widely available. SIM-swapping attacks reroute SMS-based authentication codes to the attacker's device. And social engineering — calling the victim's mobile carrier to transfer their number — remains effective despite industry awareness campaigns.

The fundamental problem is that knowledge-based and possession-based authentication factors can both be stolen. A password is knowledge that can be phished. A phone is a possession that can be SIM-swapped. An email is a communication channel that can be compromised. Any authentication system that relies exclusively on factors that can be transferred from the legitimate owner to an attacker is inherently vulnerable.

Biometric authentication addresses this by introducing a factor that cannot be transferred. A person's face, fingerprint, or iris pattern is inherent — it belongs to them and cannot be handed over, stolen, or phished in the way a password or OTP can. When a high-risk action triggers a biometric verification check, the system confirms that the person currently using the account is the person who owns it. No credential to steal. No code to intercept.

The implementation challenge is ensuring that the biometric check itself is resistant to spoofing. Presentation attacks — holding up a photograph, wearing a 3D-printed mask, or using a real-time deepfake face swap — are the attacker's response to biometric authentication. Effective defence requires liveness detection that confirms the biometric input is from a live person, combined with deepfake detection that identifies synthetic overlays.

For platforms experiencing rising ATO rates, the path forward combines biometric step-up authentication for high-risk actions with continuous session monitoring. deepidv offers both, providing real-time identity verification that stops account takeover at the moment of attack.
