KYC: Bypass age verification using generative video models

notmine13371 pts0 comments

KYC: Bypass age verification using generative video models

Security incident? Suspected breach?<br>09 71 18 27 69csirt@synacktiv.com

Skip to main content

Search

Switch Language

EnglishToggle Dropdown<br>English<br>French

RSS<br>Github<br>Twitter<br>Linkedin

Our offerPenetration Test / Red Team<br>Incident response<br>Reverse-engineering<br>Development<br>Products<br>CSIRT

Trainings<br>Join us<br>PublicationsPosts<br>Advisories<br>Resources

The company<br>Contact

RSS<br>Github<br>Twitter<br>Linkedin

KYC: Bypass age verification using generative video models

Written by<br>Kevin Tellier, Léo Desmonts - 06/07/2026 - in

Pentest

- Download

Historically reserved for the banking sector, the KYC (Know Your Customer) process is now making its way into many online services, driven by increasingly strict legislation on anonymity and age verification. To comply, platforms deploy significant measures aimed at guaranteeing the "proof of life" of the user behind their webcam or smartphone. However, the meteoric rise of generative video AI models completely reshuffles the deck, offering attackers formidable and accessible tools to fool these systems. The French PVID framework aims to counter this new threat.

This article establishes a state of the art of current verification mechanisms, before detailing how we used AI to successfully bypass the age verification system of a website relying on AWS Rekognition.

Looking to improve your skills? Discover our trainings sessions! Learn more.

Introduction

KYC (Know Your Customer) is a process that aims to link a physical person to a user by ascertaining their identity. Historically, this practice was mostly reserved for financial institutions. Today, it applies, and increasingly tends to apply, to more and more online services. The goal is to establish a relationship of trust: the company must know precisely who it is dealing with before providing a service. With the strengthening of digital legislation, KYC has become a mandatory step in the fight against crimes facilitated by the digital world, such as identity theft or money laundering. More recently, many countries have been reinforcing their legislative arsenal in order to make age verification mandatory for access to certain online services, with pornographic websites and social networks squarely in their sights.

This article seeks to establish a state of the art on KYC methods and existing bypass techniques. We will compare AI-based bypass solutions using local models and a low-cost infrastructure against a cloud equivalent (deepfake-as-a-service). We will close with a concrete example of bypassing age verification on an adult website. If it is mainly this part you are interested in, you can jump right to it.

The reference frameworks

To frame these verifications from a technical standpoint, several standards have been created. In France, ANSSI has set up the PVID framework (Prestataire de Vérification d'Identité à Distance — Remote Identity Verification Provider). It mandates "proof of life" tests to ensure that the user is physically present behind their camera and is not using a mere photo, a pre-recorded video or a mask.

At the European level, the eIDAS regulation serves as the framework. Its purpose is to harmonise practices across member states: a digital identity validated in one country must be recognisable throughout the European Union. Furthermore, the PVID framework is designed to meet at least the requirements of eIDAS.

Internationally, approaches vary by geographic region. The United States, for example, has no centralised framework. Obligations are risk-based and depend heavily on the sector of activity. One example of guidance is NIST SP 800-63, which concerns digital identity and focuses on the analysis of contextual data. In other countries, such as India with the Aadhaar system, the state uses a centralised biometric database to identify each citizen.

The stakes of KYC

For companies, the main stake is the balance between compliance and customer experience. On the one hand, complying with standards such as PVID is a strict legal obligation for certain activities, such as the AML-CFT (LCB-FT) framework imposed on the financial sector. On the other hand, KYC is the first point of contact with the user. If it is too complex or too long, it can create friction that may push the customer to abandon the process. The challenge is therefore to offer a verification journey that is both robust and smooth for the user.

On the user side, KYC is often perceived as a constraint, oscillating between security and privacy. In a world where digital identity theft is highly prevalent, these procedures guarantee that no one will be able to open a bank account or take out a loan in their name. However, this implies entrusting sensitive data (identity document, biometric data, etc.) to third-party platforms. The stake for the user is therefore trust: they accept the constraint of KYC on the condition that their data is protected and that the process is not...

verification user identity bypass framework using

Related Articles