This is part two of our four-part series on why digital credentials are the next identity primitive. You can read part one here.
Most identity verification still begins with a document. A passport, a driving licence, a utility bill. The user photographs it or uploads a scan, and the receiving organisation runs checks against databases, facial comparison algorithms, and pattern-matching tools.
The weakness is in the medium: these artefacts carry no cryptographic proof of origin. A JPEG of a passport has no verifiable link to the issuing authority, no signature to check, and no tamper-evident seal, so the receiving system cannot confirm programmatically that the document is genuine. Forgery is a design problem, built into the format.
The consequences run in two directions at once, trapping organisations in a loop that is hard to escape.
On the friction side, 68% of consumers have abandoned digital sign-up processes due to slow, intrusive, or document-heavy identity checks, up from 63% in 2020 and 40% in 2016. That abandonment carries a measurable cost: EUR 5.7 billion lost annually in abandoned financial services onboarding across the EU. Seventy percent of financial institutions globally lost clients in the past year due to inefficient onboarding.
On the fraud side, six percent of all documents processed in 2025 were flagged as fraudulent, roughly one in sixteen: a baseline fraud rate in a system that hundreds of millions of people use every year. Digital document forgeries now account for 57.46% of all detected fraud in Europe, overtaking physical counterfeits for the first time, with a year-on-year increase of 244%. AI-generated identity documents rose 281% in the past 12 months across Europe. Sophisticated fraud attempts increased 180% year-on-year, now constituting 28% of all fraud attempts, up from 10% in 2024.
Organisations face a bind: tightening verification increases abandonment and drives away legitimate customers, while loosening it lets more fraud through. Layered checking can only partly compensate, because the underlying medium was never meant to carry cryptographic assurance.
If document-based verification handles the front door, passwords handle everything after. They are the primitive for ongoing identity: logging in, authorising transactions, accessing services day after day.
Passwords are shared secrets. They sit in databases that can be breached, in browser autofill stores that can be compromised, and in human memory that defaults to reuse and simplicity. The average employee now manages 191 username and password combinations, according to industry research, and 24 billion compromised credential pairs are available on the dark web.
The same friction pattern appears here: 52% of customers abandon applications that take over 10 minutes to complete, and a significant share of that time goes to account creation, password rules, and multi-factor authentication. The average corporate employee receives roughly 37 "forgot password" emails per year, each one a small failure of the system and a possible opening for social engineering.
The attack surface is familiar: password resets can be intercepted; MFA fatigue attacks bombard users with push notifications until they approve one out of exhaustion; credential stuffing runs breached username-password pairs across thousands of services, exploiting the reuse that 191 passwords per person makes almost inevitable. Phishing, once crude, is now personalised and context-aware at scale.
Account takeover attacks in fintech increased by more than 800% year-on-year, according to industry data, a growth rate that reflects how cheaply and systematically these weaknesses can be exploited. Wherever passwords are the primary authentication mechanism, the economics tend to favour the attacker.
Document verification and password management feel separate because they sit in different parts of the organisation: onboarding versus IT security, different vendors, different budgets. In practice, they answer the same question in two forms: can this person prove who they are to gain access, and can they prove it again to keep access? Only the timing differs; the requirement is the same.
One line from industry research captures it: "Once you see it, identity is the invisible force enabling or preventing almost everything that happens in digital services." Working inside one silo obscures that. The IDV problem and the IAM problem are one problem, approached from different angles with different tools and similar blind spots. Any replacement has to cover both the initial proof and the ongoing proof in one coherent model.
The regulatory response has been extensive and well-intentioned. GDPR established data protection requirements. PSD2 introduced strong customer authentication for payments. PSD3 reached political agreement in November 2025, with compliance expected from the second half of 2027 to early 2028. eIDAS 2.0 entered into force in May 2024, requiring EU Member States to make digital identity wallets available by the end of 2026 and mandating acceptance by December 2027. DORA imposes operational resilience requirements on financial entities across the EU.
Each rule addresses real harm, but it stacks new obligations on infrastructure that predates it. Document-based IDV and password-based IAM took shape before these duties existed, so every new layer adds cost and complexity to systems that already struggle at their core job.
The cost adds up. USD 72.9 million is the average annual spend on AML and KYC operations per firm globally, with UK institutions reporting USD 78.4 million. Individual banks spend between USD 60 million and USD 175 million annually on KYC reviews alone. Those figures reflect the operational load of running compliance on infrastructure that produces no cryptographic proof and needs extensive manual and automated checking to compensate.
Regulators see failures and tighten requirements; organisations add checks and layers; cost and friction rise while the underlying formats stay the same. The pattern feeds on itself.
Exploiting these weaknesses has always been possible; what has changed is how cheap and scalable an attack has become.
On the document side, AI has moved high-quality forgery from a skilled, expensive craft to something closer to a commodity. The five-fold increase in AI-generated document fraud year-on-year is one indicator; deepfake incidents rose over 700% in France alone since 2024, and generation techniques still outpace many detection stacks.
On the password side, AI-assisted phishing produces personalised, context-aware messages at a volume and polish that generic awareness training struggles to match. Credential stuffing stays automated and cheap. MFA bypass techniques improve as attackers model authentication flows more precisely.
Ninety-eight percent of fraud leaders in a recent industry survey said they were concerned about AI-enabled fraud.
These vulnerabilities long predate AI: documents lack cryptographic proof of origin, and passwords remain shared secrets. AI makes exploitation of those gaps scalable, affordable, and harder to spot. It is the force multiplier that pushes both systems past the point where incremental improvement alone can keep up.
The onboarding document check and the daily password login share structural limits, face the same class of AI-assisted attacks, and sit under the same compounding regulatory pressure. Treating them as separate problems invites a pile of separate fixes: better scanners, stricter password rules, more factors. Each mitigates a symptom while leaving the medium unchanged: a photographed document or a memorised secret still cannot supply the cryptographic assurance modern identity needs.
What replaces them needs to do both jobs: prove identity at onboarding and sustain that proof through every later interaction, with assurance at each step.
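The two jobs named here, proving identity at onboarding and sustaining that proof at every later interaction, can be shown in working code. The following is an added Go example, not code from this post or from Vidos: it assumes a hypothetical issuer-signed credential format (a JSON record holding the issuer name, the subject, and the holder's Ed25519 public key) and a challenge-response login in which the holder signs a fresh random challenge. It stands in for both the document discussion (an artefact with no verifiable link to its issuer) and the password discussion (a shared secret that any copy of can reuse): the forged copy fails the issuer signature check, and a captured proof or a stolen copy of the credential fails the holder check. Issuer name, subject and challenge bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is the hypothetical record an issuer signs at onboarding; the holder's
// public key is bound into it so later logins prove key possession, not a shared secret.
type Credential struct {
	Issuer    string `json:"issuer"`
	Subject   string `json:"subject"`
	HolderKey []byte `json:"holder_key"` // holder's Ed25519 public key
}

// SignedCredential is the exact bytes the issuer signed plus the issuer's signature.
type SignedCredential struct{ Payload, Signature []byte }

// IssueCredential is the onboarding step: the issuer signs the serialised credential.
func IssueCredential(issuerPriv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{payload, ed25519.Sign(issuerPriv, payload)}, nil
}

// VerifyCredential checks origin: the issuer's signature over the bytes as received,
// which is the check a photographed document cannot offer.
func VerifyCredential(issuerPub ed25519.PublicKey, sc SignedCredential) (Credential, error) {
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return Credential{}, fmt.Errorf("issuer signature invalid: tampered or not from this issuer")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	return c, nil
}

// VerifyLogin is the ongoing step: re-check the credential, then check the challenge was signed by its bound holder key.
func VerifyLogin(issuerPub ed25519.PublicKey, sc SignedCredential, challenge, proof []byte) (string, error) {
	c, err := VerifyCredential(issuerPub, sc)
	if err != nil {
		return "", err
	}
	if len(c.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(c.HolderKey), challenge, proof) {
		return "", fmt.Errorf("holder proof invalid: wrong key or stale challenge")
	}
	return c.Subject, nil
}

// freshChallenge draws 32 random bytes; a new one per login makes captured proofs useless.
func freshChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// ScenarioResult holds one flag per check in RunScenario.
type ScenarioResult struct {
	OnboardAccepted, TamperRejected, ReplayRejected, StolenRejected bool
	LoginSubject                                                    string
}

// RunScenario walks the lifecycle on constructed data: issue, verify, tamper, log in, replay, stolen copy.
func RunScenario() ScenarioResult {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	sc, err := IssueCredential(issuerPriv, Credential{Issuer: "example-issuer", Subject: "user-42", HolderKey: holderPub})
	if err != nil {
		panic(err)
	}
	var r ScenarioResult
	_, err = VerifyCredential(issuerPub, sc)
	r.OnboardAccepted = err == nil
	// Tampering: edit the subject inside the signed bytes but keep the old signature.
	forged := SignedCredential{bytes.ReplaceAll(sc.Payload, []byte("user-42"), []byte("user-43")), sc.Signature}
	_, err = VerifyCredential(issuerPub, forged)
	r.TamperRejected = err != nil
	// Login: the holder signs a fresh challenge with the key bound into the credential.
	c1 := freshChallenge()
	proof1 := ed25519.Sign(holderPriv, c1)
	r.LoginSubject, _ = VerifyLogin(issuerPub, sc, c1, proof1)
	// Replay: the captured proof1 fails against the next challenge.
	c2 := freshChallenge()
	_, err = VerifyLogin(issuerPub, sc, c2, proof1)
	r.ReplayRejected = err != nil
	// Stolen copy: the credential bytes alone are useless without the holder's private key.
	_, err = VerifyLogin(issuerPub, sc, c2, ed25519.Sign(thiefPriv, c2))
	r.StolenRejected = err != nil
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints the scenario flags: the genuine credential is accepted, the edited copy fails on the issuer signature, and both the replayed proof and the copy presented by someone without the holder's private key fail on the holder check. The example deliberately omits expiry, revocation and issuer key discovery, which a real deployment would layer on top of the same two checks.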
In the next post, we look at what replaces them: "Every Interaction Is an Intent: How Credentials Unify Identity".
Have a question or want to talk about how Vidos can help? Reach out to our team of real-world practitioners today.
Author: Tim Boeckmann, CEO and co-founder of Vidos
