ISJ hears exclusively from Arif A. Mamedov, CEO, Regula Forensics, Inc.
Airports are quietly becoming one of the most contested identity battlegrounds in critical infrastructure.
As biometric systems spread across staff access, passenger processing and remote enrollment, the identity layer underpinning airport security is expanding faster than many organisations can reliably control.
Fraud is no longer episodic or peripheral. It is persistent, adaptive and designed to exploit the gaps between systems rather than defeat a single control outright.
Recent survey data shows that while aviation organisations increasingly recognise identity verification as a core security function, many airport environments remain exposed – not because tools are missing, but because identity controls are fragmented, unevenly deployed and difficult to orchestrate under real-world conditions.
Identity verification in aviation: The pressure is rising
Aviation is a highly identity-sensitive sector, balancing operational efficiency with controls that directly affect physical safety and border compliance. Fraud techniques continue to evolve, while passengers and staff still expect fast, low-friction journeys.
Although biometric technologies are now widely piloted, gaps remain in how identity verification (IDV) is implemented, integrated and scaled across airport operations.
The findings are drawn from Regula’s Identity Verification 2025 study, covering airlines, airports and aviation-adjacent businesses across diverse regulatory environment, and indicate that these challenges cut across regions and operating models.
The identity threats aviation encounters most
One finding is unequivocal: None of the respondents reported avoiding identity fraud over the past year. Social engineering and biometric fraud affect the largest share of organisations, reported by 34.48% and 32.18%, respectively.
In operational terms, social engineering attacks typically target people rather than systems. Staff may be pressured to bypass checks through fake internal messages, urgent passenger scenarios or compromised accounts later paired with synthetic identities.
These attacks rarely occur in isolation and are often combined with document manipulation or biometric spoofing to bypass remaining controls.
In aviation environments where biometric checks are used for remote enrolment, staff access or unattended workflows, biometric fraud adds a second layer of pressure.
Tactics range from replaying captured selfies or video during liveness checks to exploiting older systems with printed images, masks or more advanced props in higher-risk scenarios.
As face and voice biometrics become more widely deployed, attackers increasingly probe weaknesses in liveness detection and presentation attack detection (PAD), rather than attempting to defeat the entire identity process outright.
How aviation wants to verify identities
The data suggests a clear move away from document-only checks toward layered identity verification. When asked to describe an ideal IDV stack, respondents prioritised biometric verification first, followed by fraud analytics and dynamic threat prevention.
The underlying intent is consistent across organisations: Bind a real person to a credential with high confidence, interpret fragmented signals as meaningful risk and adjust verification requirements dynamically rather than applying static rules to every interaction.
Biometrics for aviation – and airports in particular
Biometrics ranks highly because identity in aviation is inseparable from physical access, restricted infrastructure and cross-border operations.
Passengers and staff are already accustomed to biometric touchpoints, reducing friction when additional checks are introduced at boarding, staff access points, or crew validation stages.
Biometrics also bridges digital and physical environments. The same biometric trait can be used across onboarding, system access and physical entry, limiting reliance on credentials that can be shared, stolen or forged.
Unlike documents, biometric traits remain consistent across borders, even as passport formats and issuing authorities vary widely by route.
What aviation teams are moving toward
Most organisations are evolving existing document-first processes rather than replacing them entirely.
The near-term focus is on deploying stronger biometrics with PAD in the highest-risk areas – staff onboarding, contractor access, crew validation and airside entry – before expanding to high-volume passenger flows.
There is also growing recognition that biometrics and documents must function together. A clean selfie without a trusted document provides limited assurance, just as document checks without liveness leave clear gaps.
Increasingly, biometric events are being treated as security signals – inputs for investigations, analytics and continuous tuning of controls, rather than simple pass-or-fail gates.
Fragmentation as a direct security risk
Fragmentation is emerging as a security risk in its own right, not merely an operational inconvenience.
More than 78% of respondents report fragmented IDV stacks, with disjointed tools and workflows creating delays, inconsistencies and blind spots that attackers can exploit. Each additional vendor or manual handoff increases complexity and weakens oversight.
In practice, fragmentation manifests as difficulty automating IDV, poor integration between tools, uneven user journeys, slower verification and higher operational costs.
Without stronger orchestration linking document checks, biometrics, screening results and manual review into a single flow, consistent enforcement and effective automation remain difficult to achieve.
Budgets reflect urgency, not comfort
Aviation organisations are already investing heavily in identity verification – and they still see the need for more.
Over the past two years, 56.8% increased their IDV budgets by at least 10%, including just over 10% that raised spending by more than 50%. While some reductions occurred, the overall trend points to sustained prioritisation.
Looking ahead, around 70% believe budgets should increase further, with nearly one in six aiming for another step-change. The gap between current investment and perceived need suggests that existing spending is not viewed as sufficient to keep pace with expanding attack surfaces.
Future budgets are expected to focus on scaling biometrics, strengthening analytics and reducing fragmentation across identity systems.
The Airport Identity Risk Index: Measuring identity exposure
To translate these pressures into measurable risk, Regula has introduced the Airport Identity Risk Index – a model designed to assess identity-related threats across airport environments.
Rather than ranking isolated attack techniques, the index evaluates two critical metrics: How likely specific threats are to occur today and how rapidly they are expected to grow as automation, biometrics and remote enrollment expand.
The index combines expert assessment with observed threat patterns, reflecting how identity systems are deployed in practice – often across mixed environments where automated controls coexist with manual checks and legacy infrastructure.
Airport Identity Risk Index 2026
| Threat | RPI Today | FGP 2028 |
| Forged Documents | 9/10 | 8/10 |
| Weak Chip & Certificate Validation | 7/10 | 9/10 |
| Morphing & Photo Substitution | 4/10 | 6/10 |
| Insider & Restricted-Area Identity Misuse | 4/10 | 5/10 |
| Boarding Pass & Digital Identity Tampering | 6/10 | 7/10 |
| Deepfake-Assisted Remote Enrollment | 4/10 | 7/10 |
| Biometric Presentation & Injection Attacks | 3/10 | 6/10 |
- RPI (Risk Probability Index) – estimates how likely a given threat is to be encountered today in real-world airport and aviation identity-verification environments
- FGP (Future Growth Probability) – assesses the likelihood that this threat will materially increase by 2028, driven by emerging technologies, automation, and operational changes
The index highlights a clear split between the risks airports are dealing with today and those likely to accelerate over the next few years. Traditional document fraud remains the most immediate concern, with forged documents and weak chip or certificate validation ranking highest for current exposure.
At the same time, threats tied to digitalisation and automation are projected to grow fastest, including boarding pass and digital credential tampering, deepfake-assisted remote enrollment and biometric presentation or injection attacks.
While insider misuse and identity abuse in restricted areas appear less frequently today, their impact remains significant due to the level of access involved.
Taken together, the index shows that airport identity risk is shifting from familiar document-based fraud toward more complex attacks that exploit digital credentials, biometrics and gaps between systems rather than single points of failure.
What airports should do next
The data points to a clear shift in priorities for airport security teams:
- Start where identity failures carry the highest physical risk – staff onboarding, crew validation, contractor access and airside entry should serve as the proving ground for strong biometrics and PAD before wider rollout
- Treat biometrics and documents as complementary controls – high-risk actions require at least one trusted document signal paired with a live biometric check. Single-factor approaches should be limited to low-privilege use cases
- Reduce fragmentation before accelerating automation – automation without orchestration increases risk. Airports should prioritise unifying identity signals into a single, controllable flow to restore visibility and enforcement consistency
- Turn identity events into security intelligence – failed liveness checks, repeated retries and anomalous biometric behaviour should feed analytics and threat monitoring, enabling proactive tuning rather than reactive responses.
Why this matters now
Taken together, the survey data and the Airport Identity Risk Index point to the same conclusion: Identity verification in airports has shifted from a supporting process to a frontline security control.
Investment is rising, but so is attacker sophistication. Airports that succeed will be those that treat identity as connected security infrastructure – not a collection of tools – and close gaps before they are exploited.
To find out more information, please visit: regulaforensics.com
