Foil sits alongside your KYC vendor, not in place of it. The vendor checks whether the identity is valid; Foil checks whether a real human at a real device is operating the form. Stacking the two catches fraud that passes each layer individually - especially synthetic-identity farms, anti-detect browsers, and repeat submissions from one device under many identities.
The threat
KYC-gated flows (fintech onboarding, crypto exchanges, gambling, lending, payouts, any “high-limit” account upgrade) attract some of the most well-funded browser automation on the public internet. The rewards per account are large enough to justify real investment: stolen identity kits bought on dark markets, anti-detect browsers ($100–$500/month retail), residential proxy pools, and increasingly LLM-driven agents that can fill forms and respond to vendor prompts autonomously. Four abuse patterns dominate:- Synthetic identities. Fabricated or Frankenstein PII (real SSN, fake name; real name, fake DOB) submitted through automated browsers. Individual submissions may pass the KYC vendor’s checks because the underlying data points look plausible; the tell is the browser operating the form, which Foil sees.
- Identity farming. Operator runs dozens or hundreds of accounts through KYC on one device using different PII each time, then resells the verified accounts. Every individual submission looks fine; the visitor fingerprint betrays the pattern.
- Anti-detect browser fraud. Multilogin, GoLogin, Kameleo, and similar tools specifically exist to defeat device fingerprinting - the KYC fraud market is their primary customer base. These environments push Foil’s overall
risk_scoreup even when the behavioral profile looks human, and the stored session’sruntime_integritysurface explicitly flags tampering and virtualization. - Liveness / video bypass. Virtual cameras, deepfakes, and face-swap tooling target the selfie/liveness step. This is primarily the KYC vendor’s problem, but the browser environment used to run the bypass often trips Foil’s virtualization and anti-tamper signals.
The flow
1
Start Foil when the KYC flow begins
This might be the “Upgrade your account” button or the start of a dedicated onboarding journey. Collection needs time - KYC is one of the rare surfaces where you can afford to wait for fingerprint readiness.
2
Gate form submission on waitForFingerprint()
Unlike a login page, KYC users expect friction. It’s fine to disable the final submit button until Foil’s fingerprint has frozen - this guarantees you’ll get a stable
visitor_fingerprint.id for cross-session correlation.3
Call getSession() at submit
Handoff travels with the KYC payload.
4
Pre-check the Foil verdict and risk score
Hard-block on
bot. For human verdicts, apply a stricter risk_score threshold than you would on a lower-friction surface - a borderline score on a regulated flow usually warrants manual review.5
Check the fingerprint's history
GET /v1/fingerprints/:visitorId - has this device run KYC before under a different identity?6
Forward to the KYC vendor with Foil metadata attached
So the vendor’s own decision engine can incorporate the signal on their side.
7
Monitor post-KYC sessions
A verified account that starts behaving like automation later is a strong account-takeover or farming signal. Keep Foil on sensitive in-app actions.
Client integration
KYC is the one surface wherewaitForFingerprint() should block submission. False positives from slow fingerprinting are cheap here (the user will wait), and false negatives from submitting before fingerprint freeze are expensive (you lose the visitor ID that catches identity farming).
Server verification
The pattern below uses a generickycVendor.verify(...) placeholder. Substitute Persona, Onfido, Veriff, Sumsub, Socure, Alloy, or your internal equivalent.
The KYC_RISK_SCORE_THRESHOLD below is set at 30 as a starting point - well below Foil’s default bot verdict threshold (~70) but strict enough that genuinely suspicious sessions don’t auto-approve on a regulated flow. risk_score is an integer from 0 to 100; tune the threshold to your traffic.
Layered decision matrix
The decision you hand back to your own business logic (and record on the KYC row) should be the product of Foil and the vendor verdict, not either one alone.risk_score is an integer 0–100; below the bot verdict threshold of ~70 there’s still a lot of useful gradient, and KYC is the surface where you should care about it.
Two principles worth holding:
- Never auto-approve on vendor-only signal for a KYC-gated flow. If Foil’s
risk_scoreis elevated or the verdict isinconclusive, the vendor saying “approved” is not enough to promote an account to its full permission set. - Use a stricter
risk_scorethreshold than you would on other surfaces. Foil’s defaultbot/humancutoff is tuned for broad use across signup, login, and content surfaces; KYC’s false-negative cost justifies treating anything above roughly30as worth a human look.
Runtime integrity: deeper environment signal
When the sealed-token verdict isn’t enough - high-limit approvals, compliance-heavy jurisdictions, repeat-review queues - fetch the stored session and inspectruntime_integrity. These are discrete named flags computed server-side from the full observation stream, and they let you write precise rules instead of thresholding a single aggregated score.
Node.js
tampering_detected, emulation_suspected, and identity_spoofing_suspected deserve a manual-review route even when the sealed-token verdict is human and the risk_score is under threshold. They’re the signals most likely to be silent on the aggregated score when an attacker is specifically tuning against it.
runtime_integrity is only available via GET /v1/sessions/:sessionId - it’s not on the sealed token. Two integration shapes work well:
- Session readback on every KYC submission. One extra API call per verification; negligible next to the cost of the KYC vendor itself.
- Session readback only on borderline cases. Fast path on clean
human+ low-score submissions; fetch the stored session for everything else, including themanual_reviewpaths in the code above.
Identity farming: cross-session correlation
The visitor fingerprint is the axis that catches farms. One device running KYC under five identities over two weeks looks human on every individual submission - it is human, just a human engaged in fraud. The tell is inGET /v1/fingerprints/:visitorId.
Node.js
- 2+ distinct accounts from the same visitor fingerprint completing KYC → manual review. Real households exist, but KYC-gated flows rarely involve two adults on the same device.
- Any prior
verdict: "bot"on that fingerprint in the last 90 days → manual review. The device has failed Foil before. lifecycle.seen_count > 50with first-seen under 24 hours → auto-reject. That’s a headless browser being spun up repeatedly on one machine.
Attaching Foil signal to the vendor
Most KYC vendors expose a metadata orcustom_fields parameter on their verification API. Putting Foil’s session ID and verdict there pays off in two ways:
- Vendor-side rules. Modern KYC platforms (Alloy, Sardine, Socure, Sumsub rules engine) let you write decisioning on custom fields. “Decline if
foil_risk_score >= 30AND document score below 0.9” is a one-line rule that would otherwise require integrating Foil into the vendor’s system separately. - Post-hoc reconciliation. When a chargeback, SAR, or compliance audit surfaces a KYC approval months later, the Foil session ID stamped on the vendor record lets you pull
GET /v1/sessions/:sessionIdand recover the full device evidence - includingruntime_integrityandsignals_fired- from the time of submission.
foil_attribution_category pulls from attribution.bot.facets.category.value when present; on human verdicts it’s generally null, so you may want to store "human" for consistency.
Post-KYC monitoring
Getting ahuman verdict at KYC submission is necessary but not sufficient. Account takeover happens later - the KYC is clean, but six months on, someone logs in from a new device, hardens their settings, and starts draining the account or withdrawing funds. Keep Foil on:
- Every login (see Login & credential stuffing).
- Payout / withdrawal / transfer initiation.
- Limit-increase requests (the typical next step after compromise).
- Any sensitive setting change - email, password, 2FA, beneficiary.
bot verdicts or an elevated risk_score on withdrawals is a very strong ATO signal, and the fact that the account is KYC-verified makes the response more important, not less - the attacker has done the work to look legitimate precisely to unlock high-limit actions.
What’s next
Signup protection
Stop automated account creation before KYC even starts.
Promo & trial abuse
The same cross-session correlation pattern, at lower stakes.
Verdicts & scoring
Deep-dive on
verdict, risk_score, and where thresholds come from.Privacy & data
What Foil stores and for how long.