Skip to main content

Overview

UIP’s impersonation protection works through a simple but powerful mechanism: every business using UIP APIs must have a government-verified identity. This creates complete traceability and legal accountability, making impersonation a prosecutable crime with clear evidence.

How Protection Works

Government-Verified Identity Requirement

Every UIP business account requires the same government ID verification as consumer users:

Identity Verification

Business owners must verify their identity with government-issued ID (passport, driver’s license, national ID)

Biometric Verification

Live biometric verification (selfie matching) ensures the person creating the account is the real ID holder

Permanent Record

All verification data is permanently stored and tied to every API request made by that business

Audit Trail

Every authentication or signature request creates an immutable audit record linking back to the verified business owner

Complete Traceability

When a business makes an API request through UIP:
  1. Request Origin Tracked - The business’s verified UIP account is recorded
  2. Identity Linked - Government ID and biometric data are tied to the request
  3. Permanent Audit Created - Immutable record shows who made the request and when
  4. Legal Evidence Available - Complete chain of evidence for prosecution if fraud occurs
Unlike traditional systems where businesses can hide behind corporate entities or fake registrations, UIP requires a real person with verified government ID to create and use every business account. This makes impersonation traceable and prosecutable.

Why This Stops Impersonation

Criminal Liability

Attempting to impersonate another business on UIP means:
Legal Consequences for Impersonators:
  • Your real government-verified identity is tied to every fraudulent request
  • Complete audit trail provides court-admissible evidence
  • Criminal charges for identity fraud and impersonation
  • Civil lawsuits from impersonated businesses
  • No anonymity - your verified ID is permanently linked to the fraud

Risk vs. Reward

Traditional fraud allows anonymity. UIP makes it impossible:
Traditional SystemsUIP Protection
Create fake business accounts easilyRequires government ID verification
Hide behind corporate shellsReal person’s identity always linked
No traceability after fraudComplete permanent audit trail
Limited prosecution evidenceCourt-admissible cryptographic proof
Low risk, high rewardHigh risk, guaranteed prosecution

User Verification

While the government ID requirement provides the core protection, users can verify legitimate requests:

What Users See

When scanning a QR code or receiving a request, users see:

Business Name

The registered business name from the account

Request Intent

Clear description of why authentication or signature is requested

Verification Status

Whether the business has completed additional business verification (optional badge)

Request Context

What data is being requested and why

User Best Practices

1

Check Business Name

Verify the business name matches what you expect (exact spelling, correct company)
2

Review Intent Message

Read the intent carefully - legitimate businesses use specific, clear language identifying themselves
3

Verify Context

Only approve requests you initiated (clicked a button on their site, started account creation, etc.)
4

Watch for Red Flags

Reject requests with generic intents, urgent language, or from businesses you don’t recognize

Red Flags for Users

Users should reject and report requests if they see:
  • Generic or vague intent messages (e.g., “Authenticate” or “Sign this”)
  • Misspelled business names or similar-looking names
  • Requests they didn’t initiate
  • Urgent or threatening language
  • Requests for unnecessary data (asking for all info when only age verification is needed)
  • Businesses they’ve never heard of claiming to be well-known companies

Reporting Suspected Impersonation

If you suspect a business is impersonating your organization:
1

Document the Fraud

Capture screenshots showing:
  • The fraudulent request (QR code or message)
  • Business name displayed
  • Intent message
  • Date and time
2

Report to UIP

Email [email protected] with:
  • Your legitimate business name and UIP account details
  • Evidence of the impersonation attempt
  • Description of the fraudulent activity
  • Any affected users or transactions
3

UIP Investigation

UIP security team:
  • Investigates within 24 hours
  • Retrieves the impersonator’s government-verified identity
  • Gathers complete audit trail evidence
  • Suspends the fraudulent account immediately
4

Legal Action

With UIP’s evidence package:
  • File criminal charges for identity fraud
  • Pursue civil damages
  • Present court-admissible cryptographic proof
  • Complete chain of custody showing the impersonator’s verified identity

Evidence Package for Prosecution

When impersonation is detected, UIP provides a complete evidence package:
  • Government ID used to create the account
  • Biometric verification data (selfie)
  • Full name and ID details
  • Account creation timestamp
  • All API requests made by the impersonator
  • Intent messages claiming to be your business
  • Target users and requested data
  • Timestamps and IP addresses
  • Immutable cryptographic audit records
  • Chain of custody from impersonator’s account to each fraudulent request
  • Court-admissible evidence
  • Tamper-proof verification
  • API keys used
  • Webhook endpoints configured
  • Request patterns and volumes
  • Integration details

Protecting Your Business

Use Clear, Specific Intent Messages

Make it easy for users to verify legitimate requests from your business: 
{
  "intent": "Sign in to Acme Corp Customer Portal - acmecorp.com",
  "requested_data": ["name"]
}

Best Practices

Be Specific

Always include your exact business name and context in intent messages

Use Your Domain

Include your official domain name in the intent to help users verify

Educate Users

Train users to check business names and intent messages before approving

Monitor Requests

Watch for unusual patterns that might indicate impersonation attempts

Additional Business Verification (Optional)

While government ID verification is required for all business accounts, you can complete additional business entity verification to receive a verification badge:
Business verification is optional and provides a trust badge in the UIP app. The core impersonation protection comes from the required government ID verification, not the business badge.Business verification requires:
  • Business registration documents
  • Tax ID or incorporation papers
  • Proof of business legitimacy
  • Additional background checks

Why This System Works

Traditional Fraud Prevention Fails

Most systems try to prevent fraud at the transaction level:
  • Email verification (easily faked)
  • Phone verification (burner phones)
  • Business registration (fake companies)
  • Trust badges (stolen or forged)
These fail because fraudsters remain anonymous.

UIP’s Approach: Identity-First

UIP prevents fraud at the identity level:
1

Real Identity Required

Every business account requires government ID verification - no fake identities possible
2

Permanent Traceability

Every action is permanently linked to the verified identity - no anonymity
3

Legal Accountability

Impersonation becomes a prosecutable crime with court-admissible evidence
4

Risk Deterrent

The certainty of prosecution and evidence makes impersonation too risky

Identify API

Request user authentication with verified identity

Sign API

Request biometric signatures with audit trails

Audit API

Retrieve permanent audit records for evidence

Resellers & Admins

Best practices for platforms making requests on behalf of users