If you found this blog post interesting you might also enjoy our regular series of webinars about practical ways to improve the security of people working outside the office.

In our two most recent blog posts we’ve highlighted a growing problem from two directions; first, a deepfake video call convincing enough to move $25 million, at the engineering firm Arup, then a ten-minute phone call to an IT help desk that took a major company offline. Different attacks, one underlying failure: organisations have lost any reliable way to confirm that the person on the other end of a call, or a request, is actually who they claim to be.

This post is about what we’ve created to do something about it.

Loxada Verify did not start on a whiteboard. It started with a question from our customers. Because we already protect people at the uncontrolled network edge, some of the organisations we work with asked us a simple thing: could we also help them with deepfakes? Their leadership was increasingly worried about AI-driven impersonation, and they wanted to know whether the company that had secured their network edge could do something about it.

So we looked into it and the more we researched, the clearer it became that deepfake video was only the tip of the iceberg. The real problem was broader and quieter. Across calls, help desks, and everyday requests for access, organisations had lost any reliable way to confirm that the person on the other end was who they claimed to be. Verify is what we built in response, hand in hand with a small number of those customers, on the same managed-hardware foundation that already sits between our people and the networks they cannot control.

We didn’t set out to build a deepfake product. Our customers asked, we researched it, and the real problem turned out to be far bigger than deepfakes.

Every method we have traditionally used to verify a person is now routinely being defeated. Knowledge-based checks are undone by LinkedIn and old data breaches. Callbacks are undone by number spoofing and SIM swaps. Recognising a face or a voice is undone by AI. Each of these relies on something an attacker can research, spoof, or synthesise.

Verify works on a different axis. Instead of asking what someone knows, or trusting a face or voice that can be cloned, it confirms, in real time, that the person you are dealing with is genuinely connected through a company-issued device. That is something an outside attacker cannot fake, because they are not on your hardware.

Knowledge, voice, and face can all be faked. Being physically connected via a company device cannot.

In practice, that means both sides of a high-trust interaction can be verified. A help desk agent handling a password or MFA reset can confirm the caller is genuinely an internal device holder, rather than someone impersonating one. An employee taking a call that claims to come from IT or HR can confirm the same about the caller. The assurance is grounded in hardware, not in something either person has to remember, spot, or judge under pressure.

For the organisations we already work with, this is not another device to deploy or another app to train people on. The hardware that protects them at the network edge becomes the thing that also lets them prove who they are to one another. Verify is a capability on a platform they already trust, not a separate product bolted on the side.

Verify requires both people to be on company-issued devices, and that is deliberate. It is not a limitation to work around. It is the point. The interactions that matter most, a password reset, a payment authorisation, an access request between colleagues, are exactly the ones where both sides should already be on managed hardware. Verify turns that shared foundation into proof.

It is worth being clear about what Verify does not do, because a product that claims to solve everything solves nothing. Verify is built for live, high-trust interactions between people inside an organisation. It is not an email security tool, and it does not address business email compromise, where there is no live interaction to verify. It does not replace your identity provider, your endpoint protection, or your existing controls. And it does not help where an attacker will never be on your hardware, such as a consumer scam.

What it closes is a specific, well-evidenced gap: confirming, reliably, that the internal person you are dealing with is who they claim to be. As the previous two pieces showed, that gap sits underneath a striking share of today’s most costly incidents.
Verify runs on the same managed-hardware foundation as the rest of what we do. Securing the uncontrolled network edge is where Loxada started. It is not where we intend to stop.

Loxada Verify is arriving later in 2026, and we are building it alongside a small number of organisations ahead of a wider launch. If confirming who your people are really speaking to is a problem you are starting to size up, we would welcome an early conversation.

If you found this blog post interesting you might also enjoy our regular series of webinars about practical ways to improve the security of people working outside the office.