Has AI broken biometrics? Zero-knowledge may be the only fix, says Paul Inglis, SVP and General Manager, EMEA at the platform Ping Identity.
Artificial intelligence has fundamentally altered the economics of fraud. What was once the “gold standard” of identity – biometrics – is being systematically dismantled by generative AI. Deepfakes and synthetic tactics now mimic faces, voices, and fingerprints with enough precision to fool legacy sensors, leading the National Cyber Security Centre to elevate deepfake threats to a top-priority concern.
The danger here is severe. Unlike a password or a payment card, a retina or a fingerprint cannot be reissued. Once a biometric template is compromised, the breach is permanent. As AI advances, these stored templates are no longer just identifiers; they are high-value targets.
Where traditional models fall short
Historically, spoofing biometric systems required specialist hardware and deep expertise. Today, algorithms can generate “masterprints” capable of matching multiple users or replicating facial characteristics with alarming precision.
This has resulted in a thriving dark web commodity market. “Selfie with ID” bundles and hybrid identities – blending stolen traits with synthetic modifications – are readily available to bypass onboarding checks. From a business perspective, the very data we use to secure digital transactions has become our greatest vulnerability.
Eliminating biometrics is not the answer; the answer is inverting how we use them. Traditionally, organisations stored biometric templates on central servers, creating a centralised honeypot for attackers. Even “sharding” – splitting data across servers – often fails because the vendor still controls the infrastructure, maintaining a centralised trust model.
Zero-Knowledge (ZK) Biometrics takes a different approach. By leveraging advanced cryptography, we can confirm a user’s identity without ever exposing or storing retrievable data.
In this model, a facial scan is converted into an encrypted, non-invertible format on the user’s device. When that user later logs in, a new scan is checked against the stored version without the original image ever being revealed or reconstituted. This offers the scale of a centralised system with the ironclad privacy of an on-device solution.
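The matching step described above, where a fresh scan is checked against a stored value without the enrolled template ever being reconstructed, can be illustrated with a fuzzy commitment. The following is an added teaching example, not code from Ping Identity or from the article; the 80-bit "template", the repetition code and the `enroll`/`verify` helpers are all constructed here. A random key is bound to the template at enrolment, and only the masked codeword and a hash of the key are kept; a re-scan that differs in a few bits still unmasks to the same key, while an unrelated scan does not. A repetition code is used for readability and leaks more about the template than a production error-correcting code would, so treat this as an illustration of the property, not a deployable scheme.

```python
"""Toy fuzzy commitment: match a noisy biometric re-scan against a stored
record that does not contain the template (constructed illustration)."""
import hashlib
import secrets

REPEAT = 5                         # repetition factor: tolerates 2 flipped bits per block
KEY_BITS = 16                      # random secret bound to the template at enrolment
TEMPLATE_BITS = KEY_BITS * REPEAT  # 80-bit stand-in for a feature vector


def bits_from_bytes(data: bytes, n: int) -> list[int]:
    """First n bits of data, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)][:n]


def bits_to_bytes(bits: list[int]) -> bytes:
    value = int("".join(map(str, bits)), 2)
    return value.to_bytes((len(bits) + 7) // 8, "big")


def encode(key: list[int]) -> list[int]:
    """Repetition code: each key bit is written REPEAT times."""
    return [b for b in key for _ in range(REPEAT)]


def decode(noisy: list[int]) -> list[int]:
    """Majority vote per block; corrects up to REPEAT // 2 flips per block."""
    return [1 if sum(noisy[i:i + REPEAT]) > REPEAT // 2 else 0
            for i in range(0, len(noisy), REPEAT)]


def enroll(template: list[int]) -> dict:
    """On-device enrolment: bind a fresh random key to the template.
    Only the masked codeword ('helper') and a hash of the key are stored;
    neither is the template itself."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ t for c, t in zip(encode(key), template)]
    verifier = hashlib.sha256(bits_to_bytes(key)).hexdigest()
    return {"helper": helper, "verifier": verifier}


def verify(record: dict, fresh: list[int]) -> bool:
    """Unmask the helper with the new scan, error-correct, compare key hashes.
    The enrolled template is never reconstructed in this step."""
    key = decode([h ^ t for h, t in zip(record["helper"], fresh)])
    return hashlib.sha256(bits_to_bytes(key)).hexdigest() == record["verifier"]


def constructed_template() -> list[int]:
    # Constructed stand-in for a feature vector; not real biometric data.
    seed = hashlib.sha256(b"constructed enrolment scan").digest()
    return bits_from_bytes(seed, TEMPLATE_BITS)


def flip(template: list[int], positions) -> list[int]:
    out = list(template)
    for p in positions:
        out[p] ^= 1
    return out


def demo() -> dict:
    t = constructed_template()
    rec = enroll(t)
    noisy = flip(t, range(0, TEMPLATE_BITS, REPEAT))  # one flip in each block: 16 bits differ
    impostor = [b ^ 1 for b in t]                       # every bit differs
    return {
        "exact_rescan": verify(rec, t),        # True
        "noisy_rescan": verify(rec, noisy),    # True: noise within the code's correction bound
        "impostor": verify(rec, impostor),     # False: decodes to the wrong key
    }


if __name__ == "__main__":
    print(demo())
```

The record produced by `enroll` is what a server could hold at scale: it lets the verification succeed for the enrolled person and fail for others, yet reversing it to the original template requires the key that was never stored. Real schemes replace the repetition code with a stronger error-correcting code and bind the commitment to a device-held secret so that the stored helper data on its own is of little use.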
The shift to runtime identity
Fraud is no longer just a “front door” problem. It has moved into the session itself – targeting credential resets, account recovery, and high-value moments.
This is where we need to move away from one-time authentication toward continuous re-verification. By using ZK-biometrics, organisations can verify that the user who started a session is still the same verified individual five minutes later, without infringing on privacy.
Future-Proofing for the Agentic Era
The rise of AI doesn’t just affect human users. As enterprises deploy autonomous AI agents to act on their behalf, we face agentic risk. Just as we must prove a human is who they say they are, we must now govern AI agents at runtime.
This can be achieved by ensuring that these non-human actors are tied to a verified human identity and governed by strict runtime controls. Whether it is a human employee or an autonomous agent, the principle remains the same: high-assurance authentication must be continuous and data-silent.
As biometric data potentially becomes more valuable than traditional financial assets, the cost of a breach is too high to ignore. Organisations need systems that are resilient to AI-driven spoofing without sacrificing the seamless experience users expect. By embracing Zero-Knowledge architectures and Runtime Identity, we can turn biometrics back into a secure asset, ensuring trust in an era of synthetic deception.