The evolving risk of standard biometrics in the AI era

Zero-knowledge biometrics security

For years, biometrics were marketed as the “unhackable” replacement for the vulnerable password. In the age of AI, that gold standard is losing its lustre. The economics of fraud have shifted: AI has lowered the barrier to entry for sophisticated spoofing, and the traditional reliance on stored biometric templates has turned from a convenience into a permanent liability.

The core of the problem is the storage of biometric templates on central servers. Even when techniques such as sharding split the data across multiple servers, the vendor usually controls all of the infrastructure, so the trust model remains centralised: whoever can reassemble the shards holds the template, and that party remains a high-value target. Because a fingerprint or retina cannot be reset like a password, a breach is not a temporary lapse but a permanent compromise of a user’s biological identity.

The rise of synthetic deception

The threat is no longer theoretical: the UK’s National Cyber Security Centre has raised deepfakes to a top-priority concern, and AI-driven spoofing, whether a synthetic face presented to the camera or synthetic video injected into the capture pipeline, defeats legacy sensors with alarming precision. Today’s dark web is not just selling passwords; it trades in “Selfie with ID” bundles and hybrid identities that blend stolen traits with synthetic modifications. To counter this, we must stop trying to build a bigger wall around stored data and instead move toward a data-silent architecture, one in which no server ever holds a biometric that could be replayed or reconstructed.

Implementing a Zero-Knowledge framework

The fix is not to abandon biometrics but to invert how they are handled, through Zero-Knowledge (ZK) Biometrics. The scan is transformed locally, on the device, into a protected template from which neither the original image nor the underlying feature vector can be recovered, and only that template ever leaves the device. Non-invertibility is the property that matters: ordinary encryption is reversible by whoever holds the key, so an encrypted template in a central database is still a central database of biometrics. In practice the transform is a template-protection scheme such as a cancelable biometric or a fuzzy commitment, or a match carried out under homomorphic encryption or a zero-knowledge proof; the strict cryptographic sense of zero knowledge, a proof that reveals nothing beyond the fact that the match succeeded, is the bar such a system should be held to.

When a user logs in, a fresh scan is processed on the device and checked against the protected template; the original image is never reconstituted, and the server learns only whether the match succeeded. Two captures of the same person never agree bit for bit, so the check must tolerate sensor noise while still rejecting an impostor, which is why these schemes pair the template with error correction rather than exact comparison. The model gives the enterprise-level scale of a centralised system without the privacy risk of a central biometric database, and because a protected template can be revoked and re-issued under a fresh key, a leaked template need not be a compromise for life. That helps organisations meet regulatory requirements while leaving the user in control.
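To make concrete what “checked against the stored version without the original image ever being reconstituted” involves, here is a fuzzy-commitment template-protection scheme (the Juels–Wattenberg construction) in Python. It is an added example written for this page, not Ping Identity’s implementation. It assumes a hypothetical 224-bit binary feature vector of the kind a real system would derive from a face or fingerprint; the vectors here are constructed pseudo-randomly so the script runs offline, and a simple repetition code stands in for the BCH or LDPC codes a deployment would use. Enrolment binds a fresh random key to the feature vector by XOR-masking its codeword; what is stored is that mask (the “sketch”) plus a salted hash of the key, neither of which yields the feature vector on its own. A fresh, noisy scan of the same person unmasks a codeword close enough to decode back to the key; an impostor’s scan does not.

```python
"""Fuzzy-commitment template protection (Juels-Wattenberg construction).

Added example for this page, not Ping Identity's code. The 'feature bits'
are a hypothetical 224-bit binary feature vector; they are constructed
pseudo-randomly here so the script runs offline. A repetition code stands
in for the error-correcting codes a real deployment would use.
"""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_BITS = 32                   # secret bound to the biometric at enrolment
REP = 7                         # repetition factor: tolerates 3 flips per block
TEMPLATE_BITS = KEY_BITS * REP  # 224-bit feature vector (assumed size)


def encode(key_bits: list[int]) -> list[int]:
    """Repetition code: each key bit is written REP times."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword: list[int]) -> list[int]:
    """Majority vote per REP-bit block; correct while at most REP // 2 bits per block are flipped."""
    return [int(sum(codeword[i:i + REP]) > REP // 2) for i in range(0, len(codeword), REP)]


def xor(a: list[int], b: list[int]) -> list[int]:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return [x ^ y for x, y in zip(a, b)]


def _pack(key_bits: list[int]) -> bytes:
    return int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")


def _commit(salt: bytes, key_bits: list[int]) -> bytes:
    """H(salt || key): allows a recovered key to be checked without storing it."""
    return hashlib.sha256(salt + _pack(key_bits)).digest()


@dataclass(frozen=True)
class ProtectedTemplate:
    salt: bytes
    sketch: tuple[int, ...]   # codeword XOR feature bits; reveals neither on its own
    commitment: bytes         # H(salt || key)


def enroll(feature_bits: list[int], key_bits=None, salt=None) -> ProtectedTemplate:
    """Runs on the device. Only the returned record is ever stored or transmitted.
    Caveat: the sketch hides the features only as well as the features are
    high-entropy and unbiased; real feature vectors are neither, so treat the
    record as sensitive and prefer keeping it device-bound."""
    if len(feature_bits) != TEMPLATE_BITS:
        raise ValueError("feature vector has wrong length")
    if key_bits is None:
        key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    if salt is None:
        salt = secrets.token_bytes(16)
    sketch = xor(encode(key_bits), feature_bits)
    return ProtectedTemplate(salt, tuple(sketch), _commit(salt, key_bits))


def recover_key(record: ProtectedTemplate, fresh_bits: list[int]) -> Optional[bytes]:
    """Unmask the sketch with a fresh scan, error-correct, and check the commitment.
    Returns the enrolment key on a genuine match, else None. The key (not the
    biometric) is what would then unlock a device credential or answer a challenge."""
    candidate = decode(xor(list(record.sketch), fresh_bits))
    if hmac.compare_digest(_commit(record.salt, candidate), record.commitment):
        return _pack(candidate)
    return None


def verify(record: ProtectedTemplate, fresh_bits: list[int]) -> bool:
    """Accept/reject only: nothing about the biometric is disclosed by the result."""
    return recover_key(record, fresh_bits) is not None


def sample_features(seed: int) -> list[int]:
    """Constructed stand-in for one individual's 224-bit feature vector."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def noisy_scan(feature_bits: list[int], flips_per_block: int, seed: int = 1) -> list[int]:
    """Simulate a fresh capture of the same person: flip `flips_per_block` bits in every block."""
    rng = random.Random(seed)
    out = list(feature_bits)
    for start in range(0, len(out), REP):
        for pos in rng.sample(range(start, start + REP), flips_per_block):
            out[pos] ^= 1
    return out


if __name__ == "__main__":
    alice = sample_features(42)
    record = enroll(alice)
    print("stored sketch equals raw features:", list(record.sketch) == alice)  # False
    print("clean rescan accepted:", verify(record, alice))                      # True
    print("3 flips per block accepted:", verify(record, noisy_scan(alice, 3)))  # True
    print("4 flips per block accepted:", verify(record, noisy_scan(alice, 4)))  # False
    print("impostor accepted:", verify(record, sample_features(7)))             # False
    # Revocation: re-enrol the same person under a fresh key. The new record
    # is unlinkable to the old one because a different codeword masks the same features.
    record2 = enroll(alice)
    print("re-enrolled record differs:", record2.sketch != record.sketch)       # True
```

The error-correction bound is the design knob: a larger tolerance lowers false rejections for genuine users but widens the region an impostor or a deepfake-driven capture can land in, so the threshold is set from measured intra- and inter-person distances, and liveness detection at the sensor remains a separate control that this transform does not replace.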

Runtime and agentic risk

As fraud moves beyond the “front door” of initial login, security must be continuous across the whole identity lifecycle. We are entering the era of runtime identity, where the goal is re-verification at high-value moments such as credential resets or account recovery. With ZK biometrics, an organisation can confirm that the user who started a session is still the same individual minutes later, using the same accept-or-reject check as at login and without exposing any further biometric data.

This continuous oversight is equally critical for the agentic era, as businesses deploy autonomous AI agents to perform tasks on their behalf. These non-human actors must be governed with the same rigor as human employees to mitigate agentic risk. By tying AI agents to a verified human identity and governing them with strict runtime controls, we ensure that every action – whether taken by a person or a bot – is backed by a data-silent, high-assurance anchor.

Biometric data is rapidly becoming more valuable to attackers than traditional financial assets, because a stolen card number can be reissued and a stolen face cannot; the cost of a breach is too high to ignore. To protect it, we must move away from models based on shared trust and toward a Zero-Knowledge standard. By adopting architectures that store no reusable biometric centrally and are hardened against AI-driven spoofing at the sensor, organisations can keep the seamless user experience they need without the catastrophic risk of a permanent data breach.

Paul Inglis, Senior Vice President and General Manager EMEA at Ping Identity

Paul Inglis is Senior Vice President & General Manager EMEA at Ping Identity. With over 20 years of senior leadership experience at companies like Adobe and Hewlett-Packard, Paul currently leads the EMEA sales organisation for Ping Identity.
