
The New Biometrics Dilemma: Will They Make Us Safe or Sorry?

Businesses are barreling ahead with biometric systems but…should they? As AI upends all our previous assumptions about the immutability of unique physical traits (they’re now easier than ever to replicate), the true value of biometrics is coming into question. We asked two experts with very different views to drill down on the pros and cons.


Your face can be copied, your voice can be cloned, and your fingerprints might already be in a hacker’s database.

Let’s face it (pun intended): Our unique biometric characteristics are increasingly out there in the digital realm as more government and corporate entities have embraced biometric systems for identity management and security purposes.

But while there’s a chance our facial or fingerprint scans might fall into the wrong hands (pun possibly intended), they do make a lot of our activities easier, faster, more convenient – and more secure, some would argue – which is why the technology is spreading.


Consider these developments in several industries in recent months.

  • Airports – Abu Dhabi announced last year that in 2025 its Zayed International Airport would be the world’s first airport to require biometric boarding, with biometric sensors at every identification checkpoint. Many U.S. airports are also now using facial recognition technology at security gates to verify a passenger’s identity by comparing their live face to the photo on their ID.
  • Financial institutions – The National Bank of Egypt, the nation’s largest bank, announced last month it was deploying BIO-key’s PortalGuard identity and access management platform. This platform uses biometrics and other forms of multifactor authentication (MFA) to ease login and other procedures for its 30,000 employees and (eventually) millions of customers.
  • Credit card companies – Mastercard announced in November plans to enhance online purchases by nixing the need to type in card numbers and passwords in favor of tokenization and biometric authentication by 2030, and Visa and Tencent partnered in September on a pay-by-palm solution to be tested first in Singapore and then in other markets.
  • Healthcare – Recent projections say the global biometrics market in healthcare, now valued at $10.1 billion, will reach $55.4 billion by 2035, thanks to the integration of AI and machine learning and increased adoption in telemedicine services.
  • Stadiums – The 85,000-capacity Más Monumental in Buenos Aires recently deployed a face biometrics solution, and in the United States, Major League Baseball’s Go-Ahead Entry program links facial recognition to ticket accounts, a touchless process that can reduce wait times outside stadiums by as much as 68%, according to a December report.

So, numerous businesses and organizations are barreling ahead with biometric systems. But with security threats evolving faster than ever, the question is: Are biometrics still the future, or are they a cybersecurity Achilles’ heel?

We talked to two pros in the field with very different views on the subject, particularly regarding the role AI can play either way.

The biometrics boom – and its biggest weakness

Facial recognition, retina scanning, and fingerprint authentication are gaining tremendous traction because they seem like great alternatives to passwords and keycards. But here’s the problem: Unlike a password, you can’t change your face. Once stolen, your biometric data is compromised forever.

And according to Roger Grimes, a security evangelist with KnowBe4, a security awareness training firm, that’s exactly what’s happening. In fact, he predicts biometrics will be proven not to be a good authenticator as early as this year.

“All 10 of my fingerprints have already been stolen,” he says, referring to the 2015 U.S. Office of Personnel Management (OPM) breach, where hackers stole the sensitive biometric data of millions. “Now, how can any system that relies on my fingerprint know it’s me?”

It’s not just fingerprints. Malware like GoldPickaxe, recently discovered in Thailand, has been stealing facial scans under the guise of a pension verification app. Somebody can then use the stolen faces to bypass authentication or create ultra-realistic deepfake identities.

Deepfakes make the biometrics problem worse

If hackers can create a near-perfect video of you, speaking in your voice and mimicking your expressions, how secure is facial recognition?

“I can take 30 seconds of your video and create a deepfake of you,” says Grimes. “I do it all the time. I do it for presentations. I need 30 seconds of your voice and a picture of your face, and I can make you say and do anything digitally. How can that be? How can my face or my voice ever be an authenticator?”

AI and deepfake technologies are already wreaking havoc. Last year, for example, deepfakes impersonated executives at the luxury car company Ferrari, UK energy supplier Octopus, and the world’s biggest ad group WPP, among others. In Hong Kong, an employee of the British multinational engineering firm Arup was conned into paying $25 million to a fraudster who used deepfake technology in a conference call to impersonate the company’s CFO. Deepfake frauds impersonating remote IT workers have infiltrated hundreds of U.S. companies. Meanwhile, the Deloitte Center for Financial Services predicts GenAI could enable fraud losses of up to $40 billion in the United States by 2027, compared with $12.3 billion in 2023.


And the tools to create deepfakes are only getting better. Open-source platforms like ElevenLabs and Stable Diffusion have democratized access to AI-powered face and voice cloning. That means criminals no longer need sophisticated hacking skills—just a laptop and an internet connection.

The counterargument: AI may be biometrics’ biggest value-add

Rob Clyde isn’t panicking. Clyde, who is board director for Cybral, an AI security and monitoring firm, and past chairman of ISACA, a global IT governance and cybersecurity organization, recognizes the risks with biometrics. But he notes that, just as AI is proving an invaluable cybersecurity tool, AI-driven biometric defenses are evolving as fast as the threats against them.

“The ability for humans to reliably detect deepfakes is going to continue to decline,” Clyde says. “I do believe AI and systems to detect deepfakes and to ensure that authentication is valid is going to increase. They keep getting better. We’re still just human beings. We’re not going to get exponentially better over time. AI can.”

Some new security solutions are already using AI to counter AI. Tools like Intel’s FakeCatcher, for example, analyze blood flow signals in facial videos, boasting a 96% accuracy rate in spotting deepfake imagery. Behavioral biometrics, which tracks micro-movements and unique interaction patterns, also makes it harder for deepfake imposters to pass undetected.

“We’re using a lot of advanced analytics, looking at microexpressions,” explained Brian Christensen, director of financial services at the identity verification firm Jumio, speaking at last fall’s IdentityWeek America conference. “There’s a lot of interesting passive signals we can get that way.”


Then there’s the rise of multimodal authentication—systems that combine multiple biometrics. A single facial scan might be spoofable, but adding real-time liveness tests, infrared retina scans, or voice authentication makes it exponentially harder to fake.

“Facial recognition today isn’t just a 2D photo anymore,” Clyde says. “The latest versions, like Apple’s Face ID, use 30,000 data points to verify your identity and require attention detection. It’s much harder to trick than older systems.”

The government’s verdict: Biometrics alone aren’t enough

While AI-driven biometrics are improving, major cybersecurity bodies aren’t convinced they’re enough. The U.S. government, for one, isn’t willing to bet national security on facial recognition alone. In fact, last August, the National Institute of Standards and Technology (NIST) updated its digital identity guidelines, stating that biometric authentication should always be paired with a hardware-based authenticator, like a YubiKey token.

“If you use biometrics, you should also use a hardware-based factor,” Grimes advises. “That tells you right there that biometrics aren’t as secure as they claim.”


And it’s not just the government. Tech giants like Microsoft and Google have also started requiring multifactor authentication (MFA) that combines biometrics with hardware tokens, cryptographic keys, or behavioral analysis.

What’s next? Watch for these 5 upcoming biometrics trends

Despite the rise of deepfake threats, biometric authentication isn’t going away. What’s changing is how it’s being used, according to Clyde, who predicts five biometric-related trends:

  1. Biometrics + MFA Becomes Standard – The practice of using a single biometric scan for authentication is ending. Organizations are increasingly layering biometrics with additional authentication factors.
  2. Physical Tokens Make a Comeback – Along those MFA lines, the push for YubiKeys and similar hardware options suggests organizations will increasingly return to the idea of authentication systems that require something you are (biometrics) and something you have (a physical token or other device).
  3. AI-Driven Deepfake Detection Grows – Companies will also step up investments in AI-powered detection tools like FakeCatcher and Truepic to weed out fraudulent biometrics in real-time.
  4. Continuous Authentication Takes Over – Instead of a single login, companies will adopt real-time behavioral biometrics that continuously verify a user’s identity throughout a session.
  5. Biometrics Updates and Refreshes – Biometric systems will be regularly updated with improvements and require more data points over time. This will mitigate the risk of stolen data points being used to create deepfakes that could fool authentication. For example, facial recognition biometric systems might periodically require the user to take new live images and video to create new data points for authentication, thereby rendering the stolen data points obsolete.

The biometrics bottom line

Biometrics are still crucial to the future of authentication. After all, consumers and employees love biometrics’ ease of use – a finger press or glance at a screen versus recalling a complex password – and they bring a big advantage in industries like healthcare, where professionals need quick access to patient data, and other environments where speed is crucial.

It’s also a game-changer in countless offices where workers have to navigate a series of labyrinthine login procedures just to turn their computers on each morning. Biometrics is thus a boon for overall digital employee experience, making workplace tech less of a drag.


And yet despite such attributes, the fact remains they’re no longer the magic bullet they were once thought to be. As deepfake and AI technologies advance, organizations must stay vigilant and adjust if they decide to keep using biometrics.

Or, as Clyde puts it:

“You can’t just trust all biometric systems as they age. They will be less trustworthy. The key is keeping them refreshed and ensuring they’re part of a broader security approach.”

Meanwhile, Grimes offers a starker warning:

“Your fingerprint, your face, your voice – it’s all out there already. The question is, what’s next?”

Wendy Lowder

Wendy Lowder is a freelance writer based in Southern California. When she’s not reporting on hot topics in business and technology, she writes songs about life, love, and growing up country.
