In recent years, the growth of AI tools has fundamentally altered the economics of identity fraud. Deepfakes, synthetic identities, and automated phishing are now able to scale faster than traditional defenses, amplifying threats and shifting the identity landscape rapidly. Identity is no longer just stolen—it’s convincingly fabricated by attackers for a wide range of malicious ends.
Why Stored Secrets Are a Liability
Stored biometrics are a massive risk to individuals and organizations, opening up immutable data to exposure and theft. While stolen or breached passwords can be reset, biometrics like fingerprints, facial structures, and voiceprints cannot be changed so easily in the event of an attack. Attackers leveraging compromised biometric data can gain access to a wide range of sensitive data, accounts, and systems that they can use for further malicious activity, such as catastrophic breaches and account takeover.
Centralized storage of sensitive identity data has become a growing attack surface for threat actors to target, creating regulatory risk and long-term liability for organizations. The particulars of how biometric data is stored, handled, and secured are often not shared with the public, concealing issues related to mass surveillance and function creep. The lack of transparency around biometric information and its protection creates sa ignificant risk to this extremely sensitive data.
What “Zero-Knowledge Biometrics” Actually Means
The concept of zero-knowledge biometrics—pioneered by Keyless, a biometric authentication technology firm that was recently acquired by Ping—is a response to the dangers of stored biometric data. Zero-knowledge principles enable a system to verify that a user is legitimate without ever storing or exposing the biometric itself. This means that the system does not hold the biometric information within it for attackers to target, protecting against breach or exposure of sensitive data.
Zero-knowledge is apt to go along with zero-trust architecture, based on the principle of not inherently trusting users, but continuously verifying authorization. “With 69% of organizations adopting Privilege Access Management (PAM) primarily to prevent credential theft and mitigate cyber threats, solutions based on zero-trust and zero-knowledge principles are increasingly critical to enforce continuous identity verification and secure sensitive data,” says Darren Guccione, CEO and Co-Founder at Keeper Security.
Privacy by Design Meets Security by Default
The zero-knowledge approach to biometrics reduces breach impact by ensuring that biometric data is not stored where it can be targeted and breached by threat actors. It can help to support global privacy regulations that mandate the protection of private data, including biometric information. Not storing biometric data means that organizations have less to worry about regarding the storage, use, and protection of sensitive user information.
Zero-knowledge also aligns with modern “assume compromise” security models that stress reducing the places that sensitive data can be exposed and implementing layered defenses to mitigate risk in the likely event of an attack. Designing systems on the assumption that a breach will happen is a much more realistic approach to modern security than exclusively focusing on preventing compromise from ever occurring. Security strategies that assume compromise are built to protect sensitive areas, encrypt data at rest and in transit, and exercise the principle of least privilege.
Continuous Trust, Not One-Time Authentication
Zero-knowledge is especially important as identity verification can no longer stop at login, but rather must be continuous to ensure trust. Fast, frictionless re-verification enables stronger protection throughout a digital session by maintaining authentic identity and access without impinging too far on user experience.
It is important to strike a balance between user experience and security regarding continuous authentication. “There are continuous ‘behavioral’ authentication capabilities such as mouse movements, typing patterns, gait, and other contextual signals that can constantly verify that you is you,” according to Chris Radkowski, GRC Expertat Pathlock. “However, these raise potential privacy issues and even new AI that can try and mimic you. The fundamental issue is still exists that some ‘friction’ is necessary to initially establish identity.”
Ping Identity and Keyless as a Signal, Not Just a Feature
The recent acquisition of Keyless by Ping is a move that comes as part of a broader industry shift toward cryptographic trust, passwordless experiences, and AI-resilient identity architectures. The deal is indicative of security trends that are growing in the face of an increasingly complex and risk-addled identity landscape. More and more organizations are turning to advanced security principles like zero-knowledge biometrics to protect sensitive data against breach and compromise.
What This Means for Enterprises
The growth of zero-knowledge biometrics offers lessons for CISOs, IAM leaders, and risk teams to look to and use to inform their navigation of AI threats, regulatory pressure, and user experience expectations. The assurance that sensitive identity information is not stored within the system is an important part of protecting biometric data against attackers. Enabling continuous identity checks to fortify authentication throughout sessions requires consideration of user experience. This approach can be a significant development for enterprises in defending against modern risks.
The Future of Digital Trust
Moving forward, digital trust will increasingly be based on cryptographic proof rather than stored identity artifacts, as the latter is far more easily compromised and manipulated. The growing popularity of AI makes it all the more urgent to implement privacy-preserving security, presenting new and evolving risks that must be addressed. AI identities and access pose increasing risks to systems where sensitive secrets are stored, demanding sophisticated security answers.
