How AI Threats Have Broken Strong Authentication
2025-11-26 05:56:1 Author: securityboulevard.com (view original) Reads: 5

Identity security has reached a tipping point. Stronger locks are no longer enough when adversaries can look, sound and even behave like authorized users. Let’s face it, traditional strong authentication methods like MFA and biometrics are just another deadbolt. The real challenge isn’t letting in users who present a valid credential; it’s proving, beyond a doubt, that the person on the other side of the door is who they claim to be. 

Here’s the core issue. Modern attackers don’t just steal credentials; they attack the entire authentication process. Techniques like deepfakes, adversary-in-the-middle phishing, SIM swaps and push-notification fatigue show that MFA factors—whether “something you know,” “something you have,” or “something you are”—can be intercepted, spoofed, or socially engineered. With so many authentication factors vulnerable, what’s a reliable way to prove identity?  

The Limits of “Something You Are” 

Biometric authentication falls under the “inherence” factor; it uses unique biological traits like fingerprints, facial geometry, or iris patterns to verify identity. At first glance, biometrics seem well-suited to preventing phishing or credential theft: They can’t be guessed, forgotten, or phished. However, this is only true if the system can ensure that the biometric sample is coming from the correct person, in real time and through a secure channel. 

Today’s AI-powered deepfakes make deception harder to detect than ever. Presentation attacks, where a malicious actor tries to fool a sensor with a photo, video, mask, or synthetic voice, are no longer just theoretical. They are now available as a service. Injection attacks can even bypass the camera entirely by feeding a fake video stream into the device. Without advanced, certified presentation attack detection (PAD) and anti-spoofing measures, a biometric system can be compromised without the attacker ever being physically present. 

The Limits of MFA  

It’s tempting to think that combining biometrics with another factor automatically resolves the issue. However, if that second factor is weak, like an SMS code prone to SIM swapping, then the “multi-factor” label can give a false sense of security. In reality, many so-called MFA implementations check boxes for compliance but don’t stand up to modern attack techniques. 

This is why NIST’s Authenticator Assurance Levels (AALs) are so important. They shift the conversation from quantity (“Do you have MFA?”) to quality (“Does your authentication meet AAL2 or AAL3?”). High-assurance systems combine independently strong factors in a way that resists phishing, replay and man-in-the-middle attacks. 

Biometrics as Multi-Factor  

One misconception is that biometrics are always a “single factor.” In practice, biometrics become stronger when combined with complementary signals or safeguards. For example, pairing a biometric with a behavioral pattern, a user-supplied PIN, or location/contextual checks can provide additional assurance—especially when authentication happens in an unfamiliar or untrusted environment. Over time, these signals can be layered with session continuity, so once trust is established, users aren’t repeatedly burdened with additional steps. This approach balances security with usability by applying extra verification only when risk is elevated. 

The real differentiator is whether that biometric system is: 

  • Device-bound, so credentials can’t be replayed elsewhere.
  • Cryptographically secured, so even a compromised OS can’t extract them.
  • Protected by advanced PAD to resist spoofing and injection.

Why Verification Still Matters 

Authentication, which verifies that the person logging in is the rightful account owner, is just one part of the trust puzzle. Many serious breach scenarios happen when attackers successfully log in as someone else because the identity was never properly verified in the first place. 

Think of workforce account recovery: a service desk agent resets access based on a convincing voice or fabricated “proof.” Or customer onboarding, where a synthetic identity passes through weak verification checks. In both cases, a biometric used only for ongoing authentication can’t determine if the original enrollment was fraudulent. 

That’s why high-assurance identity verification, which confirms the claimed identity is genuine from the start, is as important as the authentication method itself. Without strong identity proofing during enrollment, even the most advanced biometric authenticator will accurately recognize and grant access to an imposter. 

Now What? 

To defend against the combination of AI-driven deception, social engineering and infrastructure attacks, security leaders should shift their focus from asking “Should we use biometrics?” to asking “How do we ensure every factor in our authentication process is reliably strong and resistant to today’s threats?” Here are some best practices to consider: 

  1. Adopt quality metrics, not just factor counts. Align authentication with NIST AAL2 or higher. And demand evidence, such as FIDO certification or ISO PAD testing, that the factors you are using meet that bar.
  2. Pair biometrics with secure possession. Use device-bound cryptographic credentials stored in secure hardware to make the biometric inseparable from the enrolled device.
  3. Harden against spoofing. Require multi-layered, certified PAD and test against deepfake and injection scenarios. 
  4. Integrate verification and authentication. Ensure that the person being authenticated was strongly verified at enrollment, reducing the risk of authenticating an attacker with a perfect fake.

Biometrics can be a cornerstone of a phishing-resistant, high-assurance authentication strategy, but only when implemented with the same rigor you’d expect from your most critical security controls. Treat “something you are” not as a silver bullet, but as one layer in an integrated identity security model that begins with trust and ends with proof. 

Source: https://securityboulevard.com/2025/11/how-ai-threats-have-broken-strong-authentication/