2025-09-30

When OpenAI’s Sam Altman warned Federal Reserve officials in July that “AI has fully defeated most of the ways that people authenticate currently other than passwords,” he highlighted a problem that enterprise security leaders can no longer ignore: the biometric revolution many of us rushed to adopt is now plagued by fraud.

In the age of deepfakes and voice cloning, facial recognition and spoken confirmation are now authentication attack vectors rather than security features. These systems operate on similarity spectrums, granting access if an AI-generated impersonation gets close enough. This margin of error is quickly becoming an ecosystem entry point.

Biometrics in the AI fraud crisis

Ironically, the much-maligned password doesn’t have this problem. Unlike biometric systems that evaluate similarity, passwords are binary. They’re either 100% right or 100% wrong — no spectrum, wiggle room, or “close enough.” When strengthened with best practices like hardware-backed multi-factor authentication and zero-trust, passwords are comparatively resistant to AI.
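To make the similarity-versus-exact-match distinction concrete, here is an added example (not from the original article) that contrasts a toy threshold-based biometric matcher with a salted-hash password check; the embedding vectors, the 0.97 threshold and the sample password are all constructed for illustration.

```python
import hashlib
import hmac
import math
import os

# Constructed enrolled "face embedding" and vendor threshold (illustrative
# values, not from the article): the matcher accepts anything close enough.
ENROLLED_FACE = [0.80, 0.10, 0.55, 0.30, 0.90]
MATCH_THRESHOLD = 0.97

def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)

def biometric_accepts(probe, enrolled=ENROLLED_FACE, threshold=MATCH_THRESHOLD):
    """Similarity decision: an impersonation only has to land inside the margin."""
    return cosine_similarity(probe, enrolled) >= threshold

def enroll_password(password, salt=None):
    """Store a salted PBKDF2 digest; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def password_accepts(password, salt, stored_digest):
    """Exact-match decision: one wrong character and the digests differ.
    compare_digest keeps the comparison constant-time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored_digest)

if __name__ == "__main__":
    near_clone = [0.78, 0.12, 0.56, 0.28, 0.91]  # constructed, slightly perturbed copy
    stranger = [0.10, 0.90, 0.20, 0.80, 0.05]    # constructed, unrelated face
    print("near clone accepted:", biometric_accepts(near_clone))  # True
    print("stranger accepted:", biometric_accepts(stranger))      # False
    salt, digest = enroll_password("correct horse battery")
    print("exact password:", password_accepts("correct horse battery", salt, digest))  # True
    print("one char off:", password_accepts("correct horse batterx", salt, digest))    # False
```

The perturbed probe scores above 0.99 and is accepted even though it is not the enrolled vector, while a single changed character in the password is rejected outright.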

Much like humans, authentication systems in the AI era find it difficult to distinguish between what’s real and what’s not. Thanks to new technology that can clone voices from just three seconds of audio, or copy faces from images and overlay them onto would-be hackers, biometrics like vocal and facial features are more easily and affordably replicable.

This goes against what companies have been told about biometrics — a promise of infallible access without additional factors. In finance, particularly, many institutions accept a voice print to move huge amounts of money. The user accurately recites a challenge phrase and, if it passes the voice match threshold, access is granted. This, as Altman describes, presents an “impending and significant” AI fraud crisis on the horizon.

I’d go one step further and say this isn’t coming but already here — you don’t need to look far for criminal networks spoofing credentials with deepfakes, synthetic identities, and large language models. Last year, Hong Kong scammers used deepfake videos and voices to impersonate an entire team on a conference call — including the company’s CFO — to trick one employee into transferring $25 million. Meanwhile, call centers of major banks and financial institutions report an onslaught of deepfake calls using voice cloning in efforts to break into customer accounts.

What’s old is new again in authentication

It’s time for companies to reassess their trust in biometrics, which may include returning to the access method many were quick to abandon.

Passwords aren’t perfect but they’re a logical authentication foundation against AI fraud. Their strength comes from precision rather than similarity. Unlike faces or voices, cryptographically unique phrases can’t be scraped from social media. Sure, AI might be able to clone your likeness from a photo, but it can’t guess your password from LinkedIn. As a result, what was once considered one of the weakest authentication methods is now one of the most AI-resistant because it’s purely mathematical.

How enterprises and admins safely fight back

Of course, admins moved away from standalone passwords for a reason — they’re often forgotten, reused and stolen in breaches. But, with failsafes in place, the AI fraud crisis flips this thinking on its head. Rather than a weak primary factor, passwords are reemerging as a strong foundation layer. They’re being recontextualized from user burden to AI-resistant anchors, from legacy tech to future-proof backup.

But, and it’s a big but that bears repeating, there are important technical caveats that users and organizations alike must first implement before ditching biometrics.

For starters, nip basic and repeated phrases in the bud by enforcing a strong password policy across your organization. This is possible with a unified endpoint management tool which can enforce password complexity, mandate regular changes, implement multi-factor authentication, and provide single sign-on capabilities — all from a central console. Additionally, these platforms help implement zero trust and identity and access management across the ecosystem, which prevents successful hackers from getting too deep into your network if they crack a device.

In terms of authentication architectures, I like password-plus-hardware-token because it creates two separate defenses that AI struggles to overcome — one cryptographic (the password) and one physical (the hardware token that generates time-based codes only when in the user’s possession).

If you do keep biometrics, remember it’s not a one-and-done solution. It’s now non-negotiable to bolster biometrics with verification methods requiring real-time interaction — dynamic security questions based on recent account activity, liveness detection requiring blinking and head movements, or environmental checks that confirm location consistency. The goal is to create authentication hurdles that can’t be gamed, pre-recorded, or automated.

This is an authentication issue that will only worsen as technology improves. Admins might not love returning to passwords but they’re honestly our best current foundation against this threat. In this brave new world of authentication, yesterday’s weakness is shaping up as tomorrow’s strength.