Deepfakes Are Rewriting the Rules of Biometric Security

It’s a long-standing truism that biometrics are among the most robust and trustworthy forms of identity verification on the market. The whole premise was that identity is physical, unique, and nearly impossible to replicate. Deepfakes have completely dismantled this assumption.

Today, artificial intelligence can fabricate a convincing face, clone a voice from just a few seconds of audio, manipulate video in real time, and even simulate the subtle micro-expressions and eye movements that make us human. The technology is accessible, cheap, and improving by the week. What once required a nation-state’s resources now fits into browser-based tools and open-source models.

This article explores how deepfakes are transforming our understanding of biometrics and what this means for organizations operating under major federal and industry security frameworks. 

The Shifting Landscape of Biometrics

Biometrics initially rose to prominence because they seemed resistant to theft and impersonation. Passwords leak. Tokens can be stolen. But a person’s face, eyes, and voice were always uniquely theirs, and uniquely identifiable. 

Deepfakes have dramatically weakened that premise, as demonstrated by an Indonesian financial institution that suffered over 1,100 deepfake attacks targeting its loan application system, resulting in more than 1,000 fraudulent accounts and an estimated economic impact of $138.5 million.

Modern generative models, powered with modern AI and the massive body of public training data they leverage, can clone a person’s voice with incredible accuracy, generate synthetic facial videos that respond to prompts in real time, reconstruct 3D facial geometry from publicly posted photos, and align lip movement with speech to create a live-looking model.

It’s not just about these threats. Our relationship with biometric data is tied to shifts in online technology. Most people routinely upload raw materials attackers need to harvest, such as public speaking videos, social media photos, podcasts and webinars, Zoom recordings, conferences, interviews, and livestreams. With the work-from-home revolution and constant evolution of user-created content, there’s no limit in sight for training data for attackers to use. 

This creates a new security category: biometric exposure risk. Criminals can obtain biometric information from social media, cyber-attacks, or the dark web, then create synthetic audio and video to gain access to systems. 

Behavioral Biometrics and Evolving Deepfakes

Because biometrics are more vulnerable, the industry is understandably shifting toward behavioral biometrics. These are patterns of movement, habits, and interactions that are far harder to replicate with AI than facial or vocal scans. These include typing rhythm and error patterns, mouse movement microdynamics, touchscreen pressure and swipe signatures, device handling (tilt, shake, and acceleration), and navigation behavior within an application.

Liveness Detection 

Liveness detection was designed to ensure that a real human was interacting with a system. Attempts to use fake templates, photographs, or other physical artifacts would, ultimately, be thwarted by liveness detection. 

Real-time deepfake engines can now reproduce facial expressions and micro-movements as they happen, generate dynamic shadows and lighting reactions that mimic environmental changes, respond to audio or text prompts instantly, and combat traditional liveness tricks like random head-turn prompts. 

How Deepfakes Affect Regulatory MFA Requirements 

A significant area of concern for regulated organizations is how deepfakes undermine MFA, especially when frameworks assume biometrics are strong second factors.

• CMMC (Levels 2 and 3): CMMC requires MFA for access to systems that store or process CUI, and it permits biometrics as an authentication factor under certain conditions. If deepfakes can clone facial or voice biometrics, however, that factor becomes unreliable. Also, remote access controls become significantly riskier, particularly for systems relying on video-based identity verification. CMMC assessors will increasingly expect MFA implementations to prove resilience against synthetic identity attacks.

• FedRAMP: FedRAMP requires MFA aligned with NIST SP 800-63 and NIST 800-53 IA controls, but identity proofing processes at IAL2 and IAL3 become harder when live video interviews or selfie checks can be faked. Liveness detection can’t be relied on solely anymore,  and zero-trust expectations are increasing, with OMB and CISA guidance favoring continuous, risk-based verification to counter deepfake impersonation. 
• ISO 27001 (Controls 5.17, 5.15, 8.2, 8.3): ISO 27001 allows biometrics as authentication factors but requires them to be protected as sensitive data. Deepfakes drive new considerations here as well. Access control decisions must account for synthetic identity risks, forcing organizations to adopt layered or adaptive authentication approaches. And supplier relationships under ISO 27036 become riskier if third-party service providers rely heavily on biometric verification.

What Does Authentication Look Like After Deepfakes?

Deepfakes haven’t made biometrics obsolete, but they’ve forced a significant shift in how organizations use and trust them. What used to be seen as a “strong” authentication factor is now just one piece of a broader identity picture. 

The new approach to trust in authentication includes:

• Biometrics as supplemental, not primary: They support identity verification but no longer stand alone.
• Multi-signal identity validation: Physical biometrics must be combined with behavioral, contextual, and environmental signals.
• Advanced liveness detection: Systems must look beyond traditional liveness checks (e.g., blinking, smiling, head movement) to incorporate device telemetry, environmental consistency, and user behavior.
• MFA hardened against synthetic impersonation: Authentication workflows must assume attackers can mimic voices and faces, something that many took for granted up until now. 
• Continuous and adaptive verification: Identity isn’t validated once; it’s revalidated throughout the session based on evolving risk signals. 

Navigate MFA and Biometrics in an Age of Deepfakes with Lazarus Alliance

The era of “unspoofable” biometrics is over. What comes next will require us to be smarter, more layered, and more adaptive than ever before.

To learn more about how Lazarus Alliance can help, contact us. 

• FedRAMP
• GovRAMP
• NIST 800-53
• DFARS NIST 800-171
• CMMC
• SOC 1 & SOC 2
• C5
• HIPAA, HITECH, & Meaningful Use
• PCI DSS RoC & SAQ
• IRS 1075 & 4812
• CJIS
• LA DMF
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• And dozens more!