The bad news is that biometrics systems, which are starting to replace the password, come with some big security risks of their own.

The idea of biometric security, if you’re unfamiliar, is that people use some distinct body attribute—such as a fingerprint, iris, or heart rate—to prove one’s identity instead of a password. Such features are already common in everyday devices like Apple’s iPhone, which allows its owner to authorize a payment with a fingerprint.

The advantage of biometric security features is that they are very hard to copy, and consumers don’t have to remember them. Contrast this with passwords, which hackers can break because they are obvious (many people still use standbys like “12345”) or through the guessing power of a computer.

Get Data Sheet, Fortune’s technology newsletter.

Unfortunately, biometric data can also be hacked. There have already been a number of large scale breaches, including a 2015 incident in which the fingerprints of 5.6 million workers were stolen from the Federal Government Office of Personnel Management.

Even worse, when biometric security is compromised, the damage is long-lasting. You can change your password after a data breach, but you can’t change your fingerprint.

The looming risk for consumers is that more organizations, including companies and governments, will build databases of biometric identifiers in order to conveniently identify them. Such databases are a security risk and, for companies, a legal minefield.

As a new report by PricewaterhouseCoopers points out, different countries have widely different privacy laws about the collection and transfer of biometric data. Any company who holds such data—either directly or through a third party cloud computing provider—will find themselves in a world of regulatory pain if that data is stolen or misused.

For a closer look at biometrics and passwords, watch:

The news isn’t all bad, however. There’s a growing awareness that the solution to protecting biometric data is for companies to not retain this sensitive information in the first place. Instead, advises the PwC report, the alternative is they should rely on a system where the biometric information is stored only on the user’s device rather than a centralized server.

In practice, this involves a consumer grafting one or more biometric identifiers, perhaps a thumbprint and a voice signal, onto a phone or computer. Then, when the consumer does business with a third-party like PayPal or another website, his or her device and the website swap confirmation signals (sort of like the two sets of codes used in nuclear security) in order to verify identity.

This, for example, is how the iPhone’s Apple Pay (AAPL) works. Apple does not actually transmit a copy of the user’s thumbprint to a merchant, but instead, it provides a one-time confirmation signal to authorize the payment. Such arrangements are already becoming standardized, through protocols such as one called FIDO, that include device makers and companies in the tech and financial industries.

The bottom line is that, as governments and companies embrace biometrics, they should resist the temptation to create central databases and expose consumers to even greater risks than the insecure world of passwords.