ADVERTISEMENT

Using biometric authentication safely

Using biometric authentication safely
Konstantinas Kofanovas
Konstantinas Kofanovas Tech Content Writer
Dec 16, 2024 Updated: 25 July 2025 12 min read

What makes biometrics secure (if done right)

  • Liveness detection. Most biometric systems go beyond scanning your face or fingerprint. They also use liveness detection, which ensures you’re actually the one in front of the camera, not a photo or video of you.
  • Storage and encryption. Secure storage and robust encryption are vital for protecting biometric data. If properly implemented, they keep this data safe from unauthorized access and ensure that even if data is compromised, it remains encrypted and unusable.

Liveness detection

  • Active detection requires you to perform an action, like blinking or moving your head, to prove you’re alive.
  • Passive detection works quietly in the background, looking for subtle movements or changes in your face, such as the warmth of your skin or slight shifts in your features.

Encryption and storage

1. Cloud storage (data centers)

2. Local device storage (iOS, Android, macOS, Windows)

  • iOS (Apple) uses its Secure Enclave to store your biometric data (Face ID, Touch ID) on the device itself, encrypted. This means even if your iPhone is hacked, your biometric data is protected.
  • Android devices use Trusted Execution Environments (TEEs), which are similar secure environments that store biometric data safely, also encrypted.
  • Windows (Microsoft) devices use Windows Hello, which stores facial and fingerprint data locally in the device’s TPM (Trusted Platform Module), another secure storage area.
  • macOS offers Touch ID to store biometric data in a secure enclave similar to iPhones.
  • iPhone. Biometric data is automatically stored locally in the Secure Enclave. To ensure this, you can disable iCloud syncing for your fingerprints or Face ID (though iCloud doesn't generally store this data).
  • Android. Check under your Settings > Security > Fingerprint (or Face Recognition) to confirm your biometrics are stored locally.

How biometric authentication works

Common biometric systems: the basics

  • Face recognition uses the unique features of your face – like the distance between your eyes or the shape of your chin. If your phone unlocks when you look at it, that’s facial recognition at work.
  • Fingerprint scanning is one of the oldest and most common methods. It analyzes the unique ridges and patterns on your fingertip, converting them into a digital code.
  • Iris recognition is the fancy tech that scans the colored part of your eye. It’s incredibly precise, making it nearly impossible to fake.
  • Voiceprints leverage your voice, which is as unique as your fingerprint. By analyzing the tone, pitch, and rhythm of your speech, voice recognition systems can identify you with surprisingly high accuracy.

Protecting your biometric data

1. Only upload biometric data to trusted, secure platforms

2. Enable multi-factor authentication

  • iPhone. Go to Settings > Face ID and Passcode or Touch ID and Passcode and ensure you have a strong passcode (6 digits minimum). Combine this with Face ID or Touch ID for an added layer of security
  • Android. Head to Settings > Security > Screen Lock, then choose PIN or Pattern as your first layer of security. You can add Fingerprint or Face Unlock for an additional factor
  • Google. Go to Google Account Security Settings and turn on 2-Step Verification
  • Facebook. Go to Settings > Security and Login and choose Use two-factor authentication
  • Banking apps. Most modern banking apps support MFA. Check the security settings in your bank’s app
ADVERTISEMENT

3. Enable liveness detection

4. Regularly update your device's software

  • iPhone. Go to Settings > General > Software Update and enable automatic updates to make sure you get the latest patches.
How to enable auto updates on ios
  • Android. Go to Settings > Software Updates and turn on automatic updates for both system and security patches.
wifi software update android

What to do if your biometric data gets compromised

  • Change your passwords. Just like you would change your email password if your account was hacked, update your security credentials on any account tied to your biometrics. It’s time to ditch the single point of failure.
  • Monitor your accounts. If your biometric data is compromised, there’s a chance other personal data is at risk too. Regularly check your bank, credit cards, and social media accounts for unauthorized transactions or activity. Get proactive.
  • Consider adding more layers of security. Think Multi-Factor Authentication (MFA), especially on critical accounts like email or banking. By combining biometrics with something you know (a PIN, for example), you’re not relying on one weak point.
  • Get a credit freeze or fraud alert. If the breach is severe enough, consider putting a fraud alert on your credit file or even a credit freeze. This won’t prevent the breach from happening, but it will make it much harder for anyone to misuse your data for identity theft.
  • Use a password manager. It simplifies managing strong, unique passwords for each account and alerts you if your credentials are compromised. A reliable password manager adds an extra layer of security by preventing password reuse and ensuring you're notified about potential breaches.

Common vulnerabilities and how hackers exploit them

The art of spoofing: 3D masks, deepfakes, and more

  • 3D masks and fingerprints. This is one of the most well-known spoofing techniques. Hackers can create realistic 3D masks of your face or even a mold of your fingerprint using a 3D printer and some creative engineering. Face recognition systems that rely only on 2D images can be easily fooled by holding up a high-resolution print or, even better, a 3D model of your face.
  • Deepfake videos. You’ve probably seen the viral deepfake videos where celebrities’ faces are swapped into other people’s bodies, or their mouths are made to say anything. Turns out, deepfakes are a real problem when it comes to voice recognition systems too. Hackers can use AI to generate a video or audio clip of your face or voice, tricking systems that rely on these biometrics for authentication. Essentially, it’s an AI-generated impersonation. Welcome to the future, where it’s not just hackers who can fake things – machines can too.

Recent breaches: when biometrics failed (and it was ugly)

  • The 2023 Outabox data breach compromised the personal information of over a million Australians who visited various clubs and pubs. The incident is linked to a cyber extortion campaign and is currently under investigation by police​
  • Another well-known security breach, led by Noam Rotem and Ran Locar, uncovered Suprema's BioStar 2 security platform. This breach compromised sensitive data, including over 1 million fingerprint records and facial recognition information.

Techniques hackers use to bypass biometrics

  • Camera hacks. Some systems, especially those relying on facial recognition, are fooled by high-quality photos or even videos. If the system doesn’t have proper liveness detection, a hacker could hold up a high-res picture of your face and unlock your phone. Even the best systems sometimes don’t account for the difference between a living person and a printout.
  • Spoofing with fake fingerprints. This one’s pretty simple – malicious hackers use 3D printers/silicone molds. With access to some basic tech and a bit of know-how, someone could create a mold of your fingerprint and use it to bypass fingerprint recognition systems. It’s not a casual thing, but it’s totally doable if the system isn't equipped with anti-spoofing features.
  • Voice spoofing. If a voice recognition system is the only thing protecting your device or account, someone could use deepfake audio to gain access. It's chilling when you realize that, in some cases, these systems don’t even require perfect mimicry to be effective.

The future of biometric authentication

Future of biometrics
Future of biometrics • image by DALL·E AI system

On-device storage and AI-powered security

User control over biometric data

Behavioral biometrics

Conclusion

ADVERTISEMENT