Every day, billions of people unlock their phones with a glance or a touch, treating biometric access as a form of security. But biometrics and data protection are not the same. A stolen password is simple to fix: you change it and move on. A stolen biometric, however, is a different story. Your fingerprint or facial scan cannot be reissued, reset, or replaced. It is permanently tied to your physical identity.
In mobile development, Face ID and fingerprint authentication are often treated as default security measures. For organisations, this can become a critical blind spot: biometric authentication is deployed without questioning whether the architecture beneath it is sound. But is this true security, or simply the most convenient door into a system where the real protection happens elsewhere?
We spoke with Andrii Mykytiuk about how biometric authentication actually works and why the rise of AI may be making biometrics increasingly asymmetrically risky over time.
Background & experience:
With more than 7 years of experience, Andrii specialises in iOS application development and cross-platform mobile solutions, building scalable applications, developing frameworks, and delivering high-quality user experiences.
1. Could you start by explaining the technology behind Face ID?
Andrii Mykytiuk: As someone who works in IT and system architecture, I increasingly notice that Face ID or fingerprint scanners are often perceived as "security itself". Users — and even developers — frequently assume that if a device unlocks with face or fingerprint recognition, it must be securely protected. From a technical standpoint, that's a misconception. Biometrics are an authentication mechanism that improves convenience when accessing protected data, but they are not a primary security boundary. Deploying Face ID or Touch ID improves the user experience, but it does not, in itself, harden the systems those users are accessing.
Face ID is a biometric authentication system based on facial recognition. Technically, the system analyses the depth, structure, and spatial relationships of facial features using specialised sensors, signal processing, and machine learning algorithms. The biometric data is transformed into a mathematical template and encrypted. It is stored locally on the device and processed exclusively on-device, without being transmitted to the cloud.
In the Apple ecosystem, these templates are isolated within the Secure Enclave, a dedicated coprocessor with its own microkernel architecture, protected memory, anti-replay mechanisms, and hardware-enforced rate limiting. A key engineering detail is that Face ID doesn't store a photo of the user's face. It stores a mathematical representation used for probabilistic matching.
2. Is fingerprint authentication fundamentally the same idea?
AM: Yes. Fingerprint authentication works in a similar way. A capacitive sensor reads the ridge pattern of a fingerprint, generates a digital template, and compares it against a reference stored in a secure hardware environment. A fingerprint isn't used as a password, isn't exposed to applications, and doesn't leave the protected module. From an architectural perspective, it is simply a trigger that authorises the use of cryptographic keys that are already hardware-protected.
3. Where does the real security come from in these systems?
AM: The real cybersecurity boundary is built on several layers that have nothing to do with biometrics directly. Device security is not built on biometrics, but on cryptographic keys, hardware isolation (Secure Enclave/TEE), rate-limiting mechanisms, brute-force protection, a secure boot chain, and hardware storage encryption.
Biometrics simply authorise access to these mechanisms. If you remove the passcode, biometrics stop working. The foundation of trust is knowledge, not biology. Something you know, not something you are.
4. You’ve made a strong case that biometrics are not a true security boundary. Could you walk us through the full reasoning behind that position?
AM: Yes, there are four main points I keep coming back to.
- The probabilistic nature. Any biometric system operates on probabilistic matching. Key metrics include FAR (False Acceptance Rate) and FRR (False Rejection Rate). Even if the FAR is 1 in 1,000,000, that is not zero probability. In cryptography, signature verification is deterministic. A signature is either valid or it is not. Biometrics are inherently statistical, not mathematically absolute.
- Non-revocability. A password can be changed, and a private key can be revoked, but biometrics cannot be replaced. This fundamental limitation prevents biometrics from serving as a sole security boundary.
- The attack surface. From a threat modelling perspective, biometrics do not reduce the attack surface, and in some cases, they expand it. These risks still exist: OS kernel attacks, privilege escalation, code execution, physical access to the device, hardware fault injection, and supply chain risks. Additionally, biometrics introduce new vectors: presentation attacks (masks, moulds, 3D models), coercion attacks, side-channel attacks on sensors, and attacks against biometric drivers. Modern systems implement liveness detection, infrared dot projection, depth mapping, and micro-movement analysis. However, these mitigate specific classes of attacks — they are not absolute guarantees.
- Legal considerations. In some jurisdictions, users can be compelled to unlock devices using biometrics, whereas disclosing a password may fall under different legal protections. This is another reason biometrics are not equivalent to a cryptographic secret.
When you look at all four together (the statistics, the permanence, the attack surface, and the legal exposure), the conclusion becomes difficult to avoid.
5. From a threat-modelling standpoint, how does the transition from passwords to biometrics change an organisation’s security risks?
AM: Honestly, fewer things change than most people assume.
Switching to biometrics does not eliminate most major attack surfaces. As digital transformation reshapes how organisations handle identity and access, it changes the authentication interface but not the trust architecture. If an attacker gains kernel-level access or control over the private key, biometrics will not stop them. They only change the method of locally unlocking cryptographic material.
6. That leads to an interesting follow-up: if biometric data were leaked, would that be considered a security incident or primarily a privacy breach?
AM: In my view, it is both. Consider what happens if raw biometric data is leaked outside the secure environment — fingerprint images or facial templates, for example. That is a security incident, because an authentication factor has been compromised. And unlike a password, that factor cannot be replaced.
At the same time, it is a privacy breach because biometric data is a unique identifier, is permanent, and is tied to a person’s physical identity.
A biometric leak is not just a temporary security failure. It is a compromise of part of someone’s digital identity. Decentralised storage of templates within the Secure Enclave significantly reduces the risk of large-scale incidents. However, centralised biometric databases introduce long-term systemic risks.
7. As centralised biometric databases grow, are breaches in this space fundamentally worse than password leaks?
AM: Yes, with a password breach, the response is straightforward: reset and reissue. With a biometric breach at scale, there is no equivalent remediation path. You cannot issue people new fingerprints.
What makes centralised biometric storage particularly dangerous is the combination of permanence and uniqueness. The same fingerprint or facial geometry that unlocks your phone today could, in theory, be used to compromise other systems across different platforms and jurisdictions for the rest of that person’s life. Stolen template data can be used to gain unauthorised access, to create physical spoofs, or even to track people across multiple systems without their knowledge.
The device-local model, where templates never leave the Secure Enclave, is architecturally sound precisely because it limits the blast radius. The problem arises when organisations or governments centralise this data for convenience, access control, or surveillance. Without a secure data platform architecture, a single breach no longer affects a single person's device but can compromise the permanent identity of millions.
There are emerging approaches designed to address this. Cancellable biometrics, for instance, apply non-reversible mathematical transformations to the template at scan time so that even if a database is breached, the stored records can be invalidated and regenerated. Biometric cryptosystems take a different approach, binding the template to a cryptographic key so that the key is only released upon successful authentication. These are promising directions. But they are far from universally deployed.
8. Does AI make biometrics asymmetrically riskier over time, or is that concern overstated?
AM: I believe it does. AI development creates an asymmetry across several vectors: deepfake video generation, 3D facial reconstruction, synthetic voice cloning, and high-resolution fingerprint reconstruction. Even if modern systems implement liveness detection and depth analysis, the cost of creating sophisticated attacks continues to decrease. Meanwhile, biometrics remain static while AI evolves. A password can be strengthened. A key can be replaced from RSA to ECC to post-quantum. A face cannot.
There is also growing research on template inversion, adversarial examples, and machine-learning-optimised spoofing. Even if these are currently limited scenarios, the long-term trajectory of AI development makes this a systemic risk.
9. How are biometrics positioned in the security stack, and how would you represent that architecturally?
AM: At the protocol level, biometrics effectively do not exist. They do not directly participate in TLS, OAuth, FIDO, or WebAuthn. I structure the security stack as follows:
- Hardware root of trust: Secure boot chain, isolated key storage, Secure Enclave.
- Key management layer: Asymmetric key pair generation, private key storage, anti-hammering, and brute-force protection.
- Local user authentication layer: This is where biometrics sit. They are not transmitted to the server, do not participate in the handshake, and do not form network identity. They merely authorise the use of the private key.
- Protocol layer: This layer handles digital signatures, certificate validation, and session key establishment. TLS, FIDO, OAuth, and WebAuthn all operate here. The server does not "see" your face or fingerprint. It sees a valid cryptographic signature. If you remove biometrics but keep the passcode, the protocol still works. If you remove the private key, biometrics become meaningless.
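As an added illustration of the local user authentication layer described above (this is example code, not code from the interview or from ELEKS), the Swift snippet below creates a P-256 key inside Apple's Secure Enclave whose use is gated by the currently enrolled biometrics, then signs a server challenge with it. The helper names `biometricGatedKey` and `signChallenge` are assumptions; the Security framework calls are the real public API.

```swift
import Foundation
import Security

// Hypothetical error type and helper names, chosen for this example only.
enum KeyError: Error { case creation(Error?), signing(Error?) }

/// Creates a P-256 private key that never leaves the Secure Enclave.
/// `.biometryCurrentSet` means Face ID / Touch ID gates *use* of the key;
/// re-enrolling a face or finger invalidates it. Because the item is only
/// accessible when the device is unlocked, the passcode remains the root of
/// trust: without it, the key (and so the biometric gate) is unusable.
func biometricGatedKey(tag: Data) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error) else { throw KeyError.creation(error?.takeRetainedValue()) }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String:       kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String:       kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String:    true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String:  access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw KeyError.creation(error?.takeRetainedValue())
    }
    return key
}

/// Signs a server-issued challenge. The OS shows the biometric prompt here;
/// on success the enclave produces an ECDSA signature that the server verifies
/// with the public key registered earlier. No biometric data is ever sent.
func signChallenge(_ challenge: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                          challenge as CFData, &error) else {
        throw KeyError.signing(error?.takeRetainedValue())
    }
    return sig as Data
}

// Registration step (constructed usage): export the public key once with
// SecKeyCopyPublicKey(key) and SecKeyCopyExternalRepresentation, send it to the
// server; from then on the server only ever sees signatures, never a face.
```

The public key is what the protocol layer works with; deleting the private key or the passcode leaves the biometric prompt with nothing to authorise.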
10. People are increasingly aware that they can request the removal of personal data from search results and data broker sites. Does that same digital hygiene logic apply to biometrics?
AM: With conventional personal data (your address, phone number, and email), remediation paths exist. Google lets users request the removal of personally identifiable information from search results. Data brokers have opt-out processes. Tedious and imperfect, but your data can, in principle, be deindexed, deleted, or replaced.
Biometric data offers no such path. Once your facial geometry or fingerprint template is exposed, you cannot request a replacement. There is no ‘remove my face from the internet’ form. Your biometric signature is permanent and tied to your physical identity for life. Scrubbing your address from a people-search site is recoverable. A leaked biometric template is not.
11. So, where does the responsibility lie: with users, or with the organisations collecting this data?
AM: Squarely on the organisations. Users cannot meaningfully protect themselves from a breach they have no visibility into. The burden falls on architecture, data strategy and data governance.
Treat biometric data with a categorically higher standard than other PII. Prefer local, on-device storage. Avoid centralised repositories wherever possible. And if centralised storage is unavoidable, apply transformations, cancellable biometrics, and cryptographic binding that make stored data non-reversible. The asymmetry of harm demands an asymmetric standard of care.
12. Given everything we’ve discussed, what is the central lesson organisations should take away when implementing biometric authentication?
AM: The central lesson is that biometrics should never be mistaken for the foundation of a security architecture. Face and fingerprint scanners can significantly improve usability and reduce friction for users, but they do not replace the underlying trust model that protects digital systems. Real security still depends on cryptographic keys, hardware-backed isolation, secure boot chains, and carefully designed authentication protocols. Biometrics simply provide a convenient way to unlock those protections locally.
For organisations, the risk emerges when convenience is confused with security. Treating biometric authentication as a primary safeguard can lead to architectural decisions that underestimate the permanence and sensitivity of biometric data. Unlike passwords or tokens, biometric identifiers cannot be reset after a breach, which means the consequences of poor data governance can persist indefinitely.
The practical implication is clear: organisations should treat biometric data with a higher level of caution than most other forms of personal information. Whenever possible, biometric templates should remain on the user’s device and never be stored in centralised databases. When centralised processing cannot be avoided, systems must be designed with additional safeguards such as template transformations, cryptographic binding, and strict data governance controls.
In other words, biometrics can be a powerful usability layer, but they are not a substitute for sound security architecture. Organisations that recognise this distinction and design their systems accordingly are far better positioned to protect both their infrastructure and the long-term digital identities of the people who rely on it.
13. What is the bottom line on biometrics and security?
AM: Biometrics are a powerful and convenient local authentication mechanism. But they do not eliminate key attack surfaces, are not protocol-level controls, and do not establish root trust. Face ID and fingerprint authentication are simply a UX layer on top of cryptography.
Real security is built on cryptographic keys, hardware isolation, sound architecture, key management, and thoughtful threat modelling.
FAQs
A data leak on your phone happens when sensitive information stored or sent from your device is exposed. This can occur through a malicious app, unsecured Wi-Fi, a software vulnerability, or a breach of a third-party service.
Keep your operating system and apps updated to patch vulnerabilities. Use devices that store biometric data locally in secure hardware, such as Apple’s Secure Enclave. Avoid third-party apps that unnecessarily request biometric access. Be cautious of services storing biometrics in central databases. A single breach can permanently compromise data that, unlike a password, cannot be reset or replaced.