TL;DR: although users perform the same ceremony whenever responding to a biometric prompt, the way the underlying system uses the results can make a world of difference in terms of privacy and security. The key question users need to ask themselves: does my biometric info ever leave the collection device?
Our daily life is increasingly punctuated by moments in which some machine probes some part of our body before granting us access to something. Your iPhone wants to take a good look at your face before letting you in, and so does your Windows laptop; Android devices and MacBooks might want a little caress with your thumb before unlocking themselves; while wheeling your cabin luggage through an airport, you might exchange a snap of your iris for faster security lines, biometric gates might let you into a country faster if only you let them compare your passport with your facial features, and some airlines will let you board with nothing more than a smile for their camera. Even doing groceries nowadays might require a piece of you, as the palm readers in Amazon-owned Whole Foods shops don’t seek to tell your fortune (to you, anyway) but to authenticate you and connect to your customer persona.
All those examples might look more or less the same, save for the particular part of your anatomy each machine is into. In fact, those examples can be divided into two crucial categories: the ones where your biometric data is validated by the same device performing the collection, and the ones where your biometric data is sent to a centralized database and verified against a copy of your biometric template held there.
This distinction is very important, as it determines what can be achieved with the strategy — and at what cost.
On-Device Biometric Authentication
When you unlock your phone or laptop using your face or your fingerprints, you are usually providing data for a local check.
This is why you always need to enroll anew whenever you get a new device! When the iPhone asks you to do that funny neck stretching exercise in front of the camera to initialize FaceID, or your Mac asks you to touch the fingerprint sensor several times to set up TouchID, it is acquiring what in jargon is known as a biometric template: a mathematical representation of some salient landmark points that make your face or fingerprint unique, and that are easy to look for and compare during future scans. Crucially, you enroll when the device is in an unlocked state: and once the biometric data is saved in the local device (and the local device only), from then on you can perform a face or fingerprint scan to prove that you are the same user that unlocked the device at enrollment time. There is no magical property that proves that it is really you, as in your legal persona as a citizen, etc. — it’s just a convenient way to unlock your device without entering a PIN. Want proof? Enroll one of your spouse’s fingers in TouchID, and they will be able to unlock the device just as well as you do.
Public Key Cryptography, FIDO, and Stationery
What about things like FIDO and WebAuthn? What happens when you protect a website using FIDO credentials and platform authenticators in particular? Pretty much the same thing, though the operation being gated by the biometric prompt is a bit different.
If you want a refresher on how FIDO authentication works, you can check the Identity, Unlocked episode with John Bradley about it. But in a nutshell: FIDO2 authentication relies on public key cryptography. When using passwords, a website saves a shared secret and then checks whether the user knows that secret at sign-in time. When using public key cryptography, conversely, the website asks the user to perform something that no one else can do.
Imagine you have a rubber stamp so intricate that it’s impossible to reproduce just by looking at the imprints it produces. Someone wants to start corresponding with you via snail mail, and they want to make sure all the future letters you send are truly from you. To do so, they start by handing you a piece of paper with some random text they generated for the occasion. You stamp it with your magic stamp and hand it back to them; they place it in safe storage with your name on it, and your enrollment is complete.
Next time you want to send them a letter, they send you another piece of paper with more random words they generated specifically for this. You use your stamp to imprint the stamped sign on the new random words and send it back. That proves to them that it’s really you sending this letter because no one else has access to your magic stamp… and it proves that the letter is really for you because the stamp has been applied to the random words you generated for this exchange.
How is this better than passwords? Well, the rubber stamp never leaves your home: it cannot be stolen in transit, and it cannot be reproduced. You cannot be tricked into putting it in an envelope and sending it to some scammer, as is the case with passwords. You just use the rubber stamp, and what’s evaluated by the recipient is your ability to do so (hence, your possession of it).
Public key cryptography works more or less like that. There is a private key that never leaves the device of origin (with one notable exception, see below), and that can be used to perform a so-called digital signature on data: a mathematical operation that generates a unique string representing the combination of the private key and the signed text. And there is a public key, which can be used to verify that the signature was actually performed with its corresponding private key and that the signed data hasn’t been tampered with. Websites can sign up users by sending some random data (the challenge, in WebAuthn terms) and receiving it back signed, alongside the public key corresponding to the private key that performed the signature. If the signature matches, the website can save the public key (alongside some identifiers, like a username) in the user record. Subsequent sign-ins will do the same dance, validating that the user has access to the private key corresponding to the public key on record. Way better than passwords, for many reasons, but I won’t dwell on them here — see this whitepaper for a good WebAuthn primer.
Where do biometrics come into play? Well, biometric checks are typically used to unlock access to the private key required to perform the signature during sign-up (during which it might be created, actually) and sign-in. This is important: from the website’s perspective, what’s really being used for authentication is something you have, the private key you are proving possession of by performing a signature. The fact that the local device used something you are, a different factor, cannot be directly verified by the website. In fact, it is not uncommon for failed biometric checks (hello, face masks during the first months of Covid lockdowns) to fall back on a PIN, something you know, without substantially changing the authentication scheme described above.
To reprise the rubber stamp metaphor: Imagine you keep your rubber stamp in a fireproof box locked with a fingerprint-operated padlock. How you unlock the fireproof box doesn’t change the stamp you’ll affix on the letter for your correspondent, nor will your correspondent know where you keep your rubber stamp or how you access it. It’s not entirely accurate in all cases (see authenticator’s attestations) but close enough for our purposes here.
The fact that in this approach, your biometric template never leaves the device is great from the privacy perspective. Bad actors acquiring your biometric template would be a disaster: they could start to track you, impersonate you… and there’s no way of revoking your biometric data.
End users are usually blissfully unaware of all this. Their experience is consistent with using a “something you are” factor; hence they might expect behaviors in line with other biometric prompt solutions relying on centralized databases — for example, the ability to use one’s biometric to authenticate through a kiosk in a location they never visited before. They don’t realize that the “something you are” factor was used just to unlock a “something you have” factor (the key residing on the local device), nor the different implications in terms of privacy & security this entails.
Note: you might have heard that with passkeys, your credentials are backed up to the cloud, synced, and available on all your connected devices. You might even have heard it from yours truly! The important thing to realize is that although keys are backed up, biometric info stays on the local device: that's how the same passkey is unlocked via FaceID on my iPhone and via TouchID on my Mac.
Remote Biometric Check (1:N verification)
The other use of biometrics is probably the one that best aligns with intuition, as in the one tied to your “true” identity (whatever that really means). You show up in person somewhere, your identity is verified, and your biometric data is acquired, often with devices and processes more elaborate than what you experience with consumer-grade devices. This will typically happen with government institutions. Green card holders, passport holders, and known travelers all experienced their fingerprints (all of them!), iris, and face images being acquired. Visitors to foreign countries can typically expect their pictures and fingerprints to be taken.
The resulting data ends up in government databases (the Department of Homeland Security in the USA maintains IDENT — a database of biometric data of every international traveler entering the United States) and government-issued artifacts like biometric passports. This makes it possible to raise the assurance levels of identification while giving users levels of convenience never achieved before. For example, participants in the Global Entry program can now re-enter the USA after an international trip by barely slowing down in front of a kiosk that uses facial recognition to recognize incoming passengers and a border officer that consults a gallery of all expected passengers. That certainly beats that one time a few years ago when I had to wait two hours in line at passport control because I was queued right behind a hundred Chinese nationals, and the border only had one interpreter available!
Convenience, however, has a flip side. Your biometric template cannot be revoked, and if it were ever to be leaked to bad actors, it could lead to all sorts of grave abuses, from tracking your presence anywhere to impersonating you.
The fact that custodians of the data are government agencies, with big budgets devoted to security and responsibilities toward citizens, should inspire a modicum of trust — but supply chains are long, and accidents are bound to occasionally happen (as was the case in a biometric data leak at the Customs and Border Protection agency four years ago).
The thing is — when it comes to the government, we often have little choice. Some initiatives, like the recent experimental use of facial recognition by the TSA in airports for speeding up boarding operations, do offer an opt-out option (and are sparking protests). However, if you want to enter the USA, or work here, you simply cannot get out of having your biometrics taken.
Private businesses, however, are a different matter. Subscribing to CLEAR, the service that allows you to enter airport security lines and event venues without exhibiting documents just by having your irises or fingerprints scanned, is an entirely voluntary action. The same goes for Amazon One, the palm-based identification system that lets you pay for your groceries just by hovering your palm over a reader… thanks to your biometric template data being stored in the Amazon cloud. Those services can be extremely convenient… but no one is invulnerable to data breaches, and in the absence of laws regulating how biometric data should be stored and used by private companies (or spelling out the consequences of mismanagement), it’s a risk.
Now What?
There you have it. Now you know that not every biometric prompt is created equal. You know why your iPhone asks you to re-enroll in FaceID and TouchID every time you get a new device (because the biometric data never leaves the device, which is good for privacy). You know that FIDO2 authenticators, when they use biometrics, rely on the same mechanism. You even got a primer on digital signatures!
What should you do with the knowledge that some services store biometric info in centralized locations, off the device, and with the associated risks? Well, that is truly up to your personal utility vs. risk function. In my case, I do subscribe to CLEAR as I travel a lot, and I find it very convenient... but I don’t (yet?) do groceries nearly enough to overcome the concerns I have about storing my palm in the cloud.
Finally, putting my architect hat on, I want to close by stressing that we strive to offer privacy standards that meet our customers’ needs by default in our services, and in the services you can build for your customers on our platform. If you have questions, feel free to contact me below or on Twitter.
About the author
Vittorio Bertocci
Principal Architect