Security & Authentication

The Problem with Biometrics: You Can't Change Your Fingerprints

May 8, 2026 · 8 min read · Haven Team

Biometric authentication has a fundamental property that makes it categorically different from passwords: it is irrevocable. When your password database is breached, you change your passwords. When your fingerprint template database is breached, the affected people live with compromised biometrics for the rest of their lives. Convenience has a price worth understanding before you give it away.


Touch ID launched in 2013. Face ID followed in 2017. By 2026 it's unusual to find a smartphone without biometric unlock, a laptop without Windows Hello, or a bank app that doesn't offer fingerprint login. The adoption is driven by a real advantage: biometrics dramatically improve security compliance. A PIN that people forget to enable is worse than a biometric that's always active.

But biometrics are not passwords, and treating them as interchangeable — just a more convenient kind of secret — misunderstands what they are and how they fail. The failure modes are categorically different from passwords, and in important ways, worse.

What Biometrics Are (and What They Aren't)

Authentication methods are traditionally classified into three factors: something you know (password, PIN), something you have (hardware token, phone), and something you are (biometric). Biometrics fall into the third category.

A password is a shared secret: a string of characters that only you and the authenticating system know. Verification is exact — the password either matches or it doesn't. A biometric is not a secret in the same sense. Your fingerprints are on everything you touch. Your face is photographed in public spaces. Your voice is recorded in countless contexts. Biometrics are identifying attributes, not secrets. The authentication system doesn't verify that you know the secret — it verifies that what you present is sufficiently similar to a stored template.

That "sufficiently similar" comparison is important. Unlike a password, biometric matching uses a similarity threshold. Systems tune that threshold to balance a False Acceptance Rate (FAR), the probability that an impostor is accepted, against a False Rejection Rate (FRR), the probability that the legitimate user is rejected. Apple claims a FAR of approximately 1 in 1,000,000 for Face ID and 1 in 50,000 for Touch ID. These numbers are measured under controlled conditions. At the scale of hundreds of millions of daily unlock attempts, even small FARs translate to real-world access events.
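To make the exact-match versus threshold-match distinction concrete, here is an added Go example (not code from the original post or from any vendor's matcher). It compares two constructed fixed-length binary templates by the fraction of agreeing bits, accepts at an operating threshold, and estimates FAR and FRR at that threshold from constructed genuine and impostor score samples; the template encoding and the score values are assumptions for illustration only.

```go
package main

import (
	"crypto/subtle"
	"math/bits"
)

// ExactMatch is password-style verification: the presented value equals the
// stored one or it does not. A constant-time compare leaks nothing about how close.
func ExactMatch(stored, presented []byte) bool {
	return subtle.ConstantTimeCompare(stored, presented) == 1
}

// Similarity scores two equal-length binary templates (a constructed stand-in
// for a sensor's feature encoding) as the fraction of bits that agree, 0..1.
func Similarity(stored, presented []byte) float64 {
	if len(stored) == 0 || len(stored) != len(presented) {
		return 0
	}
	differing := 0
	for i := range stored {
		differing += bits.OnesCount8(stored[i] ^ presented[i])
	}
	return 1 - float64(differing)/float64(8*len(stored))
}

// BiometricMatch accepts when the score reaches the operating threshold, so a
// presentation that is close but not identical can still be accepted.
func BiometricMatch(stored, presented []byte, threshold float64) bool {
	return Similarity(stored, presented) >= threshold
}

// Rates estimates FAR and FRR at a threshold from constructed score samples:
// impostor scores at or above it are false accepts, genuine scores below it
// are false rejects. Raising the threshold lowers FAR and raises FRR.
func Rates(genuine, impostor []float64, threshold float64) (far, frr float64) {
	if len(genuine) == 0 || len(impostor) == 0 {
		return 0, 0
	}
	for _, s := range impostor {
		if s >= threshold {
			far++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			frr++
		}
	}
	return far / float64(len(impostor)), frr / float64(len(genuine))
}
```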

The Legal Asymmetry Most People Don't Know About

In the United States, the Fifth Amendment protects against compelled self-incrimination. Courts have consistently held that this protection applies to testimonial evidence — information drawn from the contents of your mind. A password or PIN is testimonial: forcing you to provide it compels you to reveal something you know.

Physical evidence is treated differently. DNA samples, handwriting exemplars, and voice samples have long been compelled by courts. Biometrics fall into this category in most US jurisdictions. Multiple federal courts have ruled that law enforcement can compel a person to provide a fingerprint or face to unlock a device — without a warrant in some circuit interpretations, and certainly over the person's objection — because the act of presenting a biometric is physical evidence, not testimony.

Legal Protection Gap

In most US jurisdictions, you cannot be compelled to reveal a password or PIN — it's protected testimony. You can be compelled to provide a fingerprint or face scan to unlock a device. If you're detained and your phone contains sensitive information, a PIN provides substantially stronger legal protection than biometric unlock.

This is not an edge-case concern for activists or criminals. It's relevant to anyone whose device might be examined at a border crossing (Customs and Border Protection has broad authority to search devices at ports of entry), in a police stop, or following an arrest, regardless of whether charges are filed.

When Biometric Databases Are Breached

In 2015, the United States Office of Personnel Management announced a breach of federal employee records that included the fingerprints of approximately 5.6 million current and former federal employees and contractors — people with security clearances, law enforcement backgrounds, and intelligence positions. The records were taken by Chinese state-sponsored hackers. The fingerprints of those 5.6 million people are permanently compromised. There is no remediation. You cannot reissue fingerprints.

India's Aadhaar system — a national biometric identity database covering over a billion people — has experienced multiple reported unauthorized access incidents. The biometric templates of enrolled individuals, once exposed, are exposed permanently. Unlike a password database breach where users can rotate credentials, biometric breaches are irreversible by design.

This matters more as biometrics become more widely used for authentication. If you use your fingerprint to unlock your phone, log into your bank, verify your identity at a government office, and check in at an airport, a single database compromise somewhere in that chain potentially undermines your identity verification everywhere in that chain.

Presentation Attacks: Fooling the Sensor

Biometric sensors can be spoofed. The sophistication required varies by system and implementation.

Early fingerprint sensors were defeated by lifted prints transferred to gelatin or silicone molds — a technique demonstrated in academic research and confirmed by security testers. Modern capacitive sensors are more resistant but not immune. Some ultrasonic sensors (used in certain in-display fingerprint readers) have been successfully spoofed with 3D-printed models of fingerprints derived from photographs.

Face recognition attacks vary by implementation. 2D face recognition (older implementations) was routinely defeated by high-quality photographs. Apple's Face ID uses structured light depth mapping and is substantially more resistant to static photo attacks. Android implementations vary widely in quality — some use the front-facing camera only, with weaker depth analysis. Security researchers have demonstrated attacks against various Android face unlock implementations using photographs and 3D masks.

| Biometric Type | Revocable? | Legal Protection (US) | Spoof Resistance |
| --- | --- | --- | --- |
| Fingerprint | ✗ No | Weak (physical evidence) | Moderate (varies by sensor) |
| Face (depth-mapped) | ✗ No | Weak (physical evidence) | Good (3D liveness) |
| Face (camera only) | ✗ No | Weak (physical evidence) | Poor (photo attacks) |
| PIN / Passphrase | ✓ Yes | Strong (testimonial) | N/A (exact match) |

Where Biometrics Make Sense

None of the above means biometrics are useless. Their genuine advantage is friction reduction, which translates directly into security compliance. A person who uses biometric unlock on their phone is far more likely to have enabled device encryption than a person who disabled the lock screen to avoid typing a PIN. The biometric is the mechanism that makes the security feature usable enough to leave on.

Biometrics work well as a second factor alongside something you know, rather than as a replacement. Using Face ID to unlock your phone, but requiring a PIN for your password manager and your two-factor authentication codes, maintains the convenience while preserving a PIN-protected layer for your most sensitive access.

Passkeys represent an interesting middle ground: they use device-side biometric authentication to authorize a cryptographic operation (signing a challenge with a private key stored on the device), but the biometric never leaves the device and the authentication system never receives biometric data. The server learns only that you successfully authenticated to a device that holds the key. This is architecturally different from submitting biometric data to a cloud system.
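The passkey flow described above, as an added Go example (not code from the original post, and a simplification of the real WebAuthn protocol): the key pair is generated on the device, the relying party stores only the public key, and the device signs the server's random challenge only after a purely local match against the enrolled template. The "biometric" is a constructed byte string and the local match is an exact hash compare standing in for a sensor's similarity threshold; tracking issued challenges to reject replays is left out for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device side: the private key and a template derived from
// a constructed enrolment sample. The match is local and only gates key use.
type Authenticator struct {
	priv     ed25519.PrivateKey
	enrolled [32]byte
}

// Enroll generates the key pair on the device. The relying party receives and
// stores only the public key; the sample never leaves the device.
func Enroll(sample []byte) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, enrolled: sha256.Sum256(sample)}, pub, nil
}

// NewChallenge is the relying party's fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign refuses unless the presented sample matches the enrolled template (an
// exact hash compare stands in for a real sensor's similarity threshold). On a
// match it signs the challenge; only the signature is sent to the server.
func (a *Authenticator) Sign(challenge, presented []byte) ([]byte, error) {
	if sha256.Sum256(presented) != a.enrolled {
		return nil, errors.New("local biometric check failed; key not used")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify is the relying party's check: it learns only that the holder of the
// key registered at enrolment answered this challenge.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) error {
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify for the registered key")
	}
	return nil
}
```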

Practical Guidance

The technology will keep improving. Liveness detection, anti-spoofing measures, and on-device template storage are all genuine advances. But the fundamental irrevocability of biometric identifiers doesn't change with better sensors. That constraint is worth building your authentication strategy around, rather than discovering after a breach.
