Biometric Authentication
Using physical or behavioural characteristics — such as fingerprints, face geometry, iris patterns, or voice — to verify identity instead of or in addition to passwords.
Also known as: fingerprint login, face recognition login, biometric ID
Last reviewed: 10 June 2026
Biometric authentication relies on physical and behavioural traits being inherently tied to a specific individual and difficult to replicate. Fingerprint scanners, facial recognition, iris scanners, and voice recognition all convert a measured characteristic into a numerical template, which is compared against a stored reference during authentication. Behavioural biometrics extend this to typing rhythm, mouse movement, and gait.
Biometrics offer genuine convenience advantages over passwords but introduce unique risks. Unlike a password, a compromised biometric cannot be changed. A stolen biometric template represents a permanent, irrevocable loss of that authentication factor. For this reason, security best practice stores biometric templates on the local device rather than on a server, and the FIDO2 standard enforces this: your fingerprint unlocks the local cryptographic key, but the fingerprint itself never leaves your device.
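The model described above, as an added example (not code from this page or from any FIDO2 implementation): a hypothetical on-device authenticator compares a fresh sample against the enrolled template and, only on a match, signs the server's challenge with a private key that stays on the device, so the server holds nothing but a public key. The 8-byte templates, the Hamming-distance matcher, the 0.25 threshold and all function names are assumptions for illustration; real matchers are sensor-specific.

```javascript
// Added example. Templates, threshold and names are constructed for illustration.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto"); // CommonJS or ESM

const MATCH_THRESHOLD = 0.25; // assumed: max fraction of differing bits accepted

// Fraction of bits that differ between two equal-length templates.
function hammingFraction(a, b) {
  if (a.length !== b.length) throw new Error("template length mismatch");
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x &= x - 1) diff++; // count set bits
  }
  return diff / (a.length * 8);
}

// Hypothetical on-device authenticator: template and private key stay in this closure.
function createAuthenticator(enrolledTemplate) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only value registered with the server
    // Signs the challenge if the sample matches; returns null otherwise.
    getAssertion(sample, challenge) {
      if (hammingFraction(sample, enrolledTemplate) > MATCH_THRESHOLD) return null;
      return nodeCrypto.sign("sha256", challenge, privateKey);
    },
  };
}

// Server side: holds only the public key, never a template.
function serverVerify(publicKey, challenge, signature) {
  return signature !== null && nodeCrypto.verify("sha256", challenge, publicKey, signature);
}

// Constructed 8-byte templates; real templates are larger.
const enrolled = Buffer.from("a5c3f00f3c5a9966", "hex");
const sameFinger = Buffer.from("a5c3f10f3c5a9866", "hex"); // 2 bits of sensor noise
const otherFinger = Buffer.from("5a3c0ff0c3a56699", "hex"); // every bit differs

function demo() {
  const device = createAuthenticator(enrolled);
  const challenge = nodeCrypto.randomBytes(32); // issued by the server for this login
  return {
    genuine: serverVerify(device.publicKey, challenge, device.getAssertion(sameFinger, challenge)),
    impostor: serverVerify(device.publicKey, challenge, device.getAssertion(otherFinger, challenge)),
  };
}
```

The match is a threshold on similarity rather than an equality check, which is why a noisy reading of the same finger still succeeds while the server never sees either template.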
Biometric authentication is also subject to presentation attacks (using photos or 3D models to spoof sensors), though liveness detection mitigates this. For consumers, the key consideration is not whether to use biometrics (they are generally more convenient and at least as secure as a PIN) but whether the services using them keep biometric data in on-device storage and apply strong liveness detection.