CIAM.wiki

Biometric Authentication

Biometric authentication verifies a user from a physical trait such as a fingerprint or face, most often as a local unlock on the user's device rather than a biometric sent to a server.

Also: biometrics, biometric authentication

Biometric authentication uses a physical characteristic, such as a fingerprint, face, or iris, to confirm a person’s identity. In modern consumer authentication the biometric almost always stays on the device. A fingerprint or face check unlocks a key stored in the device’s secure hardware, and it is that key, not the biometric, that proves identity to the service.

This local model matters for privacy and security. The sensitive biometric template never leaves the device, so there is no central biometric database to breach, and the website only ever sees a cryptographic signature.

This is exactly how passkeys and FIDO2 work: the biometric is the local gesture that releases the private key. For CIAM, biometrics on the device deliver strong, low-friction authentication, which is different from server-side biometric matching used in some identity verification flows.