Biometric Authentication
Verifying a person's identity by measuring a physical or behavioral trait — fingerprint, face, voice, iris, typing rhythm — that is unique enough and stable enough to distinguish one user from another.
The recurring misconception is that biometric authentication sends your fingerprint or face data to the relying party. In modern implementations (passkeys, FIDO2, Apple Sign In, Google Sign In, Microsoft Hello) it does not. The biometric is verified locally, inside the device's secure enclave; the relying party receives only an assertion stating that the verification succeeded, carried under a public-key signature that proves possession of the credential bound to that device.
Liveness detection (defeating photo attacks and deepfakes) is part of any production face-recognition deployment in 2026. Apple's Face ID uses depth sensing; Android Pixel face unlock uses a similar 3D sensor; lower-end Android implementations that rely on 2D cameras alone are not classified as Class 3 biometrics and cannot unlock high-assurance flows.
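What the relying party actually sees of the biometric check, as an added example (not code from this page or from any FIDO2 library): a parser for the fixed 37-byte header of WebAuthn authenticator data, which carries the user-verified flag and nothing derived from the fingerprint or face. The function names, the RP ID `login.example` and the sample bytes are constructed for illustration, and signature verification is assumed to have been done by the caller.

```python
import hashlib
import struct

# Flag bits in the authenticator data flags byte (WebAuthn)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: biometric or PIN was checked on the device
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows the header


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the header: rpIdHash (32 bytes), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_attested_credential": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
        "trailing_bytes": len(auth_data) - 37,
    }


def check_user_verification(auth_data: bytes, expected_rp_id: str) -> bool:
    """Policy check: assertion is for our RP ID, user present and verified."""
    # Assumption: the caller has already verified the assertion signature
    # over authenticatorData || SHA-256(clientDataJSON); the flags mean
    # nothing until that signature has been checked.
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    return (
        parsed["rp_id_hash"] == expected_hash
        and parsed["user_present"]
        and parsed["user_verified"]
    )


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input, not a captured assertion."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = build_sample("login.example", FLAG_UP | FLAG_UV, 7)
    print(parse_authenticator_data(sample))
    print(check_user_verification(sample, "login.example"))
```

A high-assurance flow would reject any assertion for which `check_user_verification` returns False, for example one where only the user-present bit is set.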
In the guides
FIDO2 Explained: CTAP2, WebAuthn, and Where Security Keys Still Win
FIDO2 is the umbrella for WebAuthn (browser API) plus CTAP2 (the authenticator protocol). How the pieces fit, when to require security keys, and how passkeys changed the deployment model.
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Passkeys Explained: How Synced Credentials Replace Passwords
Passkeys are the user-facing brand for synced WebAuthn credentials. A practical explanation of how they work, sync, recovery, and the deployment patterns that make adoption real.
WebAuthn Explained: How Passkeys Work Under the Hood
WebAuthn is the W3C browser API that powers passkeys. A practical explanation of registration, assertion, RP-IDs, attestation, and the architecture choices that determine adoption.