Why Passkeys Rely on Biometric Authentication

Biometrics & Passkeys: Unveil how developers integrate biometric verification with passkeys for next-gen user authentication.

Daniel

Created: September 29, 2022

Updated: March 25, 2026

Key Facts
  • Device-local storage prevents attack vectors: biometric templates for web apps stay on the user's device and are never transmitted to external databases.
  • Passkeys protect private keys via cryptographic processes secured by device biometrics like Face ID or Windows Hello, abstracting implementation complexity for developers.
  • Apple Face ID achieves a twin-confusion false-positive rate of approximately 1:1 million, demonstrating how modern biometric algorithms balance security and usability.
  • Approximately 90% of global devices now support passkeys, reaching critical mass for large-scale biometric authentication deployment.
  • Biometric authentication is not interoperable across devices by default: users must independently enroll on each device to enable cross-device access.

1. What is Biometric Authentication?

Biometric Authentication refers to a cybersecurity process that uses the unique biological characteristics of individuals, such as irises, voices, facial characteristics, and fingerprints, to verify a user's identity. This process is used to authorize access to a web-based application, system, or device. In contrast to identification, which asks "who are you?", authentication asks "are you who you say you are?". To access a web-based application, a user's biometric information is compared against one submitted and stored in a database to determine whether the person attempting to log in is actually who they claim to be. On the other hand, to access a device like an iPhone or a laptop, biometric information is not stored in a database but on the device itself, which it never leaves.

The word biometric is a combination of two words: bio (human) and metric (measurement). In other words, biometrics are any metrics related to human features which make an individual different from other individuals.

Biometric data is unique to individual users, and Biometric Authentication is generally more secure than other forms of authentication. Biometric Authentication is a rapidly growing technology that can help businesses ensure that only the right people access sensitive information.

Biometric Authentication is a secure, user-friendly way to verify a user's identity and authorise access to a web-based application, system, or device.

2. Types of Biometric Authentication

Several biological characteristics can be used as biometric credentials as long as they are distinguishable and measurable. Some popular types of Biometric Authentication technologies include:

  • Fingerprint recognition: uses high-resolution scans to map and compare the distinct ridges and valleys of people's fingerprints. Scanners are either optical, capacitive or ultrasonic.
  • Voice recognition: analyzes the unique sound characteristics, including duration, dynamics, intensity, and pitch, produced by a person's jaw, mouth movements and individual throat shape.
  • Facial recognition: turns the contours and measurements of a person's face into a unique numerical code called a faceprint.
  • Iris and retina recognition: uses the unique pattern of someone's iris or retina, i.e., the portion of color for iris scans and the pattern of blood vessels for retina scans.

3. How does Biometric Authentication work?

Biometric Authentication works by comparing the biometric information a user presents with the preset biometric template that's associated with the account or device the user is attempting to access. In web-based applications, biometric templates are typically stored on the user's own smartphone, tablet, or laptop and verified locally using the device's native technology, like Apple's Touch ID or Face ID. If the two datasets are nearly identical, the device detects a match and sends a security token to the service provider to grant access. This local storage of the biometric information on the device prevents attack vectors such as deep fake impersonations, but it also means that Biometric Authentication is typically not interoperable across devices unless a user has enrolled themselves independently on each device.

The match between the two datasets must be nearly identical, but not exactly identical, because it is almost impossible for two biometric datasets to match 100%. For example, the user might have slightly sweaty fingers or a tiny scar that changes the print pattern.

Designing the process of Biometric Authentication requires balancing the risk of false negatives (the device doesn't recognize the biological characteristics) against false positives (the device accepts fake biological characteristics). Because modern technologies rely on neural networks and large amounts of available data, Biometric Authentication processes are very well balanced today. For instance, the chance that Apple's Face ID gets confused by scanning the faces of twins is approximately 1:1 million.

4. Advantages of Biometric Authentication

If implemented correctly, Biometric Authentication can help your business ensure that only the right people have access to sensitive information and users have a convenient and easy authentication experience.

4.1 Enhanced Security

Because Biometric Authentication is based on a user's unique characteristics, it cannot be lost, forgotten, or guessed. Also, in contrast to the process of entering a password, biometric information cannot be seen or observed by a third party. This makes it a safer and more secure authentication option than password-based authentication. Additionally, Biometric Authentication offers best-in-class security by ensuring that a user demonstrates both possession of an original device and a unique biometric trait such as a face scan or fingerprint.

4.2 Reduced Friction

Convenience and ease of use are the second advantage of Biometric Authentication. It's much easier for users to glance at their phone or tap a sensor to unlock a device or log in to an app than it is for them to enter (and remember) a password. Biometric Authentication reduces friction, which, in turn, can increase user conversion and retention.

5. Issues with Biometric Authentication

Despite being a highly secure authentication method, Biometric Authentication still bears some potential risks if not implemented properly.

5.1 Spoofing

Hackers may use a photo, voice recordings or fingerprint replicas to trick biometric scanners. However, scanning faces in 3D, as is done with Apple's Face ID and Windows Hello, eliminates this risk.

5.2 Usability

Biological characteristics such as facial appearance or the sound of the voice change slightly as people get older. This can lead to false rejections and hence reduce convenience for users. However, as scanners and algorithms constantly evolve, false rejections seldom occur today. For instance, modern face scans provide reliable results even if people wear masks or glasses.

5.3 Privacy Issues

Biometric data is highly sensitive, and people are understandably wary of storing it in centralized databases or transferring it between systems that are vulnerable to a breach. Therefore, it makes sense for app developers to use device-based biometrics for their applications. Using Apple and Android biometric technologies allows them to avoid many liabilities, and device-based methods are becoming increasingly easy to implement.

To integrate Biometric Authentication into a web application, developers can code the flow from scratch, which is time-consuming and often complicated, especially when the user base is diverse in devices and platforms. Alternatively, developers can take advantage of passkeys, which offer a way to authenticate users via the built-in hardware infrastructure and technology of devices, such as Face ID or Windows Hello. Passkeys rely on cryptographic processes in which the private keys stored on the device are protected by the Biometric Authentication technology of the respective device.

Device support is now reaching critical mass (approximately 90% of global devices already support passkeys), and integrating passkeys into native and web apps has never been simpler or more intuitive. Good passkey solutions abstract the details so that developers can implement them as quickly as possible. Further, they make it easy to build biometric logins alongside other authentication methods to support cross-device access, account recovery and user migration.
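The "security token" the device sends after a local biometric match is, for passkeys, a WebAuthn assertion signed with the device-held private key. The sketch below is an added example, not Corbado's code or part of the original article: it shows what a service provider checks on that assertion, including the signed flag that says the biometric or PIN check ran on the device. The function names, the `example.com` relying party, the challenge and the simulated authenticator are all constructed for illustration.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();

// Server-side check of a passkey assertion (simplified: the expected values are passed in directly).
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, expected) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expected.challenge) return "challenge-mismatch";
  if (client.origin !== expected.origin) return "origin-mismatch";

  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
  if (authenticatorData.length < 37) return "short-authdata";
  const flags = authenticatorData[32];
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpid-mismatch";
  if (!(flags & 0x01)) return "user-not-present";  // UP bit
  if (!(flags & 0x04)) return "user-not-verified"; // UV bit: biometric or PIN check ran locally

  // The signature covers authenticatorData || SHA-256(clientDataJSON), so the flags are signed too.
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify("sha256", signed, expected.publicKey, signature) ? "ok" : "bad-signature";
}

// Constructed stand-in for the device. A real authenticator releases the key only after the biometric match.
function simulateAuthenticator(privateKey, { rpId, origin, challenge, flags }) {
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.from([0, 0, 0, 1])]);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const signature = sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { authenticatorData, clientDataJSON, signature };
}

// Constructed demo values for a hypothetical relying party; prime256v1 is NIST P-256.
const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const rp = { rpId: "example.com", origin: "https://example.com", challenge: "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" };

function demo() {
  const expected = { ...rp, publicKey };
  const verified = simulateAuthenticator(privateKey, { ...rp, flags: 0x05 });     // UP + UV
  const presenceOnly = simulateAuthenticator(privateKey, { ...rp, flags: 0x01 }); // UP only
  const forged = Buffer.from(presenceOnly.authenticatorData);
  forged[32] |= 0x04; // UV bit flipped after signing: the signature no longer matches
  const tampered = { ...presenceOnly, authenticatorData: forged };
  return [verified, presenceOnly, tampered].map((a) => verifyAssertion(a, expected));
}

console.log(demo());
```

No biometric data appears anywhere in the message: the server sees only the public key registered earlier, the signed flags and the signature.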

7. Conclusion: Integrate Biometric Authentication Today

Corbado is leading the way in easy-to-implement passkey solutions that boost security and increase conversions. More and more digital first movers like eBay, PayPal, Kayak and others already implement passkeys. If you are interested in integrating Biometric Authentication with passkeys into your application, check out Corbado's solutions. Sign up for a free account to get started.

Frequently Asked Questions

How do passkeys actually use biometric data to authenticate a user?

When a user authenticates with a passkey, the device's built-in biometric technology (such as Face ID or Windows Hello) unlocks a locally stored private key through a cryptographic process. The biometric check happens entirely on the device, and only a security token is sent to the service provider. Biometric data never leaves the device, eliminating exposure to remote database breaches.

What is the difference between biometric identification and biometric authentication?

Identification asks 'who are you?' and establishes a person's identity, while authentication asks 'are you who you say you are?' and verifies a claimed identity against a stored template. In web applications, biometric templates are stored locally on the user's device and checked by the device's native technology. This distinction is important for developers designing access control flows with the correct verification logic.

Why should developers use passkeys instead of building biometric authentication from scratch?

Coding a biometric authentication flow from scratch is time-consuming and complicated, especially for a diverse user base across devices and platforms. Passkeys leverage existing built-in hardware infrastructure and abstract implementation details, making integration significantly faster. With approximately 90% of global devices already supporting passkeys, the infrastructure for widespread deployment is already in place.

What are the main risks of biometric authentication and how are they mitigated?

The primary risks are spoofing (using photos, voice recordings or fingerprint replicas), usability degradation as biological traits change over time, and privacy concerns around centralized data storage. Modern 3D face scanning used in Apple Face ID and Windows Hello eliminates many spoofing risks, and device-based biometrics avoid centralized database vulnerabilities. Using platform biometric technologies also reduces developer liability compared to storing biometric data in a proprietary system.
