Native Apps: Passkeys vs. Local Biometrics

After biometrics on mobile phones became mainstream, many native apps started using features like Face ID or Touch ID (or the Android equivalent) to protect app access. This local biometric protection significantly improves user convenience by allowing quick and frictionless access. At first glance, passkeys and local biometrics might seem redundant because both involve verifying the user. But they serve fundamentally different purposes. This article will explore:

• Passkeys vs. Local Biometrics: How local biometrics and passkeys differ in their roles and functionality?
• Add Passkeys to Apps with Local Biometrics: Does it make sense to add passkeys to apps that already use biometrics? What are the benefits?

By the end, we will have a better understanding of when and how to leverage these solutions together to create a more secure, user-friendly, and seamless app experience. We’ll also outline practical scenarios where combining passkeys and local biometrics can enhance both security and convenience, ensuring that developers can make informed decisions to meet user needs effectively.

Local biometric authentication methods, such as Apple’s Face ID, Touch ID, or Android’s biometrics capabilities leverage unique physical traits (e.g., facial features or fingerprints) to verify a user’s identity. Unlike traditional PINs or passwords, which rely on something the user knows, biometrics rely on something inherent to the user. This shift eliminates the need to repeatedly type in a code, significantly reducing friction and making everyday app access both swift and secure.

Before biometrics gained mainstream traction on mobile phones, apps aiming to safeguard sensitive content often asked users to enter an additional PIN or password each time they were launched. While this approach increased security, it also introduced additional inconvenience, especially when the user had already been authenticated at the start of their session. The arrival of device-based facial recognition and fingerprint scanning technologies simplified this process. Instead of repeatedly keying in a code, a user could now unlock the app with a quick facial scan or a brief touch. If, for any reason, the biometric check fails or the user prefers not to enable it, a fallback PIN, passcode, or password remains available. This design ensures both convenience and accessibility without compromising on security.

It’s crucial to distinguish local biometric checks from full remote authentication events. Remote authentication occurs at the start of a new session verifying the user’s identity against the service’s backend systems using credentials like passwords or passkeys. This step establishes trust between the user and the service.

Local biometrics, in contrast, focus on re-verifying identity during an ongoing, authenticated session. Rather than asking the user to re-enter passwords or other credentials when they briefly leave the app or lock their phone, local biometrics confirm that the same authorized user is still in control of the device. This device-centric verification does not require an internet connection or interaction with remote servers, making it fast, reliable, and seamless in everyday use.

Biometric data is stored and processed securely within dedicated hardware security modules - like the Secure Enclave on iOS or the Trusted Execution Environment (TEE) on Android. These trusted modules are designed to keep sensitive biometric data safe from tampering, extraction, or transfer.

Because of this hardware-level anchoring, biometric verification cannot be easily shared across devices or services. Each device’s biometric templates remain unique to that particular unit, ensuring that if a user upgrades to a new phone, they must re-enroll their biometrics from scratch. While this adds a small onboarding step when switching devices, it safeguards against unauthorized access and prevents remote attacks that could exploit centrally stored biometric data. Moreover, local biometrics work without requiring an internet connection, making them reliable even when the device is offline.

Local biometrics streamline security by verifying that the person currently handling the device is indeed the rightful, already authenticated user without requiring repeated custom PIN or password entry in case the app has an important functionality like banking, insurance or other personal details.

They maintain convenience by working seamlessly and instantly on-device, operate offline, and rely on secure hardware enclaves to protect sensitive biometric data. While they cannot replace the need for initial remote authentication (such as a passkey or password) to establish user identity in the first place, they are very good at managing and protecting subsequent, ongoing sessions.

Their limitations such as lack of portability and the need for re-enrollment on new devices are trade-offs made for the sake of enhanced convenience and tight device-level security. Ultimately, local biometrics serve as a powerful, user-friendly method of ensuring continuous trust in an app session once that trust is initially established.

Passkeys change the nature of authentication by replacing shared secrets like passwords with asymmetric cryptographic credentials. Unlike local biometrics, which only verify an already authenticated user locally, passkeys serve as a primary method of identifying users to a remote service. This ensures a secure, phishing-resistant login experience even in a scenario where the user and device are initially unknown to the application’s backend.

Before passkeys, the common approach to establishing trust with a remote service involved passwords shared secrets known by both the user and the server. While passwords are simple to implement, they are vulnerable to threats like phishing, credential stuffing, and password reuse.

Passkeys address these challenges by using a pair of cryptographic keys: a private key securely stored on the user’s device and a corresponding public key registered with the service. When a login attempt occurs, the service sends a challenge that can only be solved by the user’s private key. This ensures that even if attackers intercept data or try to trick users into revealing credentials, they cannot gain unauthorized access.

Passkeys employ asymmetric cryptography:

• Private Key (Client-Side): Stored safely within the device’s secure enclave, inaccessible to other apps or even the operating system itself.
• Public Key (Server-Side): Registered with the application’s backend, but useless on its own without the private key. Since the user never sends the private key over the network and never has a “shared secret” to type, phishing attempts are largely rendered ineffective. Attackers cannot trick users into typing something they do not know, and intercepting the public key offers no advantage. This architecture, supported by standards like FIDO2 and WebAuthn, ensures that the entire authentication flow is based on provable cryptographic operations rather than user-entered credentials.

This is especially important for systems where in addition to native apps also websites are in use where phishing is a large problem. Passkeys created on a mobile device can be used via Cross-Device-Authentication also on websites on a desktop machine.

One of the core advantages of passkeys is their seamless portability across a user’s devices. Modern operating systems can synchronize passkeys via secure cloud storage (e.g., iCloud Keychain, Google Password Manager), enabling users to log in from multiple devices without re-registration or remembering passwords for the first installation of the app. Moreover, passkeys can also be used in scenarios were a second factor would be required to provide two-factor-like protection without introducing friction. This synergy allows for quick, secure logins no matter which device the user chooses, reinforcing an ecosystem where secure authentication is both universally accessible and easy to maintain.

Passkeys represent a powerful, phishing-resistant method of authenticating unknown users to remote services. By leveraging asymmetric cryptography and shifting away from shared secrets to device-resident private keys, they remove many of the weaknesses that plagued password-based systems. Passkeys combine robust security, global portability, and direct integration with hardware security components. As a result, they serve as a strong foundation for establishing user identity something that local biometrics alone cannot provide. In the context of native apps, passkeys are the critical first step in creating a secure session, after which local biometrics can be employed to maintain quick and convenient user access.

When it comes to authentication in native apps, passkeys and local biometrics play important but diffent roles. While they both improve user experience and security, they address fundamentally different problems:

• Passkeys authenticate unknown users to a remote service, often during the first login or when creating a new session.
• Local biometrics, such as Face ID or Touch ID, re-verify an already authenticated user locally, ensuring continuity and convenience for ongoing sessions.

Understanding these differences is vital for developers aiming to create robust authentication flows that are both secure and user-friendly.

To better understand the distinctions and complementary roles of passkeys and local biometrics, the table below compares their key characteristics across various dimensions, including purpose, use cases, security, and portability. This comparison highlights how these technologies address fundamentally different problems while working together to enhance both security and user convenience.

While the table highlights the core differences, it’s important to recognize that passkeys and local biometrics are not competing technologies - they’re complementary. Together, they provide a layered authentication experience:

1. Passkeys for Initial Authentication, Re-Login and MFA
   Passkeys are important in establishing trust between a user and a remote service. They provide phishing-resistant, cross-platform, and cross-device authentication by using asymmetric cryptography. This ensures that even if attackers intercept data, they cannot access user accounts. With seamless cloud synchronization (e.g., iCloud Keychain or Google Password Manager), passkeys enable users to log in effortlessly across devices, making them ideal for first-time sign-ins, re-installs, or multi-factor authentication (MFA) scenarios. They also serve as a bridge between mobile apps and websites, offering a consistent and secure experience across an ecosystem. For apps requiring heightened security, passkeys can replace traditional second-factor methods with a self-contained MFA solution.
2. Local Biometrics for Ongoing Verification:
   Once authenticated, local biometrics offer quick, secure, and frictionless access to apps by verifying that the same authorized user is operating the device. Unlike passkeys, local biometric checks are device-centric and offline, relying on secure hardware enclaves to store and process data. This ensures that sensitive information never leaves the device, adding a layer of security without requiring constant user input. By reducing the need to re-enter credentials, local biometrics enhance the user experience, particularly for apps that handle sensitive information like banking or healthcare. They protect ongoing sessions by verifying the device holder, ensuring convenience without compromising security.

In combining passkeys and local biometrics, developers can deliver a secure, seamless, and user-friendly authentication flow.

By combining passkeys and local biometrics, developers can create a robust authentication flow that:

• Improves Security: Passkeys protect against phishing, credential stuffing, and password theft, while local biometrics prevent unauthorized access to authenticated sessions.
• Enhances User Experience: Local biometrics eliminate the need to repeatedly enter passwords or passkeys, creating a frictionless experience after initial authentication. In case a re-authentication is needed because of timeouts or sign-outs reauthentication is as easy as unlocking the app.
• Simplifies Multi-Device Access: Passkeys enable cross-platform authentication, while local biometrics provide convenient device-level security. If passkeys are used on the web, adding them to the native app is an important additional step to close the gap and offer a full-service passkey experience for the user.

This synergy ensures that apps can provide both strong authentication and seamless convenience a winning combination for modern user expectations.

In order to gain a better understanding of how real-world examples and combinations work, we will examine two different implementations: one that leverages only passkeys and another that uses a combined approach.

The Kayak app demonstrates an implementation of passkeys for user authentication. Passkeys are seamlessly integrated into the login process, offering users the option to authenticate without needing to remember their email address or password. As shown in the authentication screen, users can directly select a passkey to log in. This approach significantly simplifies the user experience by reducing cognitive load and eliminating password-related friction.

Once authenticated via a passkey, the user gains unrestricted access to the app without requiring reauthentication. This design is particularly suitable for Kayak, a travel app that primarily manages booking history and itineraries, which are not considered highly sensitive or critical data.

Key Highlights of Kayak's Approach:

• Passkey Login on Authentication Screen: The app immediately offers passkey login, reducing steps and enhancing user convenience.
• No Local Biometric Protection Post-Login: Given that the app doesn't handle sensitive personal data, Kayak has chosen not to implement local biometric protections, like Face ID or fingerprint lock, for the logged-in state. This decision aligns with the app's data security needs while maintaining a frictionless experience for users.

This implementation demonstrates how passkeys can streamline the authentication process while eliminating the need for passwords, providing a frictionless experience for users. However, in scenarios where more sensitive or critical actions are performed within the app, additional layers of security, such as local biometrics, may be necessary. Let’s explore how GitHub leverages both passkeys and biometrics to ensure security without compromising usability.

GitHub balances the integration of passkeys for secure login with local biometrics to protect app content in the logged-in state. Passkeys are offered as a fast, phishing-resistant login option, which is particularly important given GitHub's multi-factor authentication (MFA) requirements. This eliminates the need for users to manage passwords or one-time passcodes, providing a seamless and secure login experience. But for the sake of this article we will not look at their passkey implementation.

GitHub's Additional Layer of Security with Local Biometrics:
Because GitHub also offers sensitive operations like merging pull requests, GitHub allows users to enable local biometric protection if they feel it is nessasary. In this example, Face ID is used to lock the app on iOS, ensuring only the device owner can access or execute the GitHub App. The app explicitly requests the necessary privileges from the operating system to activate biometrics and offers configurable intervals (e.g., immediate or after a defined timeout).

Key Highlights of GitHub's Approach:

• Passkey Login for MFA Compliance: GitHub leverages passkeys to streamline secure logins without compromising on multi-factor authentication standards.
• Biometric Lock for App Protection: By using local biometrics like Face ID, GitHub ensures that logged-in sessions cannot be abused or accessed by unauthorized individuals. This additional layer of security is crucial for apps handling sensitive user data or actions.

Together, these examples illustrate how passkeys and local biometrics can be tailored to the needs of different apps, balancing user convenience with appropriate security measures.

Below are four recommendations tailored to common scenarios where local biometrics and passkeys might be implemented. The recommendations are structured so that developers, product managers, and decision-makers can quickly identify which approach best fits their situation. A summary table follows, making it easy to map each recommendation to a given scenario:

1. For Regulated, Sensitive, or High-Value Data Apps: Passkeys + Local Biometrics
   If your app deals with critical, personal, regulated, or high-sensitivity data (e.g., financial, healthcare, governmental, personally identifiable information), implement local biometrics for secure, frictionless re-authentication. This ensures that once users are signed in, ongoing access to sensitive features is protected by on-device factors (Face ID, Touch ID, fingerprint scanning) without re-entering credentials. At the same time this is also a strong indication to implement passkey sand enforce the MFA-requirement across for device types. This is where Corbados Enterprise Passkey Suite can help you especially if your are in a large scale deployment and want to make sure that you can achieve a 100% passkey adoption.
2. Large-Scale Consumer App: Passkey Integration Across All Devices
   Even outside of sensitive areas a passkey implementation makes sense to avoid phishing and remove the password pain. When planning a passkey rollout, ensure it’s part of a holistic authentication strategy that spans all device types, including native apps, web interfaces, and other connected endpoints. Don’t treat passkeys as a one-off feature; instead, integrate them consistently across mobile, desktop, and web to provide a unified and user-friendly login experience. When passkeys are already part of your web authentication, it is imperative to extend this functionality to your native apps. This ensures a consistent, secure, and user-friendly login experience across all platforms, leveraging the strong security and convenience of passkeys everywhere your service is offered.
3. Greenfield or Standalone Apps:
   For new (greenfield) applications or standalone apps without legacy authentication baggage from web, consider starting with passkeys from the beginning. By doing so, you create a future-proof authentication scheme that eliminates password issues and lays the groundwork for frictionless and secure user journeys across all platforms. Take a look at our Corbado Complete solution.
4. Avoid Partial Implementations for Multi-Device Ecosystems:
   If your service spans multiple device types (e.g., mobile, web, and desktop), do not introduce passkeys in only one environment. Partial implementations reduce consistency and can confuse users. Instead, adopt passkeys uniformly to ensure a smooth, unified login experience everywhere. Rolling them out step by step or first on the largest device types and then in the native app is reasonable, but it should be done within a short time frame.

While the above recommendations cover a range of common scenarios, there are countless other situations where the choice of implementing local biometrics, passkeys, or both may vary. Every application has unique security, usability, and compliance needs, and it’s essential for developers, product managers, and business leaders to thoroughly assess these factors before settling on an approach. By carefully weighing your specific use cases, regulatory requirements, and user expectations, you can craft an authentication strategy that not only protects your users and their data but also delivers the seamless, user-friendly experience today’s customers have come to expect.

As we have seen, local biometrics and passkeys serve fundamentally different yet complementary roles in modern authentication strategies. Local biometrics simplify ongoing session verification by leveraging the user’s inherent traits for rapid, on-device checks, while passkeys establish a secure and phishing-resistant trust relationship with remote services. By thoughtfully combining these methods, developers can create a user experience that is both frictionless and highly secure, effectively meeting the needs of a diverse and demanding digital landscape. Coming back to the questions from the Introduction:

• Passkeys vs. Local Biometrics: How local biometrics and passkeys differ in their roles and functionality?
  Local biometrics provide convenient, device-centric re-verification for users already authenticated, ensuring that the rightful owner is continuously controlling the device. In contrast, passkeys replace shared secrets like passwords, enabling secure, initial remote authentication and easy cross-device portability, thereby eliminating phishing risks and offering a unified login experience across platforms and form factors.
• Add Passkeys to Apps with Local Biometrics: Does it make sense to add passkeys to apps that already use biometrics?
  Yes, it often makes sense. Biometrics alone do not establish initial user identity with remote services, whereas passkeys do. Incorporating passkeys alongside existing local biometrics can strengthen overall security while maintaining user convenience. Passkeys handle the critical first step of authentication and cross-device portability, while biometrics streamline subsequent access and ongoing session verification.

By recognizing the distinct yet mutually beneficial roles of passkeys and local biometrics, developers and decision-makers can implement a comprehensive authentication approach that balances security, convenience, and user satisfaction. In doing so, applications become more resilient against threats, easier to navigate, and more adaptable to evolving user and regulatory requirements ultimately delivering a seamless and trustworthy digital environment.