How Do Face ID and Fingerprint Sensors Recognize You? Biometrics and Security
You pick up your phone, glance at the screen, and it unlocks. You tap a payment button, and one fingerprint finishes the job. Behind this motion you repeat dozens of times a day, your phone is making a judgment every single time: is this person really the owner? And once you stop to think about it, questions pile up. Couldn’t someone unlock it with a photo of my face? Where is my fingerprint actually stored — is it being uploaded to some company server? In this post, we will walk through how biometric authentication recognizes you, and why biometric data has to be handled very differently from a password. No code involved.
A fundamentally different way of deciding than a password
Checking a password is simple. The string you type must match the stored one down to the last character. It is an exact match or it is not — one of two outcomes.
Biometric authentication cannot work that way. Your face today is subtly different from your face yesterday. The lighting changes, the angle changes, glasses come on and off, stubble grows. Fingerprints, too — where you place your finger and how hard you press varies every time. The exact same input simply never arrives twice.
So instead of asking “does it match exactly,” biometrics asks “is it similar enough?” The system compares the incoming input against what you enrolled, computes a similarity score, and accepts you as the owner if the score clears a set threshold. Most of the strengths and weaknesses of biometric authentication trace back to this starting point — judging by similarity.
What happens at enrollment: a mathematical summary, not a photo
When you set up Face ID or a fingerprint, the phone has you turn your head around and press your finger several times. It is tempting to assume the phone is stacking up photos of your face or images of your fingerprint, but that is not what happens.
The phone extracts only the distinctive features and converts them into an array of numbers. For a fingerprint, that means the relative layout of the points where ridges split and end. For a face, it means geometric features like the distances and contours between your eyes, nose, and mouth. This bundle of numbers is called a mathematical template. By analogy, it is less like keeping a photo of your face and more like jotting down a list of measurements — “distance between the eyebrows: this much, height of the nose: that much.”
One property matters a great deal here. The conversion goes in one direction only. A template can be made from your face, but the design ensures the template cannot be reversed back into a picture of your face. Even if a template somehow leaked, that would not be the same as your face or fingerprint image leaking.
Where does that template live? A vault inside the device
So where is the template stored? The answer is inside the phone — and not in ordinary storage, but inside a dedicated security chip. Apple calls this area the Secure Enclave, and Android devices have a secure area that plays the same role. It is a small vault walled off from the main operating system, built so that even if the phone is hacked, getting straight into this area is hard.
What matters even more is that this template never leaves the device. It is not sent to Apple’s or Google’s servers, and it is not included in backups. When a banking app uses fingerprint authentication, the app never receives your fingerprint data. The app asks the operating system to “please verify the owner,” the security chip makes the call, and the app gets back only a verdict: match or no match. This is the answer to the worry “what if my biometric data leaks.” For your phone’s biometrics, there is no central server to leak from in the first place.
Why a single photo doesn’t get through
Face recognition sounds like something a photo should fool, but modern phone face recognition does not look at flat images. Face ID projects tens of thousands of infrared dots onto your face and reads how those dots bend to build a 3D map of your face. A photo, no matter how sharp, is flat — it carries no depth information, and it gets filtered out right at this stage.
On top of that comes liveness detection: a check that whatever is in front of the camera is a living person, using signals like whether the eyes are open and looking at the screen. This is why, with default settings, holding a phone up to a sleeping person’s face will not unlock it. Fingerprints work the same way. The sensor does not merely look at the pattern — capacitive and ultrasonic sensors read the actual 3D structure of living skin, so a printout of a fingerprint does not get through.
False accepts, false rejects, and twins
Any system that judges “similar enough” carries an unavoidable trade-off. Set the threshold strictly, and the odds of a stranger getting through (a false accept) shrink — but the odds of the rightful owner being turned away (a false reject) grow. When recognition fails because you are wearing a mask or your hands are wet, that is a false reject. Loosen the threshold and the experience gets smoother, but the risk of a look-alike getting through goes up.
By Apple’s published figures, the chance of a random stranger getting through Face ID is roughly 1 in 1,000,000, and for the fingerprint-based Touch ID, roughly 1 in 50,000. But those odds assume a “random stranger” — Apple itself warns that the probability rises sharply for identical twins or young siblings who look alike. The recurring stories of a twin unlocking a sibling’s phone with their face are less a defect in the system than an inherent limit of judging by similarity.
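To make the “similar enough” decision and the false-accept / false-reject trade-off concrete, here is an added example; it is not code from this post (which has none) or from any phone vendor. The four-number templates, the score lists and the choice of cosine similarity as the matcher are all constructed stand-ins: a real matcher works on high-dimensional learned embeddings and its thresholds are calibrated on millions of comparisons, not ten. What the example shows is the shape of the decision: a password check returns one of two outcomes, a biometric check returns a score and a threshold turns it into a verdict, and sliding that threshold trades false accepts against false rejects.

```python
"""Similarity-threshold matching and the false-accept / false-reject trade-off.

Added example for this post, not code from the post or from any vendor.
The templates are short constructed feature vectors, the score lists are
made up, and cosine similarity stands in for a real matcher, which works on
high-dimensional learned embeddings and is calibrated on far more samples.
"""
import hmac
import math
from typing import Sequence


def password_matches(stored: str, typed: str) -> bool:
    """A password decision: exact match or not, with nothing in between."""
    return hmac.compare_digest(stored.encode(), typed.encode())


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Similarity between two templates: 1.0 when identical, lower as they diverge."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def biometric_matches(enrolled, probe, threshold: float) -> bool:
    """A biometric decision: accept when the score clears a tunable threshold."""
    return cosine_similarity(enrolled, probe) >= threshold


def error_rates(genuine_scores, impostor_scores, threshold):
    """(FAR, FRR) at one threshold: impostors let in, genuine users turned away."""
    far = sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)
    frr = sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)
    return far, frr


def sweep(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) for every candidate threshold, lowest first."""
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, *error_rates(genuine_scores, impostor_scores, t)) for t in candidates]


def choose_threshold(genuine_scores, impostor_scores, max_far):
    """Lowest threshold (fewest false rejects) whose FAR stays within the budget."""
    for t, far, frr in sweep(genuine_scores, impostor_scores):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no candidate threshold meets the FAR budget")


# Constructed sample data. Four numbers per "template" instead of hundreds.
ENROLLED = [0.82, 0.41, 0.15, 0.67]        # template captured at enrollment
GENUINE_PROBE = [0.80, 0.44, 0.12, 0.70]   # same finger, slightly different press
IMPOSTOR_PROBE = [0.20, 0.75, 0.60, 0.10]  # a different finger

# Constructed similarity scores from many comparisons: owner vs. own template,
# and strangers vs. the owner's template.
GENUINE_SCORES = [0.97, 0.93, 0.88, 0.99, 0.91]
IMPOSTOR_SCORES = [0.42, 0.71, 0.89, 0.55, 0.60]


if __name__ == "__main__":
    print("password:", password_matches("hunter2", "hunter2"), password_matches("hunter2", "hunter3"))
    print("genuine probe:", biometric_matches(ENROLLED, GENUINE_PROBE, 0.95))
    print("impostor probe:", biometric_matches(ENROLLED, IMPOSTOR_PROBE, 0.95))
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {far:.1f}  FRR {frr:.1f}")
    print("strictest budget (FAR 0):", choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

Running the sweep on the constructed scores shows the trade-off directly: at a threshold of 0.80 one impostor is let in and no owner is rejected, at 0.91 no impostor is let in but one genuine attempt is rejected. Vendors pick the operating point by fixing a false-accept budget first (the “1 in 1,000,000” figure is such a budget) and accepting whatever false-reject rate that implies, which is why the fallback to a passcode is part of the design rather than an afterthought.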
That is why biometrics never stands alone. After a few failed attempts, the phone always falls back to the passcode, and right after a reboot it demands the passcode first, with no biometric option. Structurally, the password is still the safety net at the bottom, and biometrics is a fast gate built on top of it.
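The verdict-only boundary from the vault section and the passcode fallback described above, as an added example that is not Apple’s, Google’s or this post’s own code. `SecureEnclave` and `BankingApp` are constructed stand-ins: the enrolled template and the passcode verifier live inside the enclave object, the app only ever receives a verdict, biometrics are unavailable until the passcode has been entered once after boot, and five consecutive misses hand control back to the passcode. The five-attempt limit, the passcode value and the cosine matcher are all assumptions made for the example, not the real policies.

```python
"""Verdict-only biometric boundary with passcode fallback.

Added example for this post, not Apple's, Google's or the post's own code.
`SecureEnclave` stands in for the isolated security chip: the template and the
passcode verifier live inside it and only a verdict crosses to the app. The
five-failure lockout, the passcode-first rule after boot and the cosine matcher
are constructed stand-ins for the real policies and algorithms.
"""
import hashlib
import hmac
import math
import os
from typing import List, Optional, Sequence

MAX_BIOMETRIC_FAILURES = 5  # constructed policy value


def _cosine(a: Sequence[float], b: Sequence[float]) -> float:
    """Toy similarity score; a real matcher is far more elaborate."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


class SecureEnclave:
    """Everything in here is meant to be unreachable from application code."""

    def __init__(self, passcode: str) -> None:
        self._salt = os.urandom(16)
        self._passcode_hash = self._hash(passcode)
        self._template: Optional[List[float]] = None  # never exported
        self._failures = 0
        self._passcode_required = True  # fresh boot: passcode first, no biometrics

    def _hash(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def unlock_with_passcode(self, passcode: str) -> bool:
        """The safety net: a correct passcode re-enables the biometric gate."""
        ok = hmac.compare_digest(self._hash(passcode), self._passcode_hash)
        if ok:
            self._failures = 0
            self._passcode_required = False
        return ok

    def enroll(self, template: Sequence[float]) -> None:
        if self._passcode_required:
            raise PermissionError("unlock with the passcode before enrolling")
        self._template = list(template)

    def verify_biometric(self, probe: Sequence[float], threshold: float = 0.95) -> Optional[bool]:
        """Verdict only: True / False, or None when biometrics are not available."""
        if self._passcode_required or self._template is None:
            return None
        if _cosine(self._template, probe) >= threshold:
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_BIOMETRIC_FAILURES:
            self._passcode_required = True  # too many misses: back to the passcode
        return False


class BankingApp:
    """Relying app: holds no template and no key, only asks for a verdict."""

    def __init__(self, enclave: SecureEnclave) -> None:
        self._enclave = enclave

    def authorize_payment(self, probe: Sequence[float]) -> str:
        verdict = self._enclave.verify_biometric(probe)
        if verdict is None:
            return "enter passcode"
        return "approved" if verdict else "denied"


def run_scenario() -> List[str]:
    """Boot, enroll, one genuine use, five impostor misses, lockout, recovery."""
    enclave = SecureEnclave("482913")  # constructed passcode
    app = BankingApp(enclave)
    owner_template = [0.82, 0.41, 0.15, 0.67]   # constructed
    owner_probe = [0.80, 0.44, 0.12, 0.70]      # same finger, different press
    stranger_probe = [0.20, 0.75, 0.60, 0.10]   # constructed impostor
    outcomes = [app.authorize_payment(owner_probe)]      # "enter passcode" right after boot
    enclave.unlock_with_passcode("482913")
    enclave.enroll(owner_template)
    outcomes.append(app.authorize_payment(owner_probe))  # "approved"
    for _ in range(MAX_BIOMETRIC_FAILURES):
        outcomes.append(app.authorize_payment(stranger_probe))  # "denied"
    outcomes.append(app.authorize_payment(owner_probe))  # "enter passcode": locked out
    enclave.unlock_with_passcode("482913")
    outcomes.append(app.authorize_payment(owner_probe))  # "approved" again
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```

The point of the structure is what the app can and cannot see: `BankingApp` holds a handle to the enclave and nothing else, so a compromised app can at most ask for verdicts, and the enclave’s own counter decides when to stop answering and demand the passcode. Python does not enforce the `_template` boundary the way a separate chip does, which is exactly why the real design puts it in hardware.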
You can change a password — you can’t change a fingerprint
Biometric data has one property that sets it decisively apart from passwords. If a password leaks, you change it and move on. But you have exactly ten fingerprints for life, and exactly one face. Once it leaks, there is no reissuing it.
This property is why “where it is stored” sits at the heart of biometric design. Phones keeping templates from ever leaving the device is not a courtesy — it is the consequence of a principle: information that cannot be changed should never be pooled in the first place. Conversely, if some service collects biometric data on a central server, a single breach of that server becomes permanent damage for its users. That is why, when a new service asks to enroll your face or fingerprint, it is worth asking one question: does this data stay on my device, or does it go to a server?
Password managers, and on to passkeys
Biometric authentication is less a technology that eliminates passwords than one that lowers the final hurdle of the password system. The classic example is unlocking a password manager’s vault with one fingerprint instead of typing the master password. And passkeys, now spreading quickly, push this combination one step further. The security chip creates and holds a different cryptographic key for each site, and all you do is unlock that chip with your face or fingerprint — login done. The direction is a world with no passwords to memorize at all, and the gate guarding its entrance is exactly the biometric authentication we covered in this post.
Wrapping up
Let’s tie it all together. Biometric authentication is a system that judges sufficient similarity, not exact matches. Your face and fingerprint are converted into irreversible mathematical templates — not images — that stay only in a security chip inside your device. Photos get filtered out by depth mapping and liveness detection, and because of the trade-off between false accepts and false rejects, the password always stands behind it as the safety net. And because biometric data is the one thing you cannot change, a design that never lets it leave the device matters above all else. The next time your phone opens with a glance, remember what happened in that brief moment: an infrared 3D map, and a verdict made inside a security chip.