How Biometric Authentication Works and Where It Falls Short
Biometrics authenticate identity using physical traits like fingerprints and facial geometry. Discover how each modality works, what error rates mean, and why biometrics cannot be reset like passwords.
Apple's Face ID Processes 30,000 Infrared Dots in Milliseconds — and Gets Fooled by Twins
When Apple introduced Face ID with the iPhone X in 2017, it claimed a 1-in-1,000,000 probability of a random person's face unlocking the device — compared to 1-in-50,000 for Touch ID fingerprint authentication. In practice, the system is fooled by identical twins and has a higher failure rate for children under 13. Biometric authentication represents a fundamental shift in identity verification: rather than something you know (password) or something you have (token), it uses something you are — a physical characteristic that, in theory, is unique to you. This uniqueness is both its greatest strength and its most profound limitation. A forgotten password is resettable. A compromised fingerprint is not.
How Biometric Systems Work: Template Matching
Every biometric system follows the same architecture. During enrollment, a sensor captures a biometric sample, which is processed by a feature extraction algorithm to produce a template — a mathematical representation of the distinctive features, not a stored image of the original. During authentication, a new sample is captured, features are extracted, and a matching algorithm compares the new features against the stored template, producing a similarity score. If the score exceeds a defined threshold, the match is accepted.
The threshold is a policy decision with security consequences. Lowering it reduces false rejections (legitimate users denied access) but increases false acceptances (imposters granted access). Raising it does the reverse. This tradeoff is quantified in two metrics that define biometric system performance: False Acceptance Rate (FAR) — the percentage of unauthorized users incorrectly authenticated — and False Rejection Rate (FRR) — the percentage of authorized users incorrectly rejected. The point at which FAR equals FRR is called the Equal Error Rate (EER); systems with lower EERs perform better.
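To make the threshold tradeoff concrete, the following is an added Python example (not code from any vendor or from this article) that takes constructed genuine and impostor similarity scores, computes FAR and FRR at a chosen threshold, and sweeps thresholds to locate the EER. The score lists are made up for illustration; a real evaluation would use scores from many enrolled subjects and impostor pairings.

```python
"""FAR, FRR and EER from matcher similarity scores (added illustration)."""
from typing import Iterable, List, Tuple

# Constructed sample data, not from any real matcher. Scores lie in [0, 1].
# Genuine scores: a user's fresh sample compared against their own template.
# Impostor scores: a fresh sample compared against someone else's template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.86]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.27, 0.72, 0.19, 0.44]


def far(impostor: Iterable[float], threshold: float) -> float:
    """False Acceptance Rate: fraction of impostor scores at or above threshold."""
    scores = list(impostor)
    return sum(s >= threshold for s in scores) / len(scores)


def frr(genuine: Iterable[float], threshold: float) -> float:
    """False Rejection Rate: fraction of genuine scores below threshold."""
    scores = list(genuine)
    return sum(s < threshold for s in scores) / len(scores)


def tradeoff(genuine, impostor, thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """Tabulate (threshold, FAR, FRR): raising the threshold lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor, steps: int = 1000) -> Tuple[float, float]:
    """Sweep thresholds in [0, 1] and return (threshold, EER) where |FAR - FRR| is smallest.

    EER is reported as the mean of FAR and FRR at that threshold, the usual
    convention when the two curves do not cross exactly on a sampled point.
    """
    best = None  # (gap, threshold, eer)
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, a, r in tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.7, 0.9]):
        print(f"threshold={t:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    threshold, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {threshold:.3f}")
```

With these constructed scores a threshold of 0.5 admits two of ten impostors and rejects no genuine user, 0.9 admits no impostor but rejects six of ten genuine users, and the curves cross near 0.7 with FAR = FRR = 10%. On a real system the EER is only a summary: an operator picks the working threshold from the deployment's risk, usually well to the FAR side of the EER for access control.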
Major Biometric Modalities Compared
| Modality | Mechanism | Typical EER | Key Advantages | Key Vulnerabilities |
|---|---|---|---|---|
| Fingerprint | Minutiae (ridge endings, bifurcations) extracted from dermal papillae | 0.1–2% | Ubiquitous, fast, low cost | Latent print lift and 3D-print attacks; age and condition effects |
| Face (2D) | Geometric relationships between facial landmarks | 0.5–5% | Contactless, camera hardware available everywhere | Photo attacks, mask attacks, lighting dependence |
| Face (3D infrared) | Structured light or time-of-flight depth mapping | 0.001–0.01% | High accuracy, liveness resistant to 2D attacks | Identical twin vulnerability; high-quality 3D mask attacks |
| Iris | Texture of iris muscle in high-resolution NIR image | 0.01–0.1% | Highly unique; stable over lifetime | High-res photo attack; requires controlled acquisition |
| Voice | Acoustic and linguistic features of speech | 3–10% | Passive, no special hardware | Recording replay, voice cloning with AI tools |
| Behavioral (typing cadence, gait) | Timing patterns of keystrokes; walking dynamics | 5–15% | Continuous authentication; passive | Imitation, health condition variability |
Liveness Detection: The Core Challenge
Presentation attacks — submitting a fabricated biometric artifact instead of a live person — are the primary attack against biometric sensors. For fingerprints, gelatin or silicone replicas created from a latent print can spoof capacitive sensors. For face recognition, high-resolution photographs suffice against 2D cameras. Against 3D face recognition, researchers at Chaos Computer Club demonstrated in 2017 that a custom-printed mask could fool early versions of Face ID.
Liveness detection (Presentation Attack Detection, PAD) is the countermeasure. Techniques include:
- Challenge-response: Asking the user to blink, smile, or follow a moving target — verifies a live, responsive subject.
- Texture analysis: Distinguishing the micro-texture of real skin from printed or silicone surfaces using near-infrared or high-resolution visible light.
- 3D depth sensing: Structured light (Apple Face ID) or time-of-flight sensors verify that a real three-dimensional face is present, not a photo or flat mask.
- Blood flow detection: Remote photoplethysmography (rPPG) detects subtle color changes from blood flow in facial skin — absent in photographs or masks.
- AI-based spoofing detection: Convolutional neural networks trained to identify artifacts of synthetic or printed biometrics.
The Irreversibility Problem
Biometrics cannot be revoked or reissued. If your password is compromised, you change it. If your fingerprint template is stolen from a database, you cannot issue yourself a new fingerprint. This irreversibility has serious implications for large-scale biometric database breaches.
The 2019 breach of Suprema's BioStar 2 platform exposed approximately 27.8 million fingerprint records and facial recognition data. The breach demonstrated that storing biometric templates in centralized databases creates a uniquely severe risk: successful theft of the template enables ongoing biometric fraud against the same individuals indefinitely. Cryptographic countermeasures — storing templates in cancelable biometric form (transformed representations that can be revoked and re-enrolled) or using fuzzy commitment schemes that bind the template to a cryptographic key — address this in theory, but deployment of these protections is not universal.
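The fuzzy commitment idea mentioned above is small enough to show end to end. The following is an added Python example, not Suprema's or any vendor's code: the "template" is a constructed bit vector, a 7-fold repetition code stands in for the stronger error-correcting code a real scheme would use, and SHA-256 is the key digest. The database stores only the commitment (codeword XOR template) and a hash of the key, so a stolen record reveals neither the key nor the template, and revoking a record means enrolling the same template again under a fresh key.

```python
"""Fuzzy commitment binding a key to a noisy biometric template (added illustration)."""
import hashlib
import random
from typing import List, Tuple

KEY_BITS = 32                 # length of the secret key bound to the template
REP = 7                       # repetition factor; majority decoding fixes <= 3 flips per block
TEMPLATE_BITS = KEY_BITS * REP

Bits = List[int]
Record = Tuple[Bits, str]     # (commitment, hex digest of key) -- all that is stored


def repetition_encode(key: Bits) -> Bits:
    """Each key bit becomes REP copies, giving a codeword as long as the template."""
    return [b for b in key for _ in range(REP)]


def repetition_decode(code: Bits) -> Bits:
    """Majority vote per block of REP bits; wrong only if more than REP//2 bits flipped."""
    return [int(sum(code[i:i + REP]) > REP // 2) for i in range(0, len(code), REP)]


def xor(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def random_bits(n: int, seed: int) -> Bits:
    """Constructed stand-in for a feature vector; seeded so runs are repeatable."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def key_digest(key: Bits) -> str:
    return hashlib.sha256(bytes(key)).hexdigest()


def enroll(template: Bits, key: Bits) -> Record:
    """Commit: store codeword XOR template plus hash(key). The template is discarded."""
    return xor(repetition_encode(key), template), key_digest(key)


def recover_key(record: Record, sample: Bits) -> Bits:
    """XOR the fresh sample in; residual noise is template XOR sample, which the code absorbs."""
    commitment, _ = record
    return repetition_decode(xor(commitment, sample))


def verify(record: Record, sample: Bits) -> bool:
    """Accept only if the recovered key hashes to the stored digest."""
    return key_digest(recover_key(record, sample)) == record[1]


def flip(bits: Bits, positions) -> Bits:
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed data: one enrolled user, one secret key, one stored record.
ENROLL_TEMPLATE = random_bits(TEMPLATE_BITS, seed=1)
SECRET_KEY = random_bits(KEY_BITS, seed=2)
RECORD = enroll(ENROLL_TEMPLATE, SECRET_KEY)

# Same person, a handful of noisy bits, never more than 3 inside one 7-bit block.
NOISY_SAMPLE = flip(ENROLL_TEMPLATE, [0, 1, 2, 7, 15, 30, 45, 100, 150, 200, 221, 222, 223])
# Beyond the code's capacity: 4 flips in every block, so every decoded bit is wrong.
TOO_NOISY = flip(ENROLL_TEMPLATE, [i for i in range(TEMPLATE_BITS) if i % REP < 4])
# A different person's template (constructed), uncorrelated with the enrolled one.
IMPOSTOR = random_bits(TEMPLATE_BITS, seed=3)

if __name__ == "__main__":
    print("exact sample :", verify(RECORD, ENROLL_TEMPLATE))
    print("noisy sample :", verify(RECORD, NOISY_SAMPLE))
    print("too noisy    :", verify(RECORD, TOO_NOISY))
    print("impostor     :", verify(RECORD, IMPOSTOR))
    # Revocation after a breach: re-enrol the same template under a new key.
    NEW_RECORD = enroll(ENROLL_TEMPLATE, random_bits(KEY_BITS, seed=4))
    print("old record still matches? ", verify(RECORD, NOISY_SAMPLE), "-> delete it")
    print("new record matches?       ", verify(NEW_RECORD, NOISY_SAMPLE))
```

Two properties are worth checking in a real deployment. First, the tolerance is set entirely by the code: here a block with four flipped bits decodes to the wrong key bit, so the matcher's expected intra-user noise has to be measured and the code chosen to cover it, or genuine users will be rejected. Second, the scheme hides the template only against a party holding a single record; the commitment is linear in the template, so the same template must not be committed under several keys that are all left in a database, and the old record has to be deleted, not merely superseded, when a key is rotated.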
Algorithmic Bias and Unequal Performance
Facial recognition systems have demonstrated significant performance disparities across demographic groups. A 2019 NIST study (FRVT) found that many commercial facial recognition algorithms showed error rates 10–100 times higher for Black and East Asian faces compared to white faces, and higher error rates for women than men. These disparities trace to unrepresentative training datasets — systems trained predominantly on images of white men perform worst on underrepresented groups.
The consequences of algorithmic bias in deployed systems are documented and severe. Robert Williams, Nijeer Parks, and Michael Oliver — all Black men in the United States — were wrongly arrested between 2020 and 2021 based on incorrect facial recognition matches. The ACLU has documented at least six cases where facial recognition errors contributed to wrongful detentions. These cases have accelerated legislative restrictions on law enforcement use of facial recognition in cities including San Francisco, Boston, and Portland.
- NIST's Face Recognition Technology Evaluation (FRTE) provides independent vendor-neutral testing of facial recognition algorithm accuracy across demographics — a critical resource for procurement decisions.
- The ISO/IEC 30107 standard defines testing requirements for presentation attack detection, enabling independent evaluation of liveness detection capability.
- Multimodal biometrics — requiring two or more biometric factors — significantly reduce both false acceptance rates and single-point-of-failure vulnerabilities.