Fingerprints, face or eye scans, and even the way you walk can be used to identify you nowadays. These unique traits are called biometrics, and are used for everything from unlocking your phone to passing through airports.
But while they make things like authentication more secure and convenient, or speed up identity checks in daily life, storing biometric data comes with its own set of risks.
Below, we’ll cover the basics of how biometrics work, their uses across various industries, and how they’re collected and stored. We’ll also explain how they can be hacked or leaked, and what you can do to keep your data secure.
What are biometrics and what are they used for?
Biometrics are unique physical or behavioral traits that identify individuals, such as fingerprints, facial structure, iris patterns, voice, or even walking style.
Organizations use biometrics for security, access control, and convenience. Phones, laptops, workplaces, airports, and border control rely on them to unlock devices, log attendance, authenticate users, or confirm identities, reducing the need for passwords while adding a layer of protection against unauthorized access.
How is biometric data collected?
Governments, workplaces, social media, tech companies, healthcare organizations—everyone wants a piece of the proverbial pie when it comes to biometrics. Here’s how and when they collect it:
- During initial device setup: Phones, tablets, and computers may prompt users to register fingerprints or facial features for fast, secure access.
- While using apps and devices with built-in biometric features: Voice assistants like Alexa and Siri listen to your conversations, and social media apps like TikTok gather “faceprints and voiceprints” for hypertargeted ads and demographic tracking.
- When using DNA testing kits: Services like Ancestry and 23andMe collect and analyze your genetic material to provide ancestry and health insights, among others.
- For biometric access at work: Fingerprint, retinal, or face scans are commonly used to enter offices, labs, and other restricted areas.
- Through immigration control: Authorities often scan passports, take photos, and record fingerprints to confirm travelers’ identities and maintain border security.
How are biometrics stored?
Biometrics can be stored locally on your device, on specialized company servers, or a mix of both. Each storage method has its own advantages:
- Local storage: Pretty straightforward. The data stays on your device, like when you set up a fingerprint or face unlock on your phone. Since it never leaves your device, there’s no risk of it being intercepted.
- Centralized servers: In this case, the data is kept on secure servers, sometimes in the cloud. This makes it easier to use the same biometric across multiple services or devices, but it also means trusting the company to protect it.
- Hybrid storage: Instead of storing everything in one place, the data is divided between your device and external servers. The idea is to make it harder for a single breach to put all your information at risk, while still keeping access fast and convenient.
Types of biometrics
Biometrics go beyond just fingerprints, face/eye scans, or voice recognition. They can track how you act, move, or even interact with devices. As such, they can be grouped as either physical or behavioral biometrics.
Physical biometrics
- Fingerprints, palm prints, as well as the size and shape of the fingers
- Retinal and iris scans, along with the scleral vein arrangement
- Facial structure (including ear shape)
- Heartbeat patterns
- DNA (genetic material, usually collected from hair or saliva)
Behavioral biometrics
- Voice and speaking style
- Handwriting
- Typing patterns
- Walking or running style (gait)
How does biometric authentication work?
Authentication systems first record and convert biometrics into a machine-readable format. This data is then secured using strong encryption, making it basically unreadable to outsiders without the correct decryption key.
One example of this process is when you first set up fingerprint unlock on your smartphone. The sensor scans your finger, maps your fingerprint into a digital pattern, and encrypts it. When you try to unlock the phone, the authenticator performs another scan and grants access if it recognizes your fingerprint.
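The fingerprint example above glosses over one detail that matters for security: two scans of the same finger are never byte-for-byte identical, so a biometric template cannot simply be hashed and compared for equality the way a password is. Instead the authenticator compares a fresh scan against the stored template and accepts it if the similarity clears a threshold. The Python below is an added illustration, not code from the article or from any phone vendor; the "scans" are constructed feature vectors, the feature extraction and the cosine-similarity scoring are stand-ins for proprietary matching, and the 0.95 threshold is an assumed tuning value.

```python
import hashlib
import math

# Assumed threshold: raising it lowers false accepts, raising false rejects.
MATCH_THRESHOLD = 0.95

# Constructed sample data (not real sensor output). Same finger, two captures
# with sensor noise, plus a scan of a different finger.
ENROLL_SCAN = [0.8, 0.2, 0.6, 0.4, 0.9, 0.1]
RESCAN_SAME_FINGER = [0.78, 0.23, 0.58, 0.42, 0.91, 0.12]
OTHER_FINGER = [0.1, 0.9, 0.2, 0.8, 0.3, 0.7]


def extract_features(raw_scan):
    """Stand-in for the sensor's feature extraction: scale values to [0, 1]."""
    peak = max(raw_scan) or 1.0
    return [v / peak for v in raw_scan]


def similarity(a, b):
    """Cosine similarity of two feature vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def enroll(raw_scan):
    """Build the stored template from the enrollment scan.

    On a real device this template is encrypted and kept in a secure enclave;
    here it is a plain dict so the matching logic stays visible."""
    return {"template": extract_features(raw_scan)}


def verify(stored, raw_scan, threshold=MATCH_THRESHOLD):
    """Compare a fresh scan with the stored template; return (accepted, score)."""
    score = similarity(stored["template"], extract_features(raw_scan))
    return score >= threshold, round(score, 3)


def template_hash(raw_scan):
    """What a password-style check would do: hash the features exactly."""
    features = extract_features(raw_scan)
    return hashlib.sha256(repr(features).encode()).hexdigest()


def hashing_would_work(scan_a, scan_b):
    """True only if exact hashing could match two captures of the same finger."""
    return template_hash(scan_a) == template_hash(scan_b)


if __name__ == "__main__":
    stored = enroll(ENROLL_SCAN)
    print("same finger:", verify(stored, RESCAN_SAME_FINGER))
    print("other finger:", verify(stored, OTHER_FINGER))
    print("exact hash match on re-scan:", hashing_would_work(ENROLL_SCAN, RESCAN_SAME_FINGER))
```

The threshold is the real security knob: a genuine re-scan scores close to 1.0 while a different finger scores around 0.5, and the gap between those is where the false-accept and false-reject rates are traded off. The last line of output shows why exact hashing is not an option for biometrics and why the template itself, rather than a hash of it, has to be protected.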
What are the benefits of biometrics?
Biometric technology offers several advantages, such as:
- Safer than passwords: Biometrics can’t be “guessed” like passwords. The unique nature of biometric data keeps your devices and logins more secure.
- Streamlined experience: Keeping track of long, unique passwords for each of your accounts can be a pain (unless you use a reliable password manager). A fingerprint or face scan lets you skip that step.
- High flexibility: Biometric data plays a role in both daily services and high-security fields. For instance, banks and tech companies use it for secure account and device access, hospitals for patient identification, and airports for border control.
Are biometrics safe? What are the risks?
While they may be more secure, convenient, and versatile than passwords, biometrics aren’t completely safe. Here are some risks you can expect.
Can biometrics be hacked?
Despite being unique to every individual and often seen as unbreakable, biometrics are not immune to attacks. Modern tools and techniques can exploit weaknesses in how this data is captured, stored, or transmitted. Some of the ways biometrics can be hacked include:
- Skimming: Attackers place small devices called skimmers on fingerprint scanners or ATMs to capture users’ biometric data, then use it to create fake fingerprints and access accounts or devices.
- Spoofing: Hackers may use fingerprint or iris molds and photos which mimic the real trait closely enough to trick weak security systems.
- Replay attacks: A type of man-in-the-middle attack. Cybercriminals can record fingerprint scans or voice samples and feed that data back into the system, gaining access as if the original user were present.
- AI-driven biometric hacking: In 2018, researchers used AI to create “DeepMasterPrints”, by generating and refining thousands of synthetic fingerprints. These fakes were realistic enough to fool scanners and unlock multiple devices without the real user’s print.
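The replay attack described above succeeds when the verifier accepts a recorded scan as if it were a fresh capture. The standard defense is a challenge-response exchange: the verifier issues a single-use nonce, and the sensor returns the sample together with a MAC computed over the nonce and the sample using a key only the trusted sensor holds. A recording is then useless, because its nonce has already been consumed and its MAC does not cover any new challenge. The Python below is an added example, not code from the article or from any device vendor; the shared key, the sample bytes, and the in-memory verifier are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed shared key. In a real device it is provisioned into the sensor
# and the secure element at manufacture; it is assumed here for the demo.
SENSOR_KEY = b"constructed-demo-key-not-for-real-use"


class Verifier:
    """Tracks outstanding challenges and checks sensor responses."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self):
        """Issue a fresh, single-use nonce for the next capture."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, message):
        """Return (accepted, reason) for a (nonce, sample, tag) response."""
        nonce, sample, tag = message
        if nonce not in self.outstanding:
            return False, "stale or unknown nonce (possible replay)"
        self.outstanding.discard(nonce)  # each challenge is answered once
        expected = hmac.new(self.key, nonce + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "MAC mismatch (sample not bound to this challenge)"
        return True, "accepted"


def sensor_capture(key, nonce, sample):
    """What the trusted sensor sends: the sample bound to the nonce by a MAC."""
    tag = hmac.new(key, nonce + sample, hashlib.sha256).digest()
    return (nonce, sample, tag)


def run_exchange():
    """Legitimate capture, then two replay attempts; returns the three verdicts."""
    verifier = Verifier(SENSOR_KEY)
    sample = b"constructed-fingerprint-template-bytes"

    # 1. Genuine exchange: fresh nonce, sensor answers it.
    nonce = verifier.challenge()
    response = sensor_capture(SENSOR_KEY, nonce, sample)
    accepted_live, _ = verifier.check(response)

    # 2. The same response presented again: nonce already consumed.
    accepted_replay, _ = verifier.check(response)

    # 3. Old sample and tag presented against a new challenge: MAC no longer
    #    matches because it was computed over the old nonce.
    new_nonce = verifier.challenge()
    accepted_rebound, _ = verifier.check((new_nonce, sample, response[2]))

    return accepted_live, accepted_replay, accepted_rebound


if __name__ == "__main__":
    print(run_exchange())  # expected: (True, False, False)
```

The two properties doing the work are freshness (each nonce is accepted once) and binding (the MAC ties the sample to that nonce). Drop either one and a recorded scan becomes replayable again; real sensors add liveness detection on top of this so that a mold or photo presented to a live sensor is also rejected.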
Privacy risks of biometrics
Much like emails, passwords, and other sensitive info, biometrics can be:
- Exposed in a data breach
- Stolen through social engineering tactics
- Sold to shady data brokers
- Leaked by rogue employees or shared with third parties without strong protections
Couple that with the deeply personal nature of biometric data, and it’s understandable that people are wary of how companies and governments collect, store, and use it.
One look at the public reaction to the UK Online Safety Act—and similar legislation in the EU, the US, and elsewhere—should tell you all you need to know. NordVPN purchases spiked 1,000% after the law passed, while Proton VPN reported a 1,800% increase in downloads thanks to its free plan.
People simply aren’t comfortable sharing biometrics with every online service, and choose VPNs to bypass the Twitter (X) age restriction or watch porn without age verification in the UK and various states in the US.
How to protect your biometrics
No security measure is bulletproof, but you can take further steps to protect your data. Here’s how you can minimize the privacy risks of biometrics:
- Don’t share biometrics unless necessary: The fewer companies that have your data, the less likely it’ll be leaked as part of a data breach or otherwise misused.
- Enable multi-factor authentication (MFA): While biometrics can be safer than passwords, an extra layer of security never hurts. Use an authenticator app for all your logins to keep hackers at bay even if they skim your fingerprints.
- Encrypt biometric data with a VPN: VPNs use complex algorithms to encrypt any data you send over the internet, including biometrics. This is especially useful at your local coffee shop or other free hotspots, as public Wi-Fi is rife with hacking activity.
Best practices for securing biometrics as a business
Protecting biometric data is critical for any business that collects or uses it. Unlike passwords, fingerprints or facial scans can’t be reset if stolen, so companies need to treat them with extra care. Read on for some practical ways to keep this info safe:
- Assign roles: Have capable managers in charge of biometric security.
- Set rules: Establish policies for storing and handling biometric data.
- Train staff: Educate employees on proper ways to manage and protect biometric records.
- Control access: Limit who can reach the data and define how it can be used.
- Inspect regularly: Perform regular risk assessments to test for security gaps.
- Hire experts: Bring in cybersecurity specialists for audits and system reviews.
What are biometrics? FAQs
What is an example of biometrics?
An example of biometrics is fingerprint recognition, where unique patterns in your fingertip verify your identity. Other common types include face scans, iris recognition, and voice authentication. These methods use personal traits to confirm who you are.
What are biometrics on my phone?
Biometrics on your phone are security features like fingerprint unlock, facial recognition, or sometimes iris scanning. They replace the need for passwords or PINs, making it quicker to unlock your device and safer by tying access to your unique physical traits.
What are biometrics for immigration?
Biometrics for immigration include fingerprints, facial images, and sometimes iris scans collected by agencies like the USCIS. These identifiers confirm identity, check criminal history, and prevent identity fraud, which makes the immigration process more secure and traceable.
How do I turn off biometrics on my phone?
To turn off biometrics on your phone, go to the security or settings menu and disable features like fingerprint unlock or facial recognition. The exact steps vary by brand, but once disabled, you’ll use a PIN, password, or pattern for authentication.