This article explains why passkeys and biometrics are reshaping authentication, where biometric security actually works, and why privacy-first design will decide who earns trust.
What this article covers
People keep saying passwords are dying and biometrics are taking over. That is only half right. The real shift is toward phishing-resistant, device-bound authentication — especially passkeys — while biometrics are increasingly used as the local unlock layer for those credentials, not as the credential itself. Apple, Google, and NIST all point in that direction: the cryptographic key does the real authentication, while a fingerprint, face scan, or PIN helps prove the right person is holding the right device.
Passwords are weakening. Passkeys are getting real.
Legacy passwords are still everywhere, and they are still a major attack path. Verizon says compromised credentials were an initial access vector in 22% of breaches reviewed in the 2025 DBIR. At the same time, passkeys are no longer a niche experiment: FIDO reported in 2025 that 74% of consumers are aware of passkeys and 69% have enabled them on at least one account, while Microsoft said more than 15 billion user accounts can now sign in with passkeys instead of passwords.
Google’s developer guidance is blunt about why this matters. Passkeys protect against phishing because they work only on their registered websites and apps, and developers store only a public key on the server instead of a reusable secret. Apple describes the same model: the server never learns the private key, and no shared secret is transmitted during sign-in. That is a major architectural break from the password era.
Biometrics are becoming the unlock, not the secret
This is the point many articles get wrong. The future of authentication is not “your face replaces your password” in a simple one-for-one swap. The better model is this: a biometric unlocks a device or a passkey, and the device proves possession of a cryptographic credential. Google explicitly says biometric material never leaves the user’s personal device in the passkey flow, and Apple says Touch ID or Face ID can authorize use of the passkey while the private key stays unknown to the server.
NIST’s guidance is even more direct. In the current SP 800-63-4 framework, a biometric characteristic does not constitute a secret and cannot be used as a single-factor authenticator. In earlier and still widely cited NIST guidance, biometrics are supported only as part of multi-factor authentication with a physical authenticator, and even unlocking a smartphone with a biometric does not automatically count as a separate authentication factor for a remote verifier. That matters because it kills the lazy myth that “face scan = secure authentication” on its own.
Biometric security is not one thing
The phrase biometric security hides two very different systems:
- Verification / authentication: “Are you the person you claim to be?”
- Identification: “Who are you in this crowd?”
That distinction is not academic. The European Commission’s guidance on the AI Act says biometric authentication and verification, such as unlocking a smartphone or checking a traveler against their own document in a one-to-one match, remain outside the biometric-specific restrictions because they do not pose the same fundamental-rights risk. By contrast, real-time remote biometric identification in public spaces for law enforcement is prohibited, subject only to narrow exceptions and prior authorization.
So the future of authentication is not the same thing as the future of biometric surveillance. Lumping them together makes the debate weaker and less accurate. One can improve account security. The other can reshape civil liberties.
Liveness detection matters, but it is not magic
As biometric systems spread, attackers adapt. That is why presentation attack detection — often called liveness detection — has moved from nice-to-have to baseline control in serious deployments. NIST says PAD can mitigate presentation attacks and says systems should demonstrate at least 90% resistance to relevant presentation attacks under ISO/IEC 30107-3 testing, while also noting that local biometric comparison is preferred over central comparison.
But liveness is not a magic wand. ENISA’s 2024 guidance says liveness controls can normally detect and block many photo- and model-based attempts, yet some attacks can still be harder to catch and may require human intervention. FIDO’s identity verification program now tests for accuracy, liveness including deepfake detection, and bias in remote face verification systems, which is a sign of where the market knows the real weaknesses are.
That is the real story: stronger biometrics are not just about better sensors. They are about anti-spoofing, anti-injection controls, bias testing, and fallback design. Without those layers, “AI-powered biometric security” is just marketing.
Privacy is now the main design test
Biometric convenience is obvious. The privacy problem is deeper. In the EU, biometric data processed solely to identify a person is treated as sensitive personal data and is subject to specific processing conditions. In the UK, the ICO’s biometric guidance says organizations must determine a lawful basis and a special category condition, and must assess risks including breaches, false accepts and rejects, discrimination, and systematic monitoring of public spaces.
Illinois goes even further on operational discipline. Its Biometric Information Privacy Act requires a public retention schedule, written notice, written release, and protection of biometric data at least as carefully as other sensitive information. It also gives aggrieved people a right of action. That is a sign of where the legal environment is headed: collect less, explain more, retain less, and be ready to defend every step.
The practical privacy lesson is simple. A badly designed biometric system is not risky because it is “advanced.” It is risky because biometric traits are personal, durable, and difficult to change once mishandled. That is exactly why NIST keeps repeating that biometrics are not secrets.
Centralized biometrics are the dangerous version
Not all biometric architectures carry the same risk. NIST says local biometric comparison is preferred because attacks at central verifiers can scale more easily. Google’s passkey documentation says biometric material never leaves the user’s personal device, which shows what the privacy-preserving model looks like in practice: local matching, device-held keys, and minimal server-side value for attackers.
That is the fork in the road for the future of authentication. One path keeps biometrics close to the device, uses them to activate strong cryptographic credentials, and limits what organizations ever collect. The other path builds large biometric stores, normalizes broader sharing, and turns every breach, misuse, or policy shift into a bigger problem than a password leak ever was.
What trustworthy biometric authentication should look like
The direction from standards bodies, platform vendors, and privacy regulators is clearer than the hype suggests:
- Use passkeys and other phishing-resistant credentials first. Let biometrics unlock the credential locally instead of acting like a shared secret.
- Keep biometric matching on the device whenever possible. Central comparison increases scale risk.
- Require strong PAD / liveness and independent testing. Deepfake resistance and spoof resistance need evidence, not claims.
- Treat bias and false matches as security issues, not PR issues. Regulators already do.
- Minimize retention and document the rules. If you store biometrics, explain why, for how long, and under what legal basis.
- Preserve fallback options. Not every user can or should authenticate biometrically every time. A resilient system needs alternatives.
The bottom line
The future of authentication is not a world where your face becomes your password. It is a world where cryptographic credentials, device security, biometrics, and privacy law collide. The strongest systems will use biometrics as a fast, local proof of user presence while keeping the real secrets in hardware-backed keys and keeping unnecessary biometric data off central servers.
That is the real split ahead. Done right, biometric authentication can reduce phishing, cut friction, and improve security at scale. Done badly, it can hardwire surveillance, bias, and permanent privacy risk into everyday life. The future is not just biometric. It is biometric, cryptographic, and political — and privacy will decide whether people trust it.