What “biometric auth” actually means in 2026

The phrase “biometric authentication” is doing a lot of work. For most SMBs in 2026, it covers four very different technologies: passkeys (which are not really biometric but get talked about that way), faceprint, fingerprint, and behavioural biometrics. They are not interchangeable. They have different security properties, different failure modes, and very different legal exposure.

The most important distinction is between biometrics that unlock a local device key (passkeys, Touch ID, Windows Hello) and biometrics that send a faceprint or template to a server (some standalone face-auth products, building access systems, retail customer recognition). The first one is a strong security primitive and a low legal risk. The second one is a serious data liability with high legal exposure under GDPR and state-level US laws.

Most SMBs who think they want biometric auth want the first one. Almost nobody actually needs the second one, and many of the ones who have it deployed got there by accident.

TL;DR

“Biometric auth” in 2026 is mostly passkeys plus a faceprint sensor that unlocks a local device key. That is a strong security primitive. Server-side faceprint is a different beast, with serious GDPR Article 9 and BIPA exposure. The recommended SMB stack is passkeys as primary, hardware MFA as backup, faceprint as a convenience layer on vetted devices only. Faceprint leaks are not patchable. You can rotate a password. You cannot rotate a face.

Faceprint: how it works, where it is deployed

Faceprint authentication captures a face image, extracts geometric features (the relative positions of eyes, nose, jaw, and a few hundred other landmarks), and compares the resulting template against a stored reference. The match-or-no-match decision happens against either a local template (in the case of Apple Face ID, Windows Hello) or a server-side template (in the case of standalone face-auth products and most building access systems).

The local-template version is well-understood. Apple Face ID uses a structured-light infrared sensor and a Secure Enclave that stores the template in tamper-resistant hardware. Windows Hello on a properly-certified device uses similar primitives. The template never leaves the device. The auth signal that does leave is the same kind of cryptographic challenge-response that a passkey would produce. This is the version we recommend for almost all SMB use cases.

The server-side version is where things get harder. A faceprint template stored on a server is a piece of personal data that has all the properties of a password except the part where you can change it. Treat it accordingly.

  • ~96%: accuracy of well-tuned modern faceprint systems in good lighting (NIST FRVT 2024 leaderboard).
  • ~5×: higher false-match rate on cheap consumer sensors compared to certified enterprise hardware.
  • $20m+: 2022 Clearview AI settlement under Illinois BIPA. Faceprint leaks scale fines per record fast.

Where face-auth fails

The marketing on face authentication has been kinder to it than the data supports. The real failure modes are worth naming.

  1. Cheap sensors still fall for printed photos and screens

    A 2D camera with no depth sensing can be defeated by a high-resolution print of the target face or a high-resolution screen displaying their image. The NIST FRVT public scorecards show which sensors fail this test and which do not. The good ones cost meaningfully more than the bad ones.

  2. Siblings, twins, and similar-looking individuals match more often than reported

    The marketing rate of “one in a million false matches” is the false-match rate against the general population. The rate against a sibling or close family member is materially higher. If your threat model includes insider attacks or close-relationship adversaries, this matters.

  3. Deepfake video is a real attack vector in 2026

    Liveness detection (the “blink, turn your head” step) is being beaten by deepfake video generation on the weaker products on the market. The certified-good products still hold up. The cheap ones do not.

  4. Bias on demographic subgroups remains measurable

    The NIST 2019 demographic bias study documented higher false-match rates for some demographic groups on many algorithms. Newer systems have improved but the gap has not closed. Deploying face-auth as the sole factor on a customer-facing application has product fairness risk, not just security risk.

The legal exposure is where most SMBs trip. The technology team chose face-auth for security reasons; the legal team finds out about it six months later, when the auditor asks the question that nobody had answered.

GDPR Article 9 classifies biometric data used for unique identification as a special category of personal data. Processing is prohibited unless one of nine specific bases applies, almost all of which require explicit consent and a documented impact assessment. The fines for getting this wrong are 4% of global annual revenue or €20m, whichever is higher.

BIPA (Illinois Biometric Information Privacy Act) is the most consequential US state law in this space. It requires written consent before capturing biometric data, a published retention and destruction policy, and a private right of action for individuals to sue. Statutory damages run $1,000 per negligent violation and $5,000 per intentional violation, per individual. Class actions have produced settlements in the $20m to $650m range. Texas CUBI and Washington equivalents are less aggressive but still serious. The legal frame we use here is similar to the threat-modelling discipline we wrote about in cybersecurity product development for AI platforms.

Common SMB mistake

“We are not in Illinois, so BIPA does not apply.” BIPA applies based on where the affected individual is, not where the company is. If your customers or employees include anyone in Illinois, BIPA applies. Same logic for GDPR and EU residents. Check before you deploy, not after.

The recommended SMB stack

For most small companies in 2026, the right authentication stack does not involve standalone faceprint at all. It looks like this.

The Levievs recommended SMB auth stack

Primary controls, in order

  • Passkeys as the primary authenticator for every service that supports them. The FIDO Alliance resources cover deployment. Passkeys are phishing-resistant, unlock locally with whatever biometric the device supports, and produce a strong cryptographic auth signal without any biometric data leaving the device.
  • Hardware MFA as the backup for high-risk accounts (admin, payments, code). YubiKey, Google Titan, or equivalent. The backup matters more than the primary on the day the primary fails.
  • Phishing-resistant policy enforcement through your identity provider. Conditional access based on device posture, not just username and password.
  • Faceprint only as a device-local convenience on certified hardware (Apple Face ID, Windows Hello on properly-certified devices). Server-side faceprint is almost never the right answer for SMB scale.
  • Behavioural biometrics as a fraud-detection signal for customer-facing applications, not as an auth factor. Treat the score as input to a risk decision, not as a yes/no on access.

This is also what we deploy on our own infrastructure. The NIST 800-63B digital identity guidelines back up most of these choices, and the SMB checklist we wrote earlier (SMB cybersecurity checklist for 2026) covers the operational side in more detail.

Real incident: a $20m faceprint settlement

In 2022, Clearview AI settled an ACLU-led class action under BIPA for over $20 million plus permanent operational restrictions. The case is worth reading because the failures it documented are the failures we still see in SMB face-auth deployments: faceprint data captured without consent, retained without a clear destruction schedule, used for purposes not disclosed to the affected individuals, and sold or shared without the legal basis required by state law.

The lesson is not “do not use faceprint.” It is “if you use server-side faceprint, the legal and operational requirements are real, the fines scale per affected individual, and the technology has to be deployed inside a written process that survives an audit.” Most SMBs do not need to be in that business. The smaller subset who do need to budget for the legal infrastructure as a first-class cost, not an afterthought.

You can rotate a password. You cannot rotate a face. The recovery story matters as much as the auth story.

Vadim Leviev · Levievs

Auth choices on customer-facing applications also intersect with content and identity decisions on the AI-platform side. We covered the overlap in our note on human-centred moderation at scale, and the broader cyber-product practice runs through cybersecurity product development and AI product consulting.

Frequently asked questions

Is Face ID a security risk for our company laptops?

Apple Face ID on a properly-managed corporate laptop is a strong security primitive. The faceprint template stays in the Secure Enclave on the device, never leaves, and is used to unlock a local key that signs the auth challenge. Combined with a passkey or properly-enforced MFA, this is a stronger setup than passwords plus most TOTP apps. The risk to manage is device theft, which is what MDM and remote wipe address.

What about Touch ID and fingerprint?

Same architectural model as Face ID. The fingerprint template stays on the device in tamper-resistant hardware and never leaves. It unlocks a local key that signs the auth challenge. The technology is mature, the deployment is well-understood, and the legal exposure is minimal because no biometric data is transmitted to a server.

Do we need to do a privacy impact assessment for passkeys?

Most teams do not, because passkeys do not transmit biometric data. The cryptographic key on the device is what is verified; the biometric is just a local unlock signal. Verify with your privacy lawyer for your specific jurisdiction, but the standard reading under GDPR and BIPA is that passkeys do not trigger the biometric data rules because no biometric data is processed on the server side.

What about building access systems with face-auth?

These almost always store templates server-side and therefore do trigger the biometric data rules. If you deploy one, you need written employee consent (or alternative non-biometric entry methods), a documented retention and destruction schedule, vendor due diligence on where templates are stored and for how long, and a real incident response plan if templates leak. Many SMBs find that a badge-and-PIN system is materially cheaper after the legal infrastructure is priced in.

What if our customers use faceprint and we just integrate their API?

Read the vendor contract carefully. You become a controller or processor of biometric data through the integration, and the responsibilities transfer with the data. Make sure the vendor has a written disclosure policy, a BIPA-compliant consent flow, and a clear answer to “where is the template stored, for how long, and what happens if you go out of business.”