Debunking Myths Part 4: Why Device Biometrics Isn’t the Ultimate Security Solution

Biometric technology has transformed the way we authenticate identity, delivering both convenience and enhanced security. However, like any transformative technology, it has faced scrutiny and generates concern —particularly around the issue of bias, legality, privacy, covert usage and the risks associated with AI. While the concerns are valid, they are often misunderstood or even exaggerated.?

This blog is part of a five-part series dedicated to unpacking and debunking common myths surrounding biometrics, offering clarity on where the challenges lie and how the industry has been addressing them.

This is the fourth installment, focusing on device biometrics.

See the other posts in this series:

Bias

Legal Frameworks

Template Security

Universality

Myth #1: Device Biometrics Confer Identity

One of the biggest misconceptions about device-based biometrics, like FaceID or fingerprint authentication, is that they confirm the identity of the person using the device. In reality, these systems only verify that the biometric matches the template stored on the device—they don’t guarantee who is holding it. This creates vulnerabilities, especially for enterprises and institutions managing sensitive data.

Take banking as an example: account origination (where a person’s identity is initially verified) is often a separate process from subsequent digital banking logins. Once an account is created, attackers can exploit this disconnect through social engineering—convincing users or support staff to grant them access—and then log in from any device. The biometric used to unlock the device no longer matters because the attacker bypasses it entirely.

Additionally, shared devices compound the problem. In families, multiple members often share a single device like a tablet or computer, and in workplaces, shared terminals are common. When device-based biometrics are the primary method of authentication, they provide no way to distinguish legitimate users on shared systems. This can result in unauthorized access by someone who is allowed to use the device but not specific accounts or resources.

Myth #2: Biometric Data Is Safe on the Device

A common argument for device-based biometrics like FaceID or fingerprint authentication is that the biometric templates are stored locally in a “secure enclave,” supposedly protecting them from theft or tampering. While this approach avoids the risks of centralized data breaches, it doesn’t mean the data is invulnerable. In reality, there is evidence that on-device biometrics can be tampered with or compromised in several ways and the more that biometrics will be used as a method for passwordless authentication, the more likely it is that attackers will pounce. Here are a few examples of known exploits:

• In 2017, a team of five scientists from the Graz University of Technology showed how it is possible to leak data from SGX enclaves, a secure environment created by Intel CPUs for storing sensitive information for each process, such as encryption keys, passwords, etc. The group created malware that would be stored in the enclaves and essentially attack its host. And because it is running in the secure enclave, the malware would be invisible to any anti-virus or malware detection system. Since the exposure, various countermeasures were made available, but this will not deter attackers from continuing this method
• In 2020, a security researcher in China revealed an issue with Apple's Secure Enclave Processor whereby taking control of the shared memory processor function, an attacker could acquire data that would normally be kept within the Secure Enclave. It turns out that this exploit requires physical possession of the device so the risk is not widespread, but in 2017, the decryption key for the Secure Enclave in the iPhone 5s was revealed showing that these risks are once again, persistent.
• A notable example of potential problems with Android was exposed in early 2024 when Google issued a patch addressing 46 vulnerabilities, including in the Trusted Execution Environment (TEE), where biometric authentication data is processed. One vulnerability in particular, allowed attackers to execute remote code in the system's context without requiring additional privileges. This vulnerability would have potentially enabled malicious actors to manipulate biometric processes, access stored data, or compromise the security of biometric authentication on affected devices.

Myth #3: Device Biometrics Provide MFA

Another common misconception is that device-based biometrics enhance security by serving as part of a multi-factor authentication (MFA) process. However, biometrics on a device in reality represent a single factor, replacing rather than complementing other methods of authentication. True MFA requires at least two independent factors: something you know (e.g., a password), something you have (e.g., a device or token), and something you are (e.g., a biometric). When device biometrics are used for authentication, they act as a substitute for a PIN or password, not an additional layer of security. This substitution creates an illusion of enhanced security while retaining the same vulnerabilities as single-factor authentication.

The Takeaway: Convenience Over True Security

Digging into on-device biometric frameworks and use cases show that their primary purpose is convenience rather than robust security. While storing data locally avoids some risks, it does not eliminate vulnerabilities. Attackers continually innovate, and as they develop more sophisticated methods, reliance on on-device biometrics as a standalone security measure becomes increasingly risky.

To truly protect biometric data and ensure enterprise security, we must move beyond device-based solutions. Privacy-enhancing technologies that fragment and encrypt biometric data—ensuring it cannot be reconstructed or tampered with—offer a more secure path forward. Only by addressing these limitations can we shift from prioritizing convenience to delivering genuine security.

To learn more about Anonybit’s privacy-enhancing solution, click here.