Face ID and fingerprint scanning are increasingly replacing passwords — but are they actually more secure? Understanding the strengths and weaknesses of biometric authentication is essential for Hong Kong users in 2026.
Biometric authentication uses unique physical or behavioural characteristics to verify identity. The most widely deployed consumer biometrics are fingerprint scanning (used on virtually all modern smartphones, many laptops, and some payment terminals) and facial recognition (Apple Face ID, Windows Hello, Android face unlock). Less common but increasingly available are iris/retina scanning, voice recognition, and gait recognition.
Critically, the biometric systems built into consumer devices (Face ID, Touch ID, Windows Hello, Android fingerprint and face unlock) do not store your fingerprint or face image. Instead, they derive a mathematical representation (a template) of the biometric and keep it in a protected area of the device, such as Apple's Secure Enclave or the trusted execution environment or secure element on an Android phone, which is isolated from the main operating system. When you authenticate, the sensor captures a fresh sample, the secure hardware compares it with the stored template, and only a match/no-match result (or a key released on a match) is handed back to the operating system. The template itself never leaves the device and is never sent to Apple, Google, Microsoft or any other server.
This local processing model is a key security feature. Passwords can be captured in transit if they are transmitted insecurely, or recovered from a breached server database (even a hashed one, if the hashing is weak or the password is guessable). A biometric template locked inside secure hardware cannot be stolen remotely in the same way. Apple's Secure Enclave and Google's Titan M2 chip in Pixel phones, together with the hardware-backed keystores on other Android devices, are specifically designed to make template and key extraction practically infeasible even for an attacker who has the device in hand.
Biometrics offer several genuine security and usability advantages over passwords. The most significant is phishing resistance, but it pays to be precise about where it comes from. The fingerprint or face scan itself never leaves the device, so a fake website cannot capture it. What the fake site receives depends on what the biometric unlocks: if Face ID merely autofills a stored password, that password can still be submitted to a look-alike domain, whereas a passkey released by the biometric is cryptographically bound to the site it was registered with and is useless anywhere else. Used that way, biometric authentication defeats the most common account compromise method in use today.
Usability is another area where biometrics dramatically outperform passwords. Unlocking a phone with a fingerprint in under a second versus typing an 8-character password creates very different friction levels — and security measures that are inconvenient are frequently bypassed or disabled. The ease of biometric authentication means users are far less likely to disable it compared to password requirements, resulting in better security compliance in practice even if the theoretical security properties are more nuanced.
Biometrics are also unique per individual and cannot be guessed, shared, or written on a sticky note. A password policy violation where an employee shares their system password with a colleague is a real scenario that organisations deal with regularly. Sharing biometric access requires the other person to be physically present, since you cannot email someone your fingerprint. The one caveat is that anyone who knows the device passcode can usually enrol their own fingerprint or face on that device, so the passcode still gates who can use biometric unlock.
Despite their advantages, biometrics have significant limitations. The most fundamental is that biometric characteristics cannot be changed if compromised. If your password is stolen, you change it in minutes. If your fingerprint is somehow cloned, whether from an extracted template or, more realistically, from a latent print lifted off a surface or a high-resolution photograph, you cannot generate a new fingerprint. This irrevocability means that a biometric compromise, while currently very difficult, has permanent rather than temporary consequences, making the security of the storage system absolutely critical.
Legal and jurisdictional concerns are particularly relevant in Hong Kong. In some legal systems, including parts of the United States, courts have held that individuals can be compelled to unlock a device with a fingerprint press or face presentation, treated as a physical act, but not to disclose a password, treated as testimony; rulings on this point have not been uniform. Hong Kong's legal position differs, but the practical lesson carries over: in some contexts biometric authentication provides less legal protection against compelled device access than a strong alphanumeric password.
False acceptance rates (the probability that a different person's biometric matches your template) are non-zero for all biometric systems, though they are very small for well-implemented ones; Apple, for example, publishes figures of roughly 1 in 50,000 for Touch ID and 1 in 1,000,000 for Face ID with a single enrolled appearance. Face recognition can sometimes be fooled by identical twins or by high-quality photographs, though 3D depth-mapping systems such as Face ID are specifically designed to resist photographs. Under-display fingerprint sensors are generally less accurate than dedicated capacitive sensors and have in some published tests been fooled by fingerprint moulds.
The current best practice is not to choose between biometrics and passwords but to use them together. For device unlock on smartphones, laptops and tablets, enabling biometric unlock (Face ID, fingerprint) provides excellent daily usability while the password or PIN remains the secure fallback for situations where biometrics cannot be used or should not be used. The device PIN or password should be strong enough to provide meaningful protection on its own, since it also unlocks the device after a restart and protects the biometric enrolment itself. Both platforms let you switch biometrics off on the spot until the passcode is next entered: on an iPhone, holding the side button together with a volume button until the power-off screen appears; on Android, the Lockdown option in the power menu.
For app and website authentication, the emerging passkey standard (supported by Apple, Google, and Microsoft) uses the device's biometric as the user verification step that releases a cryptographic key, combining the usability of biometrics with the security of public-key authentication. Passkeys are phishing-resistant, because the browser binds every signature to the origin it actually observed and a credential created for one site is never offered to a look-alike domain; they are not reusable across sites; and the server stores only a public key, so a breach of its database yields nothing an attacker can log in with. Where passkeys are available, use them; they represent the current gold standard in authentication security.
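To make the origin-binding argument concrete, here is a deliberately simplified model of the passkey sign-in exchange, written for this page rather than taken from Apple, Google, Microsoft or any WebAuthn library. It follows the WebAuthn "get" ceremony: the server issues a challenge, the browser records the challenge and the origin it saw in `clientDataJSON`, the authenticator (after the biometric prompt, which is not modelled here) signs over `authData || SHA-256(clientDataJSON)` where `authData` begins with the hash of the site's RP ID, and the server checks challenge, origin, RP ID hash, the user-verification flag and the signature. The RP ID `example.com`, the look-alike origin `https://examp1e.com` and the challenge strings are constructed for the example; real authenticator data carries more fields than shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Simplified WebAuthn/passkey "get" ceremony. The authenticator signs
// SHA-256(authData || SHA-256(clientDataJSON)); clientDataJSON carries the
// server's challenge and the origin the BROWSER observed, authData starts with
// SHA-256(rpID). The biometric prompt only decides whether the key may be used.

// clientData is the browser-built JSON (real WebAuthn adds a few more fields).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the server receives after the user passes the biometric prompt.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4, left at 0 here)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA P-256 / SHA-256
}

// Authenticator holds one credential, bound to a single RP ID when created.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
	Pub  *ecdsa.PublicKey // registered with the server at enrolment
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv, Pub: &priv.PublicKey}, nil
}

// signedMessage is the exact byte string both sides sign and verify.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is the browser+authenticator side; origin is what the browser saw, not what the page claims.
func (a *Authenticator) Sign(challenge, origin string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = 0x05 // flags: user present (0x01) | user verified by biometric/PIN (0x04)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the server side; every check must pass before the signature counts.
func VerifyAssertion(rpID, origin, expectedChallenge string, pub *ecdsa.PublicKey, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != expectedChallenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not %q: look-alike site or relayed prompt", cd.Origin, origin)
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpIDHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential was created for a different site")
	case as.AuthData[32]&0x04 == 0:
		return fmt.Errorf("user verification (biometric/PIN) flag not set")
	case !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("invalid signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	good, _ := auth.Sign("challenge-1", "https://example.com")
	fmt.Println("genuine site:", VerifyAssertion("example.com", "https://example.com", "challenge-1", auth.Pub, good))
	// A look-alike site relays the real challenge, but the browser signs its own origin.
	phished, _ := auth.Sign("challenge-2", "https://examp1e.com")
	fmt.Println("look-alike site:", VerifyAssertion("example.com", "https://example.com", "challenge-2", auth.Pub, phished))
}
```

The phished assertion fails on the origin check even though the private key, the challenge and the biometric were all genuine, which is the property a password can never have. In a real browser the attack would stop one step earlier, because the browser derives the RP ID from the page's own domain and would not even find a credential for `example.com` while on `examp1e.com`; the server-side origin check is the backstop for relay and misconfiguration cases.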
For high-security contexts such as financial transactions, privileged administrative access, or situations involving legally sensitive information, treat the biometric as one factor in a multi-factor scheme rather than as a standalone authentication method. Financial apps in Hong Kong typically already implement this: Face ID or fingerprint confirms that the registered device is present and unlocked by its owner, but high-value transactions may additionally require a time-based one-time password (TOTP) code or a hardware token. This layered approach keeps the usability of biometrics while adding the assurance of an independent second factor.
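Because the paragraph above names a TOTP code as the typical second factor layered on top of the biometric, here is the algorithm such a code comes from, implemented for this page rather than copied from any bank's or authenticator app's code: RFC 4226 HOTP (HMAC-SHA1 over a big-endian counter, dynamic truncation to 31 bits, modulo 10^digits) driven by RFC 6238 time steps of 30 seconds. The secret `12345678901234567890` is the RFC 6238 test key, not a real seed, and the replay tracking through `lastUsedStep` is the extra check a server needs so that a code is accepted once only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// RFC 6238 TOTP (HMAC-SHA1, 30-second step), the scheme behind authenticator
// apps, built on RFC 4226 HOTP.

const stepSeconds = 30

// HOTP returns the zero-padded code for one counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation: low nibble of last byte picks the window
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP derives the HOTP counter from Unix time.
func TOTP(secret []byte, unix int64, digits int) string {
	return HOTP(secret, uint64(unix)/stepSeconds, digits)
}

// VerifyTOTP accepts the current step and one step either side for clock skew.
// lastUsedStep (if supplied) records the newest step already consumed, so the
// same code cannot be replayed inside the skew window: a one-time password is one-time.
func VerifyTOTP(secret []byte, code string, unix int64, digits int, lastUsedStep *uint64) bool {
	for _, delta := range []int64{-1, 0, 1} {
		step := uint64(unix+delta*stepSeconds) / stepSeconds
		if lastUsedStep != nil && step <= *lastUsedStep {
			continue
		}
		if hmac.Equal([]byte(HOTP(secret, step, digits)), []byte(code)) {
			if lastUsedStep != nil {
				*lastUsedStep = step
			}
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test key, constructed input
	fmt.Println(TOTP(secret, 59, 8))        // 94287082, the RFC 6238 SHA-1 vector for T=59
	fmt.Println(TOTP(secret, time.Now().Unix(), 6))
}
```

The biometric on the phone and the TOTP seed are independent: stealing or spoofing one does not yield the other, which is why a transaction gated on both is stronger than either alone.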