Yes, It's Cool, Sure It's Fun. But Now You Are Using Something That Can't be Replaced.

Unlocking your phone with your face or your fingerprint feels like the most natural thing in the world. It is fast, seamless, and removes the friction of remembering a PIN. The phone manufacturers have made it feel like an upgrade — more secure, more modern, more you.

It is more convenient. Whether it is more secure depends on something the marketing materials do not discuss: what happens to your biometric data, where it is stored, and what occurs when the system holding it is compromised.

Over 80 percent of smartphones now have fingerprint or facial recognition built in. Businesses use biometrics for workplace access, banking apps use them for authentication, airports use them for identity verification, and retailers are beginning to use them for payment. Biometric data is everywhere — collected, stored, and processed at a scale that was unimaginable a decade ago.

The question worth asking — and almost nobody does — is what you are actually handing over when you register your face or fingerprint, and what the consequences are if that data is ever exposed.

The Fundamental Problem With Biometric Data

Every other form of security credential can be replaced if compromised. A password can be changed in minutes. A credit card can be cancelled and reissued. A PIN can be updated. The damage from a breach, while real, is recoverable.

Biometric data is different in a way that is not immediately obvious but becomes deeply significant when you think it through: you cannot get a new fingerprint. You cannot get a new face. You cannot update your iris scan. The biological characteristics that biometric systems use to identify you are fixed for life.

If a database containing your password is breached, the solution is to change your password. If a database containing your fingerprint template is breached, there is no equivalent solution. The data that was exposed is permanently associated with you. It cannot be revoked, reset, or replaced. The same fingerprint that unlocked your phone will still be your fingerprint decades from now — and if an attacker has a copy of it, that is a permanent liability.

When a password database is stolen, companies force a reset. When a biometric database is stolen, there is nothing to reset. The data that was exposed will be your fingerprint for the rest of your life.

Where Your Biometric Data Actually Goes

When you set up Face ID on an iPhone or fingerprint recognition on an Android device, Apple and Google are at pains to explain that your biometric data is stored locally — on the device itself, in a secure enclave (Apple's Secure Enclave, or the trusted execution environment and StrongBox chip on Android) — and never transmitted to their servers. What is stored is not a photograph or a fingerprint image but a mathematical template derived from it, and that template never leaves the enclave: apps and the operating system itself only receive a yes-or-no match result, or a cryptographic key the enclave releases after a successful match. This is largely true for device-level authentication and represents a genuinely privacy-conscious design decision.

The problem is that device-level biometrics are only one part of the picture.

Biometric data is also collected and stored by employers for workplace access systems, by banks and financial institutions for identity verification, by airports and border agencies for travel, by retailers experimenting with payment systems, by sports venues and entertainment complexes for access control, and by an increasing number of apps that request facial recognition for authentication.

Many of these systems store biometric data on central servers managed by third parties. The security standards applied to that storage vary enormously. And unlike Apple or Google, these organizations are not consumer technology companies whose reputation depends on being seen to handle your data responsibly. They are banks, employers, stadiums, and retailers — organizations that may have limited experience securing the category of data they are now holding.

The Legal Landscape — and What It Reveals

The volume of legal action around biometric data tells its own story about how widespread the collection has become and how poorly it is often managed.

Illinois was the first US state to pass comprehensive biometric privacy legislation — the Biometric Information Privacy Act, known as BIPA. It requires organizations to obtain informed written consent before collecting biometric data, to publish a retention and destruction schedule saying how it will be stored and for how long, and it prohibits selling or otherwise profiting from it. Violations carry significant financial penalties: statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, enforceable through private lawsuits.

The litigation under BIPA has been substantial. In 2025, a federal court approved a settlement of approximately $51 million relating to a facial recognition company’s collection practices. A separate $47.5 million settlement was approved in September 2025 involving a technology company that processed facial recognition data from at least 150,000 individuals. In October 2025, an $8.75 million settlement was approved relating to an education platform that had collected face and voice models from approximately 660,000 students.

These are not edge cases. They represent a consistent pattern of organizations collecting biometric data without adequate consent, without adequate security, and without adequate understanding of the permanent implications of what they were holding.

AI and the Weaponization of Biometric Data

The risks associated with biometric data are not static. They grow as the technology for exploiting it advances.

AI-generated deepfakes and real-time voice cloning have already been used to bypass facial recognition and voice authentication systems. Cybercriminals use AI tools to generate synthetic faces that fool biometric security — what is called a presentation attack or spoofing when the fake is shown to the sensor, and an injection attack when the camera feed itself is replaced with synthetic video. The accuracy of these attacks has improved dramatically as the underlying AI technology has matured. The practical caveat is where they work: a phone's own sensor, which captures depth or infrared data and performs liveness checks, is hard to fool with a flat generated image, whereas remote verification that accepts an ordinary video stream from an untrusted device is exactly where deepfakes and feed injection succeed.

Facial recognition data, far more easily than fingerprint data, can be captured remotely and without your awareness or consent. Your face is visible in every photo you have ever posted online, every video you have appeared in, every CCTV camera you have walked past. Once that data is processed by a facial recognition system, it becomes a searchable, permanent identifier. The same tools that allow law enforcement to identify suspects from surveillance footage can be used by commercial entities and private actors for purposes that have nothing to do with public safety.

What You Can Do

None of this means you should refuse to use biometric authentication altogether. It means you should be selective about where and how you use it.

Understand where your biometric data is stored. Device-level biometrics — Face ID, fingerprint readers that process locally — are meaningfully different from systems that store your data on a central server. Before enrolling in any biometric system, ask where the data will be stored and who will have access to it.

Use a strong PIN as a backup — not as a replacement. Biometric authentication on your device is convenient and, for device-level use, reasonably secure. But ensure your backup PIN is strong and unique, because it is the credential that protects the device when biometrics are unavailable, and the one a thief will try. In many jurisdictions, law enforcement cannot compel you to provide a PIN but can compel you to use your face or fingerprint to unlock a device. This legal distinction is worth understanding, and both platforms give you a way to act on it: holding the iPhone's side button together with a volume button disables Face ID until the passcode is entered, Android offers a Lockdown option in the power menu that does the same, and a restart forces PIN entry on both.

Be cautious about third-party apps requesting biometric access. Many apps request facial recognition or fingerprint access for authentication, and the important question is how. An app that simply triggers the operating system's biometric prompt never sees your face or fingerprint; it gets back a match result or an unlocked key, and the biometric data stays in the enclave. An app that opens the camera itself, asks for a selfie or a video of your face, and sends that to its own servers is doing something entirely different: it is building its own biometric database, under its own security practices, with no enclave involved. The first is a convenience; the second is the permanent exposure this article is about. Evaluate whether the convenience is worth the data sharing.
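As an added example (not code from the article or from any particular vendor), this is what the "app never sees the biometric" model described above looks like in practice on Android. The app creates a hardware-backed key that the keystore will only release after the trusted hardware verifies the user, asks the system biometric prompt to unlock it, and receives a usable cipher, not a template or image. The class name `BiometricGate` and the key alias are assumptions chosen for the illustration; the API calls are the public `androidx.biometric` and Android Keystore ones.

```kotlin
// Added example, not from the article: an Android app gating a key on biometrics.
// The app never handles fingerprint or face data; the TEE/StrongBox does the match
// and the keystore releases the key. Class name and alias are assumed for illustration.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

class BiometricGate(private val activity: FragmentActivity) {
    private val keyAlias = "example_session_key" // assumed alias
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // Hardware-backed AES key that is unusable until the user authenticates and
    // that the keystore destroys if a new fingerprint or face is enrolled.
    private fun getOrCreateKey(): SecretKey {
        (keyStore.getKey(keyAlias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            keyAlias,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)        // key use gated on user auth
            .setInvalidatedByBiometricEnrollment(true)  // new enrolment invalidates key
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }
            .generateKey()
    }

    // Only Class 3 ("strong") sensors are allowed to unlock keystore keys.
    fun canUseStrongBiometric(): Boolean =
        BiometricManager.from(activity)
            .canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG) ==
            BiometricManager.BIOMETRIC_SUCCESS

    // Encrypts plaintext only after the system prompt reports a successful match.
    // The callback receives ciphertext and IV; it never receives biometric data.
    fun encryptAfterAuth(plaintext: ByteArray, onDone: (ciphertext: ByteArray, iv: ByteArray) -> Unit) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey()) // per-use key: doFinal needs auth

        val prompt = BiometricPrompt(
            activity,
            ContextCompat.getMainExecutor(activity),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    // The only thing handed back is the now-usable cipher.
                    val authed = result.cryptoObject?.cipher ?: return
                    onDone(authed.doFinal(plaintext), authed.iv)
                }

                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    // Lockout or user cancel; nothing biometric exists here to clean up.
                }
            }
        )
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock session key")
            .setNegativeButtonText("Cancel")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

The design point is the contrast with an app that calls the camera directly: nothing in the code above can be breached to leak a fingerprint, because the app process never holds one. `setInvalidatedByBiometricEnrollment(true)` is the piece practitioners most often omit; without it, anyone who can add their own fingerprint to the device (for example after learning the PIN) inherits access to the key.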

Opt out of optional biometric collection where possible. Workplace access systems, retailer loyalty programs, and venue entry systems sometimes offer non-biometric alternatives. Use them. The convenience of biometric entry is not worth the permanent exposure of biometric data to an organization whose security practices you cannot audit.

Convenience is the most effective privacy eroder ever invented. Biometric authentication is genuinely convenient — and that convenience has led millions of people to hand over permanent, irrevocable identifiers to organizations whose security they have no way of verifying. Knowing this does not mean opting out of the modern world. It means opting in with your eyes open.

Your fingerprint has been yours since before you were born. It will be yours long after any device you own today has been replaced. Treat it accordingly.

Knowledge is the only real protection online.

LOGIC BASE