Why Biometric Authentication Is Quietly Replacing the Password Infrastructure We Built Over 30 Years
Last October, our security team at a mid-sized fintech in Austin was running a post-incident review after a credential stuffing attack hit our customer portal. Attackers had cycled through roughly 84,000 stolen username/password pairs over 11 days before our SIEM flagged the anomaly. We'd had MFA in place. Didn't matter enough. The session hijacking still got through on 217 accounts because users had reused passwords across breached sites, and our SMS-based second factor was being SIM-swapped at a slow, patient rate.
That review changed how I think about the entire authentication stack.
The Credential Stuffing Problem That Finally Made Biometrics Look Practical
Passwords have a structural flaw that no policy fixes: people reuse them, and databases get breached. Have I Been Pwned currently indexes over 12 billion breached accounts, and that number isn't slowing down. No matter how well you hash on your end (salted bcrypt or Argon2 protects your own database if it leaks), you can't control what a third-party forum does with the same password your users recycled there; a cleartext leak from that site is a working credential for yours.
Biometric authentication, done the way passkeys do it, sidesteps this entirely. There's no shared secret stored on a server to steal: the fingerprint or face match happens locally on the device and only unlocks a private key held there, and what gets transmitted is a signature over a server-issued challenge, not a biometric template. This is the core architectural difference that matters, and it is worth being precise about, because the property belongs to the local-unlock design, not to biometrics as such. A system that uploads templates or match scores to a central server reintroduces the shared-secret problem in a worse form: a breached password can be rotated, a breached fingerprint cannot.
After the October incident, we piloted FIDO2 passkeys combined with on-device biometrics using Yubico's enterprise key management alongside Apple's platform authenticator on iOS 17. The results at the 90-day mark were stark: zero credential stuffing attempts succeeded, and account takeover attempts dropped 94% compared to the same period the previous year.
What Actually Changed in Biometric Hardware Over the Past Two Years
The liveness detection problem was real. Early fingerprint sensors could be fooled with a lifted print and a printed mold. Early face ID systems on cheaper Android hardware failed against a photograph. I used to believe that biometric authentication was fundamentally too spoofable for anything beyond low-stakes access, and I held that view until around mid-2023.
I was wrong.
The current generation of sensors is different in a measurable way. Under-display ultrasonic fingerprint readers like the one in the Samsung Galaxy S24 Ultra use 3D subsurface mapping that reads ridge depth, not just surface pattern. Apple's Face ID uses a structured-light dot projector pushing 30,000 infrared points to build a depth map. Qualcomm's Fingerprint SDK 3.0, released in early 2024, introduced blood flow detection as a liveness signal. These aren't incremental upgrades. They represent a different category of sensor.
Vendor-reported false acceptance rates for current enterprise-grade sensors are below 0.01% (1 in 10,000) in controlled testing; Apple publishes 1 in 50,000 for Touch ID and 1 in 1,000,000 for Face ID. Two caveats a practitioner should hold onto. First, false acceptance rate measures how often a random, non-enrolled person is accepted; resistance to deliberate spoofing is a separate property, tested as presentation attack detection (ISO/IEC 30107-3) and reported separately, if at all. Second, the comparison to passwords is loose, since a password policy has no false acceptance rate; the meaningful comparison is against the guessability and reuse of the passwords users actually pick, and on that axis a biometric-gated key wins decisively.
How Passkeys and Biometrics Are Merging Into a Single Layer
Passkeys are worth understanding clearly because there's still a lot of confusion in the field about what they actually are. A passkey is a FIDO2/WebAuthn credential: a private key held on your device (or synced between your devices through a platform credential manager) and a public key registered with the server. The biometric, or the device PIN as fallback, unlocks use of the private key locally. The server never sees your face or your fingerprint, ever, not even a template of them.
Here's what that means in practice:
- Phishing becomes structurally ineffective: the credential is scoped to the relying party's domain, and the browser writes the origin it actually loaded into the signed data, so a look-alike page gets an assertion the real server rejects and never receives anything reusable
- Replay attacks don't work: each authentication signs a fresh, server-issued challenge, and the server accepts each challenge once
- Credential database breaches expose nothing usable: the server holds only public keys and credential IDs, so there is no hash to crack and nothing to log in with
- SIM swapping is irrelevant: there's no SMS factor to intercept
Google reported in May 2024 that over 400 million Google accounts had authenticated using passkeys at least once, with a significant portion using biometric unlock as the primary mechanism. Microsoft Entra ID now supports passkey authentication in public preview as of early 2025. The infrastructure is actually here.
Where This Still Gets Messy in Enterprise Deployments
I'm not going to pretend the rollout is clean. Device management is the friction point nobody talks about enough. If a user loses their phone and the passkey was device-bound, with no second authenticator enrolled and no synced copy through a credential manager like 1Password or iCloud Keychain, you're dealing with a lockout that's harder to recover from than a password reset. Synced passkeys soften this, but they move the trust to the credential manager's own account and its recovery path, so that account needs the same scrutiny. The practical rule is to require at least two registered authenticators per user before the password is retired.
Account recovery for biometric-only systems requires thinking through fallback paths carefully. We built a tiered recovery process: device backup passkeys synced to a hardware YubiKey 5C NFC stored in a documented secure location, with a break-glass admin process requiring two-person authorization. It added three weeks to our deployment timeline, but it was the right call.
The honest opinion? Any organization still treating SMS-based MFA as an adequate second factor in 2025 is carrying more risk than they're acknowledging.
Biometrics won't solve every authentication problem, but the specific category of attack that dominated incident response for the last decade, credential stuffing and password reuse, is genuinely being closed off. That's not a small thing.