Avoid These Biometric Authentication Mistakes

Build robust biometric authentication that provides positive user experiences while maintaining privacy and data protection.


Biometric authentication is becoming a standard for mobile apps with user-sensitive data. Surprising? No! With support for various biometric methods, such as fingerprint, facial recognition, or iris scans, developers can cater to users’ preferences, offering more flexibility and accessibility. Biometric features are currently difficult to forge or replicate, making biometric authentication a sure way to enhance security in mobile apps.

Note: While the tips and thoughts below can be universally applied to most mobile developers, I’m usually involved in Android development, so many of the examples below will reflect that.

Here are some common mistakes engineers make when adding this feature and tips to help you avoid them.

[Image: system dialog requesting biometric authentication, from the Android Developers’ documentation on Biometric Authentication.]

1. They Rely Solely on Biometric Authentication.

Biometric authentication can have limitations and is not foolproof. Offering only one authentication method can inconvenience some users. Combining biometrics with additional factors enhances security and flexibility.

💡 Tip: Have alternatives for verification readily available.
– Implement multi-factor authentication (MFA) by combining biometrics with other authentication methods (e.g., PIN, password). For example, in a banking app you might offer a fingerprint alongside a PIN as part of a two-factor authentication (2FA) scheme, and give users the choice to use both or either method for added security.
– Use a cryptographic key derivation function for the PIN or password factor in MFA, so that brute-force attacks against it are expensive.

2. They Ignore Biometric Changes.

Biometric data can change over time due to various factors like injuries, aging, or even temporary changes like wearing glasses or eye coverings. Neglecting to handle biometric changes can lead to authentication failures and user frustration. Regularly updating biometric templates helps maintain accuracy and security. For instance, in an app using fingerprint authentication, if a user’s fingerprint data becomes less accurate due to an injury on their thumb, the app could prompt the user to verify their identity another way and then re-enroll their fingerprints to ensure precise authentication.

💡 Tip: Implement a mechanism to prompt users to re-enroll or update their biometric data periodically. For Android apps, you can use the BiometricManager API to check for biometric changes and guide users through the re-enrollment process.

3. They Don’t Check for Biometric Sensor Availability.

Failing to check for biometric sensor availability can result in app crashes on devices without the necessary hardware. In Android, the BiometricManager API allows you to check whether the device supports biometric authentication before attempting to use it.

💡 Tip: Have a fallback method if the sensor is unavailable. For example, an app attempting to use facial recognition on a device without a front-facing camera should prompt the user to use an alternative authentication method such as a PIN or password.
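As an added example (mine, not code from the article), here is how an Android login screen can decide, before any prompt is shown, whether biometrics are usable and otherwise route the user to enrollment or to the app’s own PIN/password path; it covers both tip 1 (always have an alternative) and tip 3 (check the sensor first). It uses the AndroidX BiometricManager and BiometricPrompt; `AuthPath`, `chooseAuthPath`, `startEnrollment` and `buildPromptInfo` are names I made up.

```kotlin
import android.content.Intent
import android.os.Build
import android.provider.Settings
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity

// Decision made before any prompt is shown (hypothetical type, not an Android API).
sealed class AuthPath {
    object Biometric : AuthPath()        // strong sensor present and enrolled
    object OfferEnrollment : AuthPath()  // sensor present, nothing enrolled yet
    object PinOrPassword : AuthPath()    // no usable sensor: use the app's own fallback
}

fun chooseAuthPath(activity: FragmentActivity): AuthPath =
    when (BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)) {
        BiometricManager.BIOMETRIC_SUCCESS -> AuthPath.Biometric
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> AuthPath.OfferEnrollment
        // NO_HARDWARE, HW_UNAVAILABLE, SECURITY_UPDATE_REQUIRED, UNSUPPORTED, STATUS_UNKNOWN:
        // never call authenticate() in these states; it fails on devices without a sensor
        else -> AuthPath.PinOrPassword
    }

// Opens the system enrollment screen on Android 11+; returns false so callers fall back on older OS.
fun startEnrollment(activity: FragmentActivity): Boolean {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) return false
    val intent = Intent(Settings.ACTION_BIOMETRIC_ENROLL)
        .putExtra(Settings.EXTRA_BIOMETRIC_AUTHENTICATORS_ALLOWED, BIOMETRIC_STRONG)
    activity.startActivity(intent)
    return true
}

// Prompt that lets the system offer the device PIN/pattern/password as the alternative path.
// When DEVICE_CREDENTIAL is allowed, setNegativeButtonText() must NOT be called.
fun buildPromptInfo(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Sign in")
        .setSubtitle("Use your fingerprint or your device PIN")
        .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
        .build()
```

Crypto-based authentication (a CryptoObject) with DEVICE_CREDENTIAL allowed is only supported from Android 11 (API 30); on older versions allow only BIOMETRIC_STRONG and provide the PIN/password fallback in the app yourself.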

4. They Overlook Biometric Data Storage.

Improperly storing biometric data in the app’s local database can jeopardize user privacy and data security. Instead, engineers should rely on the secure hardware-backed keystore provided by the operating system to store biometric data safely. By utilizing the BiometricPrompt API, which manages biometric data within the keystore, we can ensure that sensitive information is protected from unauthorized access. This prevents direct access to the actual biometric data.

💡 Tips:
– Use a secure hardware-backed keystore. Rely on the secure hardware-backed keystore provided by the operating system to store biometric data securely. This ensures that biometric information remains protected from unauthorized access and potential data breaches. For instance, a healthcare app using fingerprint authentication should store biometric data securely within the Android Keystore, preventing direct access to the actual fingerprint templates.
– Encrypt your biometric data. You may want to encrypt biometric data before storing it in the keystore to add a layer of protection. Proper encryption safeguards biometric information in case of any potential vulnerabilities or attacks.
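An added example (mine, not the article’s) of the pattern the Android Keystore and BiometricPrompt support for tips 2 and 4: a hardware-backed AES key that can only be used after a fresh biometric authentication, used to encrypt the app’s own secret (say a session token), and configured so that any change to the enrolled biometrics permanently invalidates it, which is the signal to verify the user another way and re-enroll. Note that the OS keeps the fingerprint templates itself and never hands them to app code; what the app protects is its own data with a biometric-gated key. `getOrCreateKey`, `encryptWithBiometric` and the key alias are my names.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val ALIAS = "session_token_key"   // hypothetical alias
private fun keystore() = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

// AES-GCM key that lives in the hardware-backed keystore, is unusable until the user
// authenticates, and is invalidated by the OS if the biometric enrollment set changes.
fun getOrCreateKey(): SecretKey {
    (keystore().getKey(ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
            ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // every use needs a fresh authentication
        .setInvalidatedByBiometricEnrollment(true)  // tip 2: enrollment changes kill the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Encrypts [secret] behind the prompt. onReenrollNeeded fires when the key was invalidated,
// so the app verifies the user another way (PIN, password) and lets them re-enroll.
fun encryptWithBiometric(activity: FragmentActivity, promptInfo: BiometricPrompt.PromptInfo,
                         secret: ByteArray, onDone: (iv: ByteArray, ciphertext: ByteArray) -> Unit,
                         onReenrollNeeded: () -> Unit) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    try {
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    } catch (e: KeyPermanentlyInvalidatedException) {
        keystore().deleteEntry(ALIAS)   // stale key: drop it, re-create after re-enrollment
        onReenrollNeeded()
        return
    }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val c = result.cryptoObject?.cipher ?: return
            onDone(c.iv, c.doFinal(secret))  // only the authenticated cipher can finish
        }
    }
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

Decryption mirrors this with `Cipher.DECRYPT_MODE` and a `GCMParameterSpec(128, iv)` built from the stored IV, again passed through a CryptoObject so the key is only usable after the user authenticates.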

5. They Have Inadequate User Feedback.

During biometric authentication, provide loading indicators or messages to let users know that the system is processing their biometric input. Offer clear instructions on how to place a finger on the sensor or position the face for facial recognition to ensure successful authentication. To illustrate, say you have an app using facial recognition. Display a loading spinner or a message like “verifying your identity…” while the system processes the user’s facial data. If facial recognition fails due to low light, display a response like “Please ensure good lighting for facial recognition” to guide the user and improve their chances of authenticating successfully.

💡 Tip: Inform users if the biometric scan is taking longer than usual or if additional attempts are required. For Android, consider using the ‘onAuthenticationHelp’ callback to offer guidance when non-fatal errors occur.
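An added example (not the article’s code) of the feedback wiring described above. It uses the framework class `android.hardware.biometrics.BiometricPrompt` (API 28+) because that is where `onAuthenticationHelp` lives; the AndroidX callback does not expose it. `authenticateWithFeedback`, its parameters and the message strings are my own placeholders.

```kotlin
import android.hardware.biometrics.BiometricPrompt
import android.os.Build
import android.os.CancellationSignal
import android.widget.TextView
import androidx.annotation.RequiresApi
import androidx.fragment.app.FragmentActivity

// Help codes (finger moved too fast, sensor dirty, face too dark) are transient and the
// prompt stays open; errors end the session and should hand the user to the fallback.
@RequiresApi(Build.VERSION_CODES.P)
fun authenticateWithFeedback(activity: FragmentActivity, status: TextView,
                             onSuccess: () -> Unit, onFallback: (String) -> Unit) {
    var failedAttempts = 0
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        // Non-fatal: the system supplies a localized hint such as "Move finger slowly".
        override fun onAuthenticationHelp(helpCode: Int, helpString: CharSequence) {
            status.text = helpString
        }
        // A sample was captured but did not match; tell the user a retry is expected.
        override fun onAuthenticationFailed() {
            failedAttempts++
            status.text = "Not recognized (attempt $failedAttempts). Try again."
        }
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            status.text = "Verified"
            onSuccess()
        }
        // Terminal: timeout, lockout, cancel. Say why, then offer the PIN path.
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            val hint = when (errorCode) {
                BiometricPrompt.BIOMETRIC_ERROR_LOCKOUT,
                BiometricPrompt.BIOMETRIC_ERROR_LOCKOUT_PERMANENT ->
                    "Too many attempts. Please use your PIN."
                BiometricPrompt.BIOMETRIC_ERROR_TIMEOUT -> "Timed out. Try again or use your PIN."
                else -> errString.toString()
            }
            status.text = hint
            onFallback(hint)
        }
    }
    status.text = "Verifying your identity…"   // shown while the sensor is working
    BiometricPrompt.Builder(activity)
        .setTitle("Verify identity")
        .setNegativeButton("Use PIN", activity.mainExecutor) { _, _ -> onFallback("PIN chosen") }
        .build()
        .authenticate(CancellationSignal(), activity.mainExecutor, callback)
}
```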

By avoiding these mistakes, developers can build a robust biometric authentication feature that provides positive user experiences while maintaining privacy and data protection. Through comprehensive device testing and consistent user education, we can foster a wholesome digital environment where trust and convenience converge easily.

Ren is a software engineer interested in the intersection of data systems, mobile apps and medicine. She has a breadth of experience at Pfizer, the Mount Sinai Health System, and New York Presbyterian. She’s a chronic reader with a penchant for teas, Robusta beans and her cat, Chicken.