Biometric Authentication

Understanding how biometric authentication protects your Balance account.

Biometric authentication uses your unique physical characteristics to secure your Balance account. This guide explains how it works and why it’s secure.

What is Biometric Authentication?

Biometric authentication verifies your identity using:

  • Face ID - Facial recognition (iOS)
  • Touch ID - Fingerprint scanning (iOS)
  • Fingerprint - Fingerprint sensor (Android)
  • Face Unlock - Facial recognition (Android)

Instead of typing a password, you use something unique to you—your face or fingerprint—that can’t be easily stolen or guessed.

Why Biometric Authentication is Secure

Unique to You

  • Your biometric data is unique - No two people have the same fingerprint or face
  • Can’t be guessed - Unlike passwords, can’t be brute-forced
  • Can’t be stolen online - Biometric data isn’t transmitted over the internet
  • Hard to forge - Modern systems detect fake attempts

Protected by Hardware

  • Secure Enclave (iOS) - Dedicated security chip stores biometric data
  • TEE (Android) - Trusted Execution Environment isolates biometric data
  • Never leaves device - Biometric data stays on your phone
  • Encrypted storage - Even on device, it’s encrypted
  • OS-protected - Only the operating system can access it

Additional Security Layers

  • Liveness detection - Ensures you’re present (not a photo)
  • Attention detection - Face ID requires you to be looking
  • Failed attempt limits - Multiple failures require password
  • Time delays - Increasing delays after failed attempts

How Balance Uses Biometric Authentication

What Gets Stored

When you enable biometric login in Balance:

  1. Your credentials are encrypted - Username/token is encrypted
  2. Stored in device keychain - iOS/Android secure storage
  3. Protected by biometric - Only unlocked with your biometric
  4. Device-specific - Each device stores its own

Balance never receives:

  • ❌ Your fingerprint image
  • ❌ Your face scan
  • ❌ Biometric templates
  • ❌ Any biometric data

Balance only knows:

  • ✅ You enabled biometric login
  • ✅ Authentication succeeded or failed

The Authentication Flow

  1. You open Balance app
  2. Biometric prompt appears - “Log in with Face ID”
  3. You authenticate - Look at device or scan finger
  4. Device verifies - Checks against stored biometric
  5. Keychain unlocked - Your encrypted credentials retrieved
  6. Balance logs you in - Using the decrypted credentials
  7. You’re in! - Access to your account

All biometric verification happens on your device - Balance just receives “authenticated” or “failed.”
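
The storage and login steps above can be implemented on iOS roughly as follows. This is an added illustration, not Balance's own code; the service name, function names and error type are hypothetical.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical service name; not taken from the Balance app.
let service = "com.example.balance.login"

enum KeychainError: Error { case accessControl, status(OSStatus) }

/// Store a login token so that only a successful biometric match can read it back.
func storeToken(_ token: Data, account: String) throws {
    // ThisDeviceOnly keeps the item out of backups and off other devices;
    // .biometryCurrentSet ties it to the biometrics enrolled at this moment.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, nil) else { throw KeychainError.accessControl }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(base as CFDictionary)  // replace any earlier item
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = token
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Returns the token after the OS biometric prompt, or nil when the app should
/// fall back to password login (prompt cancelled, match failed, or item gone).
func loadToken(account: String) throws -> Data? {
    let context = LAContext()
    context.localizedReason = "Log in to Balance"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess: return item as? Data
    case errSecItemNotFound, errSecUserCanceled, errSecAuthFailed: return nil
    default: throw KeychainError.status(status)
    }
}
```

The app code only ever sees the token or a status code; the face or fingerprint match itself is performed by the operating system and secure hardware.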

Security Advantages

Over Passwords

Passwords can be:

  • 👁️ Seen over your shoulder
  • 💾 Saved insecurely
  • 🤔 Forgotten
  • 📝 Written down
  • 🔓 Reused across sites
  • 🎣 Phished
  • 💻 Keylogged

Biometrics:

  • ✅ Can’t be seen or stolen
  • ✅ Can’t be forgotten
  • ✅ Don’t need to be written down
  • ✅ Unique to each person
  • ✅ Can’t be phished
  • ✅ Can’t be keylogged

Over PINs

PINs can be:

  • 👀 Observed
  • 🤖 Brute-forced (4-6 digits)
  • 🧠 Forgotten
  • 📱 Left visible on device

Biometrics:

  • ✅ Can’t be observed
  • ✅ Billions of possible combinations
  • ✅ Can’t be forgotten
  • ✅ Part of you

Platform-Specific Security

iOS - Face ID

How Face ID works:

  1. TrueDepth camera - Projects 30,000 infrared dots
  2. 3D face map created - Depth map of your face
  3. Neural networks - Process and match the data
  4. Secure Enclave - Match happens in secure chip
  5. Result only - Only “match” or “no match” leaves Secure Enclave

Security features:

  • Attention detection - Must be looking at device
  • Adaptive learning - Learns gradual face changes (beard, glasses)
  • Anti-spoofing - Cannot be fooled by photos or masks
  • 3D depth required - 2D images don’t work
  • Infrared-based - Works in dark

Security stats:

  • 1 in 1,000,000 chance - Random person could unlock (vs 1 in 50,000 for Touch ID)
  • Twins/siblings - May have reduced security
  • Updates improve - Machine learning gets better over time

iOS - Touch ID

How Touch ID works:

  1. Capacitive sensor - Reads fingerprint ridges
  2. High-resolution image - 500 pixels per inch
  3. Multiple angles - Each unlock adds to template
  4. Secure Enclave storage - Fingerprint never leaves
  5. Comparison - Match happens in secure chip

Security features:

  • Subsurface scanning - Reads beneath skin surface
  • Living tissue detection - Won’t work with fake fingers
  • Multiple fingerprints - Can enroll up to 5
  • Regular re-check - Periodically requires password

Security stats:

  • 1 in 50,000 chance - Random person could unlock
  • 48 hours - Requires password after 48 hours of no use
  • After restart - Password required after device restart

Android - Fingerprint

How fingerprint works (varies by device):

  1. Sensor technology - Optical, capacitive, or ultrasonic
  2. Fingerprint capture - Multiple scans during enrollment
  3. Template created - Mathematical representation stored
  4. TEE storage - Stored in Trusted Execution Environment
  5. Comparison - Matching done in secure hardware

Security features:

  • Liveness detection - Most modern sensors detect living tissue
  • Multiple enrollments - Usually 4-5 fingerprints
  • Fallback to password - Required after failed attempts
  • Secure hardware - Biometric data isolated from OS

Security varies by:

  • Device manufacturer
  • Sensor technology
  • Android version
  • Hardware security features

Android - Face Unlock

How face unlock works (varies widely):

High-end devices:

  • Similar to Face ID
  • 3D facial mapping
  • Infrared sensors
  • Secure processing

Standard devices:

  • 2D camera image
  • Software matching
  • Less secure than Face ID

Security consideration:

  • Not all Android face unlock is equal
  • Some can be fooled by photos
  • Check device security rating
  • Fingerprint often more secure on Android

Biometric Security Best Practices

Do’s

For Maximum Security:

  • Enable biometric login - More secure than passwords alone
  • Use strong password backup - Still needed occasionally
  • Keep device updated - Security improvements in updates
  • Enable device lock - Screen lock prevents physical access
  • Clear biometrics if device shared - Remove others’ biometrics
  • Re-enroll periodically - For better accuracy (fingerprint)

Don’ts

Avoid These Mistakes:

  • Don’t share devices - Others might add their biometrics
  • Don’t enroll others - Never add someone else’s biometric
  • Don’t disable device security - Always have screen lock
  • Don’t ignore biometric failures - Multiple failures could indicate attack
  • Don’t use on highly shared devices - Better for personal devices

Limitations & Considerations

When Biometrics Don’t Work

Password required after:

  • Device restart or power on
  • 48+ hours without unlocking
  • 5 failed biometric attempts
  • Remote lock command
  • Enrolling new biometric
  • Sometimes after app updates

Physical limitations:

  • Wet fingers - Touch ID may not work
  • Gloves - Fingerprint won’t work with gloves
  • Face coverings - Face ID requires visible face (with mask)
  • Sunglasses - Very dark sunglasses may block Face ID
  • Extreme lighting - Very bright or dark conditions

Privacy Concerns

Law enforcement access:

  • Some jurisdictions allow forced biometric unlock
  • Cannot be forced to reveal password (5th Amendment in US)
  • Consider disabling biometric in sensitive situations

Shared device scenarios:

  • Family member might unlock while you sleep
  • Consider password-only in these situations

Medical situations:

  • Biometric might be accessible if incapacitated
  • Consider emergency contacts who should have access

Combining Security Methods

Layered Security

Best practice: Use multiple security layers

  1. Biometric login - Convenient daily access
  2. Strong password - Backup method
  3. Device lock - Physical security
  4. 2FA (when available) - Additional verification

Example scenario:

  • Biometric for quick daily access
  • Password for sensitive changes
  • Device lock prevents access if phone lost
  • 2FA prevents remote compromise

Two-Factor Authentication (Coming Soon)

Balance is working on 2FA:

  • Code sent to phone/email
  • Required for sensitive actions
  • Even if biometric compromised
  • Additional security layer

Biometric vs Password Security

Scenario Comparison

| Scenario | Biometric | Password |
|---|---|---|
| Device stolen (locked) | ✅ Secure | ✅ Secure |
| Device stolen (unlocked) | ❌ Vulnerable | ❌ Vulnerable |
| Over-shoulder observation | ✅ Can’t see | ❌ Can see |
| Forced unlock | ❌ Can be forced | ✅ Can’t be forced (legally) |
| Forgotten credentials | ✅ Can’t forget | ❌ Can forget |
| Remote attack | ✅ Can’t attack | ❌ Phishing possible |
| Keylogger | ✅ Not affected | ❌ Could capture |

Bottom line: Each has strengths. Using both provides best security.

Disabling Biometric Login

When to Disable

Consider temporarily disabling biometric:

  • Traveling internationally - Border security concerns
  • Sensitive meetings - Extra privacy needed
  • Lending device - Temporarily sharing device
  • Lost/stolen - If you can remotely access device
  • Upgrading phones - Before transferring device

How to Quickly Disable

iOS:

  • Press side button + volume button
  • “Slide to Power Off” appears
  • Press Cancel
  • Face ID/Touch ID now disabled (password required)

Android:

  • Press and hold power button
  • “Lockdown mode” option
  • Disables biometric until next password entry

In Balance:

  • Settings menu
  • Toggle biometric login off
  • Stored credentials cleared

Future Enhancements

Balance may add:

  • Biometric for sensitive actions - Require Face ID to delete accounts
  • Biometric settings - More granular control
  • Fraud detection - Alert on unusual biometric patterns
  • Voice authentication - Additional biometric option

Common Questions

Q: Is biometric authentication safer than a password?
A: Generally yes, especially against remote attacks. However, it has different weaknesses (can be forced in person). Best security uses both.

Q: Where is my fingerprint/face data stored?
A: Only on your device, in a secure hardware chip. It never leaves your phone and Balance never sees it.

Q: Can Balance access my biometric data?
A: No. Balance only receives “authenticated” or “not authenticated” from your device’s operating system. The biometric verification happens entirely on your device.

Q: What if someone uses my finger while I’m asleep?
A: This is possible but unlikely. Consider using only Face ID (requires attention) or disabling biometric in these scenarios.

Q: Can twins unlock each other’s Face ID?
A: Possibly. Face ID security is reduced for identical twins. Consider using a password in these cases.

Q: What happens if I change my fingerprints (injury)?
A: Re-enroll your fingerprint in device settings. You can also enroll multiple fingers as backup.

Q: Does biometric authentication work offline?
A: Yes! The verification happens entirely on your device without internet.

Q: Will my face/fingerprint change affect authentication?
A: Minor changes (glasses, beard, aging) are learned over time. Major changes may require re-enrollment.

Technical Details

For the technically curious:

Secure Enclave (iOS)

  • Separate processor - Isolated from main CPU
  • Encrypted memory - Biometric data encrypted
  • Boot chain - Verified secure boot
  • No direct access - Even Apple can’t access
  • Key generation - Creates unique encryption keys

Trusted Execution Environment (Android)

  • Isolated area - Separate from main OS
  • Secure boot - Verified boot process
  • ARM TrustZone - Hardware-based security
  • Keymaster - Manages cryptographic keys
  • Manufacturer specific - Implementation varies

Biometric Storage

What’s stored:

  • Mathematical template (not image)
  • Unique to device
  • Cannot be reverse-engineered to image
  • Encrypted with device-specific keys

What’s NOT stored:

  • Actual fingerprint image
  • Face photograph
  • Raw biometric data
  • Anything that could recreate your biometric

Next Steps

Questions about biometric security? Contact our team - we’re here to help!