You unlock your phone with your face, your fingerprint sends your laptop whirring into action, you pass airport security by glancing at a camera. Biometric technology has become so woven into the daily routine that for many people, it barely registers any more.
That invisibility is part of the point. These systems are usually fast, convenient and feel secure. Unlike a password, you can’t forget your face. But that doesn’t mean they are without risk.
Biometrics fall into two broad families: physiological (fingerprints, faces, irises, even nailbed patterns) and behavioural (how you walk or type, the rhythm of your speech, the angle you hold your phone).
Both forms are already being widely used – you just may not realise it. Many banks and retailers now monitor how you interact with your device – from swipes, taps and scrolls to the angle you hold your phone, the rhythm of how you move between fields, and the pressure of your touch. If someone else picks up your unlocked phone and tries to access your banking app, this can automatically trigger a fraud alert.
My research with colleagues even shows it’s possible to infer a user’s name and native language from the timing patterns of their keystrokes.
The graphic below shows the full extent of biometric technologies. Those marked dark green are in widespread commercial and government use today – including less-familiar examples such as the veins in your hand and other bodily vein patterns.
Physiological and behavioural biometric systems:
Oli Buckley, CC BY
Gait analysis – reading how you walk – is already used for security and surveillance purposes, from venue access to detecting potentially suspicious behaviour. You can wear a mask, pull up a hood, avoid looking at a camera – but you can’t easily change how you walk.
China’s authorities have been using this technology for nearly a decade. And in 2023, the UK’s Biometrics and Forensic Ethics Group flagged gait recognition for ethical guidance. This is usually a sign that operational use isn’t far behind.
A number of other biometric technologies (marked light green), ranging from skin texture and ear shape to micro-expressions and hand-grip patterns, are being actively researched for use in the near future. A further group (marked red) have so far only been demonstrated in the laboratory. But even body odour and breath signatures are further along than their novelty might suggest.
What once felt like science fiction is now embedded in our everyday lives. You can’t always see this technology, and you can’t always opt out. But knowing it exists is the first step to understanding how much of yourself you’re already sharing.
V is for vulnerability
In April 2026, financial security expert Li Chang showed Chinese TV viewers how AI tools could extract a celebrity’s fingerprints from a single selfie. The culprit? The classic V-sign, finger pads pointed straight at the lens.
This built on work by Japan’s National Institute of Informatics which in 2017 showed that usable fingerprints could be lifted from photos taken up to three metres away. And phone camera technology has only got better since then.
In the UK, police have made at least two arrests based on fingerprints lifted from photos: one from a WhatsApp image of a hand holding ecstasy pills, the other when a drug dealer was identified from a photo of him holding a block of Stilton cheese.
This technology can work in the other direction too. In the Chinese city of Hangzhou in July 2025, criminals reportedly tried to unlock a smart door using a photo the homeowner had posted online with his fingers visible. The attempt failed but the intent was clear.
While this kind of targeted, technically demanding attack is still unusual, there are some precautions I would advise taking as the use of biometric technology grows.
How to protect yourself
First, be selective about when you agree to share biometric data – fingerprints, face, iris, voice, all of it.
Most modern smartphones store biometric templates in a secure chip that never leaves the device. But third-party apps and workplace systems rarely offer the same guarantee.
In July 2024, US tech giant Meta paid the state of Texas US$1.4 billion (£1.1bn) after running facial recognition on users without consent. This followed a class-action settlement with TikTok’s parent company ByteDance in Illinois for US$92 million over similar allegations.
So, try to keep track of which apps have access to your camera and microphone. On both iOS and Android, this takes about two minutes. And don’t use biometrics as the only layer of security – make sure there’s a second step.
Three potential biometric weakpoints
Voice: This is probably the most casually surrendered biometric. AI voice cloning requires only seconds of audio to produce a convincing replica, and it’s being used in fraud calls impersonating family members. This is a far more realistic – and terrifying – version of the virtual kidnapping scam that’s been around for years. Establishing a safe word with the people closest to you for any unexpected financial request is a simple and underrated defence.
Eyes: Iris recognition is considered robust because this coloured eye muscle has around 250 measurable features – far more than a fingerprint – and remains stable throughout your life. But the quiet expansion of eye-tracking data collected through VR headsets, for example, is going unnoticed. Check the privacy settings on any VR device you use, and be aware that gaze data is increasingly treated as a commercial asset by platforms that collect it.
Fingerprints: Beyond being careful what you point at the camera, know where you’ve enrolled your fingerprint. Workplace access systems and payment terminals vary widely in how they store and protect data – and unlike your phone, they’re not legally required to tell you.
None of this means biometric systems are broken. For most purposes, they are more secure than the passwords they are replacing. The question is not whether to engage with these systems – they’re already too embedded to avoid. It’s whether we’re engaging with our eyes open – eyes that are, of course, already regularly being scanned.
Oli Buckley receives funding from UKRI (including EPSRC and ESRC).
