Users are losing trust in biometrics, report says

But a new report on banking-app authentication finds a turning point: one in three users worries about biometric theft and spoofing, and many are unsure where their face and fingerprint data are stored, who controls it, and how it might be misused.

Many believe that biometrics are not enough to protect their digital assets, particularly in the context of growing AI-driven attacks, data breaches, and privacy violations.

A recent report on authentication experiences on banking applications in Viet Nam shows that biometrics are now dominating the authentication landscape, surpassing passwords, OTP codes, and other traditional methods to become the central trend in digital authentication. Photo courtesy of VinCSS

Experts at VinCSS Internet Security Services JSC say much of this concern arises from the lack of distinction between the role, implementation method, and context of biometric use in authentication. Biometrics are not always the main key to access. In some cases, they are used as a standalone form of authentication, such as scanning a fingerprint to open a door or using facial recognition to unlock a device. Online systems often adopt this model by storing biometric templates centrally on servers and comparing them against user scans. While common, this model introduces significant risk because of the central storage of sensitive data.

In other contexts, biometrics serve only as a supplementary form of authentication. Here, they act as a local input layer that unlocks another mechanism operating in the background. For example, in many banking applications today, a user may scan a fingerprint or face not to directly authenticate but simply to trigger the automatic submission of a saved username and password. In such cases, biometrics are not the ultimate safeguard but merely a convenient interface.

The real risk, therefore, lies not in the biometric technology itself but in the way it is applied. Physical hardware security in offline environments significantly reduces the risk of spoofing. In contrast, online environments face greater vulnerability to AI-based attacks such as deepfakes or voice cloning. When biometrics are used as a standalone method in these settings, the level of risk increases substantially.

To address this challenge, VinCSS strongly recommends the combination of biometrics with passwordless authentication based on the FIDO2 standard. In this modern model, biometrics are used only locally to unlock a private key stored securely on the user's device. Biometric data never leaves the device and is never stored centrally online, which minimizes the risk of theft or misuse. This approach transforms biometrics from a potential weakness into a private, powerful, and seamless layer of protection for end users.

VinCSS's report does more than clarify the nature of biometrics. It also highlights the specific authentication needs of different age groups and measures user satisfaction across banks.

This was one of the first report on authentication experience in banking apps in Vietnam. Photo courtesy of VinCSS

"As this report shows, it's not just data—it's the voice of users who face security risks every day," said Annie Quynh Anh, Head of Marketing at VinCSS. "We hope it helps banks, developers, policymakers, and end users review and upgrade authentication experiences, because they are increasingly the foundation of digital trust."

See the full report here.