Touch the sensor. A WebAuthn authentication request will invoke your device's
biometric hardware — the same sensor your banking app, phone lock screen,
and government ID app use. Below you will see exactly what the browser receives,
and what a native app receives instead. The difference between these two lists
is where your privacy lives or disappears.
Your fingerprint template never leaves the secure enclave — when the caller is a browser using WebAuthn.
Native apps, MDM profiles, and OS-level APIs operate under entirely different rules.
India's Aadhaar system has centrally stored fingerprints of 1.4 billion people.
China's Social Credit system links biometric data to financial and movement records.
The EU's Entry/Exit System began fingerprint collection at all external borders in 2024.
The sensor in your phone is neutral. Who calls it — and what they do with the result — is not.
what the browser receives
  credential id (site-scoped, non-portable)
  authenticator type
  user verified (UV flag, set after the on-device biometric match)
  public key (COSE format)
  authenticator data (hex excerpt)

what the browser never receives
  fingerprint template: withheld by the secure enclave — cryptographic guarantee
  ridge minutiae map: never crosses the hardware boundary
  biometric match score: only a boolean result is returned
  enrollment image: destroyed after template generation at enrollment

what a native app may receive instead
  biometric match score: available via proprietary OEM APIs on some platforms
  enrollment metadata: number of enrolled fingers, failure counts, last enrollment date
  liveness / anti-spoof result: presentation attack score — logged and transmitted by some SDKs
  partial feature vectors: some banking and government SDKs expose geometric features, not full templates
  sensor hardware identifier: manufacturer, model, and firmware version — fingerprints your device
WebAuthn and the secure enclave
WebAuthn (FIDO2) is designed so that biometric data never leaves the device's secure
enclave — a hardware-isolated cryptographic processor separate from the main CPU.
When you authenticate, the enclave performs the biometric match internally, uses the
result only to unlock the credential's private key, and returns a signature over the
site's challenge together with a user-verified flag. The fingerprint itself is never
part of the response.
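To make the "what the browser receives" list concrete, here is an added example (not code from this page) that parses a WebAuthn authenticatorData buffer the way a relying party would: the RP ID hash, the flags byte (user present, user verified, attested credential data present), the signature counter and, for a registration response, the AAGUID, credential ID and COSE public key. The sample buffer is constructed inline with placeholder bytes (the RP ID hash and key coordinates are not real values); the CBOR decoder covers only the subset a COSE_Key needs. Every field that comes out is a hash, a flag, a counter or key material; there is no slot in the structure where a template or match score could travel.

```javascript
// Added example: decode WebAuthn authenticatorData and its COSE public key.
// Sample bytes below are constructed placeholders, not output of a real authenticator.

const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');

// Minimal CBOR decoder for the COSE_Key subset: unsigned/negative ints, byte strings,
// text strings and maps. Returns [value, bytesConsumed] starting at `offset`.
function decodeCbor(bytes, offset = 0) {
  const initial = bytes[offset];
  const major = initial >> 5;
  const info = initial & 0x1f;
  let pos = offset + 1;
  let arg = info;
  if (info === 24) { arg = bytes[pos]; pos += 1; }
  else if (info === 25) { arg = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; }
  else if (info === 26) {
    arg = ((bytes[pos] << 24) >>> 0) + (bytes[pos + 1] << 16) + (bytes[pos + 2] << 8) + bytes[pos + 3];
    pos += 4;
  } else if (info > 26) throw new Error('unsupported CBOR argument encoding');
  switch (major) {
    case 0: return [arg, pos - offset];                      // unsigned int
    case 1: return [-1 - arg, pos - offset];                 // negative int
    case 2: return [bytes.slice(pos, pos + arg), pos + arg - offset];   // byte string
    case 3: return [new TextDecoder().decode(bytes.slice(pos, pos + arg)), pos + arg - offset];
    case 5: {                                                // map
      const map = new Map();
      for (let i = 0; i < arg; i++) {
        const [k, kLen] = decodeCbor(bytes, pos); pos += kLen;
        const [v, vLen] = decodeCbor(bytes, pos); pos += vLen;
        map.set(k, v);
      }
      return [map, pos - offset];
    }
    default: throw new Error('unsupported CBOR major type ' + major);
  }
}

// Parse authenticatorData per the WebAuthn spec layout:
// rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const result = {
    rpIdHash: toHex(authData.slice(0, 32)),   // SHA-256 of the RP ID; this is what scopes the credential
    userPresent: !!(flags & 0x01),
    userVerified: !!(flags & 0x04),           // true after a successful local biometric/PIN check
    attestedCredentialIncluded: !!(flags & 0x40),
    extensionsIncluded: !!(flags & 0x80),
    signCount: view.getUint32(33, false),
  };
  let pos = 37;
  if (result.attestedCredentialIncluded) {
    result.aaguid = toHex(authData.slice(pos, pos + 16)); pos += 16;
    const credIdLen = view.getUint16(pos, false); pos += 2;
    result.credentialId = toHex(authData.slice(pos, pos + credIdLen)); pos += credIdLen;
    const [cose] = decodeCbor(authData, pos);
    // COSE_Key labels: 1=kty, 3=alg, -1=crv, -2=x, -3=y (kty 2 / alg -7 / crv 1 is ES256 on P-256)
    result.publicKey = { kty: cose.get(1), alg: cose.get(3), crv: cose.get(-1),
                         x: toHex(cose.get(-2)), y: toHex(cose.get(-3)) };
  }
  return result;
}

function concat(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let o = 0;
  for (const p of parts) { out.set(p, o); o += p.length; }
  return out;
}

// Constructed registration-style authenticatorData: flags 0x45 = UP | UV | AT, counter 7.
function buildSampleAuthData() {
  const rpIdHash = new Uint8Array(32).fill(0xaa);            // placeholder, not a real SHA-256
  const aaguid = new Uint8Array(16).fill(0x01);              // placeholder authenticator model id
  const credId = new Uint8Array(16).map((_, i) => i);        // constructed credential id
  const x = new Uint8Array(32).fill(0xbb), y = new Uint8Array(32).fill(0xcc);  // placeholder coordinates
  const coseKey = new Uint8Array([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01,
                                  0x21, 0x58, 0x20, ...x, 0x22, 0x58, 0x20, ...y]);
  return concat([rpIdHash, new Uint8Array([0x45]), new Uint8Array([0, 0, 0, 7]),
                 aaguid, new Uint8Array([0, credId.length]), credId, coseKey]);
}

// Authentication responses carry only the first 37 bytes (no attested credential data).
function buildSampleAssertionAuthData() {
  const a = buildSampleAuthData().slice(0, 37);
  a[32] = 0x05; // UP | UV, AT cleared
  return a;
}

console.log('registration fields :', Object.keys(parseAuthenticatorData(buildSampleAuthData())).join(', '));
console.log('authentication fields:', Object.keys(parseAuthenticatorData(buildSampleAssertionAuthData())).join(', '));
```

A relying party that verifies the response recomputes SHA-256 of its own RP ID and compares it with `rpIdHash` before checking the signature, which is the mechanism behind the site-scoping described on this page: a credential minted for one RP ID will not verify for another.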
Native apps operate differently. Android's BiometricPrompt API and iOS's LocalAuthentication
framework give developers a result — but OEM-specific and enterprise APIs expose
substantially more. Government ID apps, banking fraud systems, and enterprise MDM
profiles often access enrollment metadata, liveness scores, and partial feature data,
sometimes with explicit consent buried deep in terms documents, sometimes without.
The credential ID shown is scoped to this domain and cannot be used to link your
identity across other services. That constraint is WebAuthn by design.
Native app databases are not bound by it.