Biometrics such as fingerprints, facial recognition, iris scans, and voice authentication have long stood as a cornerstone of digital identity verification. According to a recent report on authentication experiences on banking applications in Viet Nam, biometrics are now dominating the authentication landscape, surpassing passwords, OTP codes, and other traditional methods to become the central trend in digital authentication.

However, the report reveals a turning point: one in three users is worried about biometric theft and counterfeiting. Across all age groups, users express concerns about where their facial and fingerprint data is stored, who manages it, and whether it might fall into the hands of malicious actors. Many believe that biometrics are not enough to protect their digital assets, particularly in the context of growing AI-driven attacks, data breaches, and privacy violations.

According to experts from VinCSS Internet Security Services Joint Stock Company, much of this concern arises from a failure to distinguish between the role, the implementation, and the context of biometric use in authentication. Biometrics are not always the main key to access. In some cases, they are used as a standalone form of authentication, such as scanning a fingerprint to open a door or using facial recognition to unlock a device. Online systems often adopt this model by storing biometric templates centrally on servers and comparing each user scan against them. While common, this model introduces significant risk: the central template store becomes a single high-value target, and unlike a password, a leaked fingerprint or face cannot be rotated.

In other contexts, biometrics serve only as a supplementary form of authentication. Here, they act as a local input layer that unlocks another mechanism operating in the background. For example, in many banking applications today, a user may scan a fingerprint or face not to authenticate directly, but simply to trigger the automatic submission of a saved username and password. In such cases, biometrics are not the ultimate safeguard, but merely a convenient interface: the stored password is what actually authenticates, so its storage and transmission are what an attacker targets.

The real risk, therefore, lies not in the biometric technology itself but in the way it is applied. In offline environments where the sensor and hardware are physically secured, the risk of spoofing is relatively low. Online environments are more exposed to AI-based attacks such as deepfakes or voice cloning, where a synthetic sample is presented to, or injected in place of, the camera or microphone. When biometrics are used as a standalone method in these settings, the level of risk increases substantially.

To address this challenge, VinCSS strongly recommends combining biometrics with passwordless authentication based on the FIDO2 standard. In this model, the biometric is used only locally to unlock a private key stored securely on the user's device; the device then signs a fresh challenge from the server, and the server verifies the signature with the public key it registered earlier. Biometric data never leaves the device and is never stored centrally online, so there is no template to steal, and the only thing that crosses the network is a signature bound to the legitimate site. This approach transforms biometrics from a potential weakness into a private, powerful, and seamless layer of protection for end users.
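The flow described above, as an added illustration that is not code from VinCSS or from the report: the authenticator holds the private key and performs the biometric match locally, the relying party stores only a public key and credential ID, and the only artefact sent over the network is a signature over a one-time challenge. The structure of the signed data (RP ID hash, flags byte with the UV bit, signature counter, then the client data hash) follows WebAuthn, but the client data hash is simplified to SHA-256 of the raw challenge, and the names `Authenticator`, `RelyingParty`, `Register`, `Sign` and `Verify` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	flagUP byte = 0x01 // user present
	flagUV byte = 0x04 // user verified: biometric (or PIN) matched on the device itself
)

// Assertion is everything that crosses the network. It carries no biometric data.
type Assertion struct {
	CredID, AuthData, Challenge, Sig []byte
}

// Authenticator models the user's device. The private key and the biometric
// template both stay here; the match result only decides whether to sign.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	credID    []byte
	signCount uint32
}

// RelyingParty models the bank's server: public keys, counters and the
// challenges it has issued but not yet seen answered. No templates, no passwords.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey
	lastCount  map[string]uint32
	challenges map[string]bool
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{},
		lastCount: map[string]uint32{}, challenges: map[string]bool{}}
}

// Register: the device mints a key pair and hands the server only the public half.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	credID := make([]byte, 16)
	if _, err := rand.Read(credID); err != nil {
		return nil, err
	}
	rp.pubKeys[hex.EncodeToString(credID)] = &priv.PublicKey
	rp.lastCount[hex.EncodeToString(credID)] = 0
	return &Authenticator{priv: priv, credID: credID}, nil
}

// NewChallenge issues a fresh random nonce that may be answered exactly once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// signedMessage is SHA-256(authData || SHA-256(challenge)); the challenge hash
// stands in for WebAuthn's hash of clientDataJSON (simplification, see lead-in).
func signedMessage(authData, challenge []byte) []byte {
	clientHash := sha256.Sum256(challenge)
	msg := sha256.Sum256(append(append([]byte{}, authData...), clientHash[:]...))
	return msg[:]
}

// Sign is the on-device step. biometricMatched is the outcome of the local
// fingerprint/face comparison; when false nothing is signed and nothing leaves.
func (a *Authenticator) Sign(rpID string, challenge []byte, biometricMatched bool) (*Assertion, error) {
	if !biometricMatched {
		return nil, errors.New("user verification failed: no assertion produced")
	}
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append([]byte{}, rpHash[:]...)   // 32 bytes: which site this key answers for
	authData = append(authData, flagUP|flagUV)   // 1 byte: flags
	var counter [4]byte                          // 4 bytes: signature counter, big-endian
	binary.BigEndian.PutUint32(counter[:], a.signCount)
	authData = append(authData, counter[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{CredID: a.credID, AuthData: authData, Challenge: challenge, Sig: sig}, nil
}

// Verify is the server-side check. Note what it never needs: a biometric template.
func (rp *RelyingParty) Verify(as *Assertion) error {
	ck := hex.EncodeToString(as.Challenge)
	if !rp.challenges[ck] {
		return errors.New("unknown or replayed challenge")
	}
	delete(rp.challenges, ck) // single use, consumed even if the rest fails
	id := hex.EncodeToString(as.CredID)
	pub, ok := rp.pubKeys[id]
	if !ok {
		return errors.New("unknown credential")
	}
	if len(as.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different site")
	}
	if as.AuthData[32]&flagUV == 0 {
		return errors.New("user verification flag not set")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= rp.lastCount[id] {
		return errors.New("signature counter did not increase: possible cloned key")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.Challenge), as.Sig) {
		return errors.New("bad signature")
	}
	rp.lastCount[id] = count
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	dev, _ := Register(rp)
	ch, _ := rp.NewChallenge()
	if _, err := dev.Sign(rp.rpID, ch, false); err != nil {
		fmt.Println("biometric mismatch:", err)
	}
	as, _ := dev.Sign(rp.rpID, ch, true)
	fmt.Println("login:", rp.Verify(as))  // <nil>
	fmt.Println("replay:", rp.Verify(as)) // unknown or replayed challenge
}
```

Two properties worth noticing: a failed biometric match produces no network traffic at all, so a deepfake presented to the sensor has to beat the on-device matcher rather than a server API, and an assertion produced for `phish.example` is rejected by `bank.example` because the RP ID hash is part of what was signed.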

VinCSS’s report does more than clarify the nature of biometrics. It also highlights the specific authentication needs of different age groups and measures user satisfaction across banks. 

As Ms. Annie Quynh Anh, Head of Marketing at VinCSS, affirms: “This report is not just data, but also the voice of those who directly face security risks every day. VinCSS hopes that it serves as a valuable reference for banks, developers, policymakers, and end-users to review and upgrade authentication experiences, because it is increasingly becoming the foundation of digital trust.”

See the full report here.

Hi, I'm Zerox from VinCSS