Phone and tablet security

Note that biometric data never leaves the phone (or PC). It’s also converted in a way that can’t be reversed to the original fingerprint or face image, and stored encrypted on the phone. So even if someone hacked into your phone and got hold of that data, they would not be able to use it to identify you anywhere else.

The way biometrics are used for signing is that you present your fingerprint / face / PIN etc to the device to authorise it to access the stored passkey for a particular service. The passkey itself never leaves the phone: it is the ‘private’ part of a public-private key pair to which the service’s server holds the ‘public’ key.

This is Apple’s explanation of how passkeys work.

From that article (with my emphasis):

Passkeys are built on the WebAuthentication (or “WebAuthn”) standard, which uses public key cryptography. During the account registration process, the operating system creates a unique cryptographic key pair to associate with an account for that app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public and is stored on the server. This public key is not a secret. The other key is private and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices that support Touch ID or Face ID, these authentication methods can be used to authorise use of the passkey, which then authenticates the user to the app or website. Shared secrets are not transmitted and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure passkey implementations are compatible cross-platform and can work on as many devices as possible.

This mechanism is far more secure than passwords.
