
What distinguishes an excellent biometric system from a defective one?

  • Writer: Alexey
  • May 29, 2020
  • 2 min read

A biometric system is a system that identifies or authenticates you based on "who you are": a fingerprint, a retina scan, a face scan and so on. You have seen them, right?


Biometric systems differ from password-based systems in one fundamental way.


When you type a password, a computer just needs to compare two strings: what you typed and the password you set before. If they are equal, you are in. The error rate of string comparison on modern computers is 0.


It is another story when biometric parameters have to be compared. In this case, a computer needs to compare one "image" with another, and those "images" are far from identical, even if they belong to the same person: a different camera angle, other lighting conditions, a different composition and so on. Scientists have learned how to solve this problem effectively, but at the bottom of any such solution is probability theory. In effect, the biometric system replaces the "equal" sign in the equation with a "very, very similar" sign.


That opens up a whole new class of possible error sources, and they are quite interesting compared to the password world. The expected behaviour is that the "owner is allowed" and the "intruder is rejected". But there are two other possible outcomes.

  1. Owner rejected. A legitimate owner is denied by the system and cannot get in. This is a problem and an inconvenience, but not a fatal security issue. The rate of such mistakes is called the False Rejection Rate (FRR).

  2. Intruder accepted. A malicious actor is granted access to the system. This is a real security problem! The rate of such mistakes is called the False Acceptance Rate (FAR).

FRR and FAR are linked to each other. When you develop a system, you start balancing these two types of errors. The stricter the system, the smaller the chance of letting an intruder in, but the bigger the chance of rejecting a legitimate owner. Users become unhappy. So you make it less restrictive; it still seems to be working, all authorized users can log in, but now every tenth attacker is welcome :)
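The trade-off described above, as an added example that is not the author's code: a biometric matcher is assumed to output a similarity score in [0, 1], a fresh scan is accepted when the score reaches a threshold, and sweeping that threshold over constructed genuine and impostor scores shows FRR and FAR moving in opposite directions, plus the threshold where they meet (the equal error rate point).

```python
"""Threshold sweep for a similarity-score biometric matcher (added example).

The score lists below are constructed sample data, not output of a real matcher.
"""
from typing import List, Tuple

# Constructed scores: how similar a fresh scan is to the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.83]   # owner vs own template
IMPOSTOR_SCORES = [0.35, 0.52, 0.61, 0.28, 0.74, 0.45, 0.58, 0.66, 0.40, 0.79]  # intruder vs template


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) when a match is accepted iff score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)    # owners wrongly rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)  # intruders wrongly accepted
    return frr, far


def sweep(genuine: List[float], impostor: List[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """Evaluate (threshold, FRR, FAR) for thresholds 0, 1/steps, ..., 1."""
    return [(i / steps, *error_rates(genuine, impostor, i / steps))
            for i in range(steps + 1)]


def equal_error_point(genuine: List[float], impostor: List[float],
                      steps: int = 100) -> Tuple[float, float, float]:
    """Lowest threshold where FRR and FAR are closest (the equal error rate point)."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps=20):
        print(f"{t:9.2f}  {frr:.2f}  {far:.2f}")
    t, frr, far = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal error point: threshold={t:.2f} FRR={frr:.2f} FAR={far:.2f}")
```

Lowering the threshold from 0.80 to 0.60 on this sample data drops FRR from 0.2 to 0.0 but raises FAR from 0.0 to 0.4, which is the "users are happy, intruders are welcome" end of the trade-off.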

The worst possible biometric system is based on simple photo images. The best possible one requires multiple biometric parameters. Either way, biometric authentication alone should be used in non-critical systems only. And do not forget that it is hard to change your face once it has been compromised.


P.S. (1) In fact, an authentication server should never compare passwords themselves, but hashes of passwords. That does not affect the substance of the explanation above, as hashes are still strings. (2) Biometric systems do not compare images in the sense of "photographs". They typically store the parameters of a scanned biometric object in the form of a matrix (a template), but it is easier to think of it as an "image".


© 2025 by Alexey Bocharnikov
