That doesn’t sound quite right. The biometric data is on the local device only. It’s used to “unlock” a long encryption key which is then used to authenticate with the server. Honestly, still learning about these myself. It looks like a good solution if they are implemented properly. I read this which was useful.