* The iPhone stores your biometric data in its Secure Enclave
* The Secure Enclave also holds the cryptographic private keys
* Every action you do against the server requires your phone to add a cryptographic signature, which can only be written when the iPhone verifies you via FaceID
Apple could act as the Certificate Authority letting websites know that this signature aligns with an iPhone user. Apple may not need to let the website know exactly who performed the action, but just say that Apple verifies that this is a real person making the action.
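The flow the bullets describe, as an added worked example that is not code from the original post: a hypothetical device-attestation CA standing in for Apple, a device key that only signs after a simulated Face ID match, and a relying server that checks the attestation chain and the per-request signature. Everything here is constructed for illustration: the CA name, the generic "verified person" subject, the request fields, and the Ed25519 key type (a real Secure Enclave key would be P-256 ECDSA, and the biometric gate would be enforced by the hardware rather than by a Go field).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device models the phone: a signing key that never leaves it (in memory here, in the
// Secure Enclave in the proposal) plus a flag standing in for a fresh Face ID match.
type Device struct {
	key         ed25519.PrivateKey
	Attestation []byte // DER certificate the CA issued over the device public key
	Verified    bool   // set by a (simulated) successful Face ID match; Sign clears it
}

// SignedRequest is what the phone sends; the attestation's subject is a fixed label, so it names no person.
type SignedRequest struct {
	Method, Path, Nonce string
	Body                []byte
	Attestation         []byte
	Signature           []byte // Ed25519 signature over digest(request)
}

// issue generates a key and certifies it under parent/parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (ed25519.PrivateKey, []byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	return key, der, err
}

// NewCA builds the hypothetical issuer that stands in for Apple in the proposal.
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device Attestation CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	key, der, err := issue(tmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Enroll creates the device key and has the CA certify it under a generic subject: "a verified person", not who.
func Enroll(caCert *x509.Certificate, caKey ed25519.PrivateKey) (*Device, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; a real CA would use a random one
		Subject:      pkix.Name{CommonName: "verified person"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	key, der, err := issue(tmpl, caCert, caKey)
	return &Device{key: key, Attestation: der}, err
}

// digest binds method, path, a per-request nonce and the body into one hash, so the
// signature covers the whole action and cannot be moved to a different request.
func digest(r *SignedRequest) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n%s\n", r.Method, r.Path, r.Nonce)
	h.Write(r.Body)
	return h.Sum(nil)
}

// Sign refuses to use the key unless the user was just verified, and consumes that verification.
func (d *Device) Sign(method, path, nonce string, body []byte) (*SignedRequest, error) {
	if !d.Verified {
		return nil, fmt.Errorf("biometric verification required")
	}
	d.Verified = false
	r := &SignedRequest{Method: method, Path: path, Nonce: nonce, Body: body, Attestation: d.Attestation}
	r.Signature = ed25519.Sign(d.key, digest(r))
	return r, nil
}

// Verify is the server side: the attestation must chain to a trusted root and the signature
// must verify under the attested key. Rejecting replayed nonces is left to the caller.
func Verify(roots *x509.CertPool, r *SignedRequest) error {
	cert, err := x509.ParseCertificate(r.Attestation)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return fmt.Errorf("attestation not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, digest(r), r.Signature) {
		return fmt.Errorf("request signature invalid")
	}
	return nil
}
```

The server learns only that a key the CA vouches for signed this exact method, path, nonce and body; the certificate subject carries no identity, which is the property the comment is after. A deployment would still need the server to track nonces (or bind a server challenge) so a captured request cannot be replayed, and would need a revocation path for lost devices.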