“So where does my face go?” Every campus biometric program eventually faces that question from a student holding a microphone, and the program’s fate depends on whether the answer is specific or soothing.
Here is the specific answer: in a well-built facial authentication system, your face doesn’t go anywhere — a 3D scan is converted, on the device, into an encrypted mathematical template that cannot be turned back into an image, no photograph or video is stored, and the template is deleted when you revoke consent. This post unpacks each clause of that sentence, because each one is doing real work.
What is a biometric template?
Not a photo. Not a compressed photo. Not a photo with extra steps. Enrollment measures the geometry of a face in three dimensions and runs those measurements through a one-way algorithm, producing a string of numbers — the template — that the system can compare against a live face but that cannot be reversed into a picture. The relationship is like a document and its hash: the hash proves a match, and no amount of staring at it reproduces the document. “Non-reconstitutable” is the term of art, and it’s the property that separates a template store from the image databases that headlines are made of.
What happens at the door?
The live process mirrors the enrollment. You approach; the reader captures a 3D, liveness-checked view — depth, not a flat picture, which is why a photo or a phone screen held up to the device fails — computes the same kind of measurements, and compares them to your template. One-to-one: your live face against your enrolled math, never a search of everyone’s. The match completes at the edge, on the device, in under a second, and what leaves the reader is an access decision to the campus’s existing control system — the same signal a badge would have sent. No image of the moment is kept. The distinction between this and crowd-scanning systems is the subject of the authentication-versus-recognition post; the short version is that this system has no gallery to search and no mode in which it evaluates people who never enrolled.
Where does the template live, and how is it protected?
Encrypted — AES-256 at rest, TLS 1.2/1.3 whenever data moves — and held within the campus deployment, managed through the Alcatraz Platform. No photos, names, or videos are stored on the reader itself, so the device at the door holds nothing a thief could parade. The full privacy architecture documents the flow end to end, and the attack-surface analysis — what an adversary who compromised each layer could and could not obtain — gets its own treatment in the security post.
What happens when you leave, or change your mind?
Revocation deletes the template — not deactivates, deletes — and the consent record notes the withdrawal, giving you and the institution an auditable trail from opt-in to opt-out. Graduation and separation run the same machinery through the platform. And because enrollment was opt-in with a badge fallback at every door, changing your mind costs nothing: you tap a card tomorrow like you did before you enrolled. The consent lifecycle — what you agreed to, in what words, with what deletion clock — is governed by the document covered in the consent form guide.
The limits, stated plainly because trust is built on them: this describes the biometric layer, not the access log — the record that your credential opened a door exists in the campus ACS exactly as badge reads always have, under the institution’s existing policies. And “cannot be reconstituted” is a property of the algorithm, not a magic spell; it’s why the algorithm choice, the encryption, and the governance around both all have to hold at once.
If your campus is fielding the microphone question now, book a demo — the enrollment-to-deletion walkthrough is the answer in demonstrable form.
Frequently asked questions
Is a biometric template just a stored photo?
No. Enrollment runs 3D facial measurements through a one-way algorithm, producing an encrypted string of numbers that can confirm a match but cannot be reversed into an image. No photographs, names, or videos are stored on the reader at all.
If the system is breached, can someone get my face?
The stored artifact is a non-reconstitutable template protected with AES-256 at rest and TLS 1.2/1.3 in transit, and matching happens on the device rather than in a central image database. What an attacker could obtain is math that does not turn back into a person.
What happens to the template at graduation or revocation?
It is deleted, and the consent record notes the withdrawal — an auditable trail from opt-in to opt-out. Because enrollment was optional with a badge fallback at every door, revoking costs nothing: the card works tomorrow the way it did before enrollment.