First, there’s a part of the chip on the iPhone that’s walled off from the rest of the phone. It has its own little operating system and a little bit of storage, and it’s called the Secure Enclave. The rest of the phone can only send requests to the SE, like encrypt this, decrypt this, give me the keys for that, etc.

So when you put in a PIN for the first time, the OS tells the SE “Register this as the new PIN.” The SE then stores an encrypted key derived from the PIN. Then when you enter a PIN later, the OS asks the SE “Is this the right PIN?” The SE runs the entered PIN through the encryption to see if it comes out right, and then either denies the request because the PIN is wrong, or it passes on the keys to the OS that are necessary to unlock the phone.

The SE stores FaceID and TouchID data too. Now your face isn’t stored as a face, but a number algorithmically derived from what your face looks like. Same goes for your fingerprint. So when you register your face the OS tells the SE “This is an allowed face, store it.” Later you look at it, the OS sees a face, and it sends that to the SE asking “Is this a valid face?” The SE returns either a deny or the information necessary for the OS to unlock the phone.