Just for Face/Touch ID: There’s a chip in the device called the “Secure Enclave” designed specifically to store these biometrics. Essentially, your phone reads your face/fingerprint then passes the data to the Secure Enclave. The Secure Enclave then responds with “yes, passed the test!” Or “no, this is a different person”. That answer determines whether or not you’re allowed to login/view sensitive data/other protected actions.