The Next Security Standard: Why JPMorgan’s Mandatory Biometrics Make Sense—for Safety, Trust, and the Future of Work

​​By: Amy Osteen - General Counsel of Alcatraz

When JPMorgan Chase opened its new Manhattan headquarters, the talk wasn’t just about the impressive architecture. What got people’s attention was how you get inside: biometrics, not badges or PINs. For most employees, you show up, and the system knows it is you.

Reactions, naturally, were all over the place. People wondered, “Is this going too far?” and “Can’t I choose not to use it?” It’s a fair question. Biometric security has picked up a lot of baggage from movies and headlines. But if you look closely, JPMorgan’s choice feels less “Big Brother” and more . . . responsible. It’s about keeping people and assets safe, meeting legal requirements, and bringing a bank's security practices into the present.

Disclosure: Alcatraz wasn’t the vendor for JPMorgan’s HQ, and I’m not here to speak for them or their tech provider. I am, though, the General Counsel for Alcatraz. I see firsthand how smart security can actually make workplaces more trustworthy, not less, when privacy is part of the blueprint.

We work daily with organizations that take security and employee protection seriously. It bugs me when privacy-focused biometrics get mixed up with “surveillance society” fears. As far as I can tell, JPMorgan is not secretly watching its employees. They are simply verifying identity, letting trusted folks in, and keeping others out. That difference—verification versus surveillance—is really where our conversation needs to start.

A Doorway Moment: Two Different Journeys

Picture this.

Person One is a managing director enrolled in the company’s biometric access system. She walks up to the entrance, and her face is scanned for a match. Her identity is confirmed, the door unlocks, and her entry is logged. She knows her access is tied to an encrypted string of 0s and 1s, not to her photo or personal identifiers. Her access can’t be borrowed, shared, or lost.

Now Person Two lingers behind, hoping to tailgate into the building. In a modern biometric system, the door won’t unlock again for someone it doesn’t recognize, but it may still remain open for a few seconds after Person One’s authentication, which allows tailgating to occur. When Person Two slips in, the system immediately detects that someone who isn’t enrolled has entered and triggers an alert. It doesn’t search databases or try to identify who Person Two is. It simply knows they’re not on the authorized list. A photo of the tailgating event is captured for security review, but no biometric data is collected or stored from that person. Nothing personal lingers afterward, only an alert that access wasn’t properly authenticated.

This isn’t biometric surveillance. It is real-time, respectful authentication. And for banks, and any organization handling sensitive assets or data, that matters.

What Are Facial Biometrics, Really?

Most people picture biometrics as some huge government database tracking faces. In modern authentication systems, like Alcatraz Rock, it’s a lot simpler. No photos, facial maps, or fingerprints are stored. Just mathematical templates. Encrypted strings of numbers calculated in a way that cannot be reversed into an image.

Imagine a lock that recognizes the pattern of a key, but doesn’t care what metal it’s made of or its color. Your “face” isn't kept anywhere, only a digital key that’s useful for one purpose, to unlock the code that unlocks the door. If you leave the firm, that encrypted math is deleted.

Even if someone managed to steal the key from Alcatraz, which is practically impossible thanks to local processing and 256-bit encryption, it wouldn’t give them any information about you. Nada. Nothing. Just something like this: 

0001001001110001110000110001000100010010000001100.

The Opt-Out Debate and a Practical Perspective

Still, it’s completely reasonable for employees to want control over their personal information, especially something as unique as biometric data. People ask if they can opt out, hoping to balance privacy with their day-to-day work life.

But the reality is that joining any organization comes with certain required systems and responsibilities—the foundation for trust between company and employee. Payroll, compliance, security, and access controls are just a few examples. Let’s take a closer look at why opting out of these core protections may not make sense in workplaces where security really matters.

Why Opt-Out Isn't Really an Option

You can’t opt out of payroll systems, background screening, or giving your Social Security number to Janet in HR before you start work. When you join a firm, security and HR systems are part of the deal.

Biometrics are just the newest part of that toolkit, helping companies protect people and resources better. You could opt out by working somewhere else, but once you’re in, using the core security tools just comes with the job description.

Strong and verifiable access control isn’t optional; it’s a must, especially for banks and workplaces with high risks.

The Irony: Biometrics Actually Protect Your Privacy

And here’s the twist—not only does biometric authentication block unauthorized entry, it’s also what’s standing between hackers and your personal information. The file cabinets and databases house data like your Social Security number, medical records, salary details, and even your children’s insurance paperwork. All of these live behind locked office doors, secure server rooms, and internal systems that must stay protected.

Biometric security isn’t just preventing a random intruder from wandering down the hallway. It’s keeping thieves out of the finance office, blocking access to HR files, and keeping attackers away from your payroll records and health benefits information. If someone can’t get through the physical doorway or access control system, they can’t get to your W2, your retirement account, or the company’s banking data.

It goes beyond physical security, too. With more companies seeing cyber breaches start as physical breaches—think of someone plugging into a server in a closet or stealing paper files from a desk—the strongest digital firewall in the world won’t matter if someone can walk into the room and log on.

So, when you scan your face to enter a secure area, you’re not just “proving you’re you.” You’re actively protecting all the private data your company holds about you and your colleagues. That’s the real irony: biometrics aren’t just about security; they’re one of the strongest ways to protect privacy in today’s connected workplaces.

Lawmakers, Technology Choices, and The Baby with the Bathwater

But we get it. We know Alcatraz inside and out, but when it comes to other vendors, we don’t always know their approach or what’s happening beneath the surface. That’s why we support lawmakers who work hard to build real protections for privacy and security. It’s an important job, and one that’s getting more complicated every year.

Sometimes, good intentions can go too far. For example, lawmakers can focus too much on preventing the worst tech and accidentally block innovations that could protect people even better than traditional tools. Finding the right balance in a fast-changing industry is hard, especially when every solution seems high-tech from the outside.

On one hand, regulators are cautious when hearing about all the loud concerns regarding biometric privacy—sometimes the debate is so filled with headlines and opinions that crucial details get overlooked. But when examining the actual laws, there’s a clear focus: laws in Europe (GDPR), California (CCPA), Illinois (BIPA), Texas (TRIAGA), and at the federal level (GLBA and others) are designed to ensure sensitive places and information are protected in concrete, measurable ways.

That means access needs to be confidential, accurate, and resilient. To translate that into everyday practice:

• Every door and entry has to be tied to real verified and pre-enrolled people.
• Credential sharing and tampering need to be stopped, not just discouraged.
• Companies must log every access event with clarity, not leave gray areas for guessing.

Badges, devices and PINs just can’t meet that standard anymore. They’re too easy to share, lose, or steal. When breaches or investigations happen, auditors and regulators aren’t interested in stories—they want concrete proof of who, when, and how.

This leads to a bigger truth. The real vulnerability for most organizations was never the technology in the code—it was the physical badge itself. Badges have had their moment, but now they’re becoming the weakest link. They get lost, borrowed, and used by people who shouldn’t be there. As a result, audit trails break down, and companies end up facing big compliance gaps, sometimes even lawsuits.

Biometrics, by comparison, tie every access event directly to a living, breathing individual. No more passing cards or devices, sharing codes, or sneaking through the back door. In industries involving privacy, money, and sensitive data, that type of certainty isn’t just a nice upgrade. It’s the new requirement.

Conclusion: Security That’s Accountable and Private

I don’t believe that JPMorgan’s biometric access policy was designed to spy. It is about ensuring that security is as strong, fair, and accountable as possible. Building security with privacy at its core is how the best companies earn employee trust.

As threats increase and old systems become outdated, the safest key to any building truly is each individual—when that key is safeguarded by the right technology, transparent design, and respect for privacy and people.

If you want to know how Alcatraz does that, email me at amy@alcatraz.ai. I’ll walk you through how we’ve built The Rock to keep people safe and private, because those two things should always go together.