How does Apple FaceID authentication work?

I gave my son my passwords to Fidelity Investments and my Spectrum Internet account. On his phone, he logged into both apps with my passwords and only needed his face (using FaceID) to access those two accounts. However, one day I wanted to take away his access and changed passwords to both of those accounts, yet he continues to have access to my accounts on his phone using just FaceID.

I thought FaceID ==> gives the phone owner access to the passwords saved on the phone. Now it looks like the phone owner's face gives direct access to once-authenticated apps on the phone. Is that how FaceID works? And there's no way for me to revoke his access to my accounts?


Solution 1:

Apple provides Face ID authentication to apps, but they choose how to use it. When the app uses Face ID (or Touch ID), it requests the system to authenticate the user. The system shows the Face ID prompt and comes back to the app with the result. This is the end of the Face ID process.

At this point, the app can do what it wants. In the situation you've described, the app is saving the login information and using that information after the system indicates Face ID was successful.

Most apps have a function to sign out existing users. This might only be presented when changing a password or on the security page at any time. This would log out the application, regardless of the Face ID status.

If this function isn't readily available, you must contact the company that produces the app and ask them how to log out everybody using your account.
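
A minimal model of the behaviour described in this answer, added here as an illustration and not code from Apple or from either app. It assumes the "login information" the app saves is a server-issued session token; `Server`, `PhoneApp` and `demo` are hypothetical names, and the account and passwords are constructed sample values.

```python
import hashlib, hmac, os, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    """Hypothetical account backend (assumption, not any real service)."""
    def __init__(self):
        self.creds = {}      # user -> (salt, password hash)
        self.sessions = {}   # session token -> user

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, _kdf(password, salt))

    def login(self, user, password):
        salt, stored = self.creds[user]
        if not hmac.compare_digest(stored, _kdf(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def api_call(self, token):
        return token in self.sessions   # the password is never re-checked here

    def change_password(self, user, new_password, revoke_sessions):
        self.set_password(user, new_password)
        if revoke_sessions:             # the "sign out everywhere" function
            self.sessions = {t: u for t, u in self.sessions.items() if u != user}

class PhoneApp:
    def __init__(self, server):
        self.server = server
        self.stored_token = None        # stands in for an item saved on the device

    def first_login(self, user, password):
        self.stored_token = self.server.login(user, password)

    def open_with_face_id(self, face_matches):
        # Face ID yields only a local yes/no; the server never sees the face.
        if not face_matches or self.stored_token is None:
            return False
        return self.server.api_call(self.stored_token)

def demo(revoke_sessions):
    """True if the phone still has access after the password is changed."""
    server = Server()
    server.set_password("parent", "old-password")      # constructed sample values
    phone = PhoneApp(server)
    phone.first_login("parent", "old-password")
    server.change_password("parent", "new-password", revoke_sessions)
    return phone.open_with_face_id(face_matches=True)
```

In this model, access on the phone ends only when the server drops the existing sessions, which is what a "sign out all devices" function does.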