If the token is signed, you could validate it with Apple (or the vendor that implemented the face recognition on the device, e.g. Samsung, Nokia, PinePhone, etc.).
You just need an open standard; you could even embed the URL of the validating API in the token, so anyone could create their own Face ID provider.