🤖 AI Summary
Existing privacy-preserving biometric authentication (PPBA) schemes predominantly assume semi-honest adversaries, rendering them vulnerable to malicious attacks.
Method: We propose the first efficient PPBA protocol secure against malicious adversaries, integrating lightweight secret sharing with two-party secure computation to construct an integrity-auditable authentication architecture. The design natively supports diverse similarity metrics—including span-based measures—without requiring modifications to server-side logic. We introduce a low-overhead maliciously secure integrity verification mechanism and optimize both communication and computational workflows.
Contribution/Results: We formally prove the protocol’s correctness and malicious security. Experiments demonstrate that, under LAN and WAN settings, our protocol reduces communication overhead by 97.61–110.13× and end-to-end authentication latency by 2.72–8.51× compared to state-of-the-art baselines, significantly enhancing robustness, flexibility, and practicality.
📝 Abstract
Privacy-preserving biometric authentication (PPBA) enables client authentication without revealing sensitive biometric data, addressing privacy and security concerns. Many studies have proposed efficient cryptographic solutions to this problem based on secure multi-party computation, typically assuming a semi-honest adversary model, where all parties follow the protocol but may try to learn additional information. However, this assumption often falls short in real-world scenarios, where adversaries may behave maliciously and actively deviate from the protocol. In this paper, we propose, implement, and evaluate $sysname$, a Flexible and Lightweight biometric Authentication scheme designed for a Malicious Environment. By hybridizing lightweight secret-sharing-family primitives within two-party computation, $sysname$ carefully designs a set of supporting protocols that incorporate integrity checks at reasonable extra overhead. Additionally, $sysname$ enables server-side authentication with various similarity metrics through a cross-metric-compatible design, enhancing flexibility and robustness without requiring any changes to the server-side process. A rigorous theoretical analysis validates the correctness, security, and efficiency of $sysname$. Extensive experiments highlight $sysname$'s superior efficiency, with a communication reduction of 97.61× to 110.13× and a speedup of 2.72× to 2.82× (resp. 6.58× to 8.51×) in a LAN (resp. WAN) environment, when compared to the state-of-the-art work.
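To make the abstract's two ingredients concrete, the following is an added example (it is not the paper's protocol or code): two parties hold additive secret shares of a client template and an enrolled template, compute a similarity score without either seeing the other's vector, and run an integrity check that detects a party tampering with its shares. The integrity mechanism assumed here is the standard SPDZ-style information-theoretic MAC (each shared value carries a share of `alpha * x` under a shared key `alpha`), with Beaver triples and authenticated shares produced by a trusted dealer; both parties are simulated in one process, and the prime field, key and feature vectors are constructed for the demonstration. The score can be computed either as an inner product or as a squared Euclidean distance, illustrating why a share-based design can switch similarity metrics without touching the decision logic.

```python
# Added illustration, not the paper's own protocol: two-party additive secret
# sharing with SPDZ-style MACs for a secret-shared similarity score, plus a
# MAC check that exposes a party that alters its shares. Field, MAC key,
# feature vectors and the trusted dealer are all constructed assumptions.
import secrets

P = 2**61 - 1                          # prime field modulus (constructed choice)
ALPHA = secrets.randbelow(P - 1) + 1   # global MAC key, known only to the dealer


def share(x):
    """Split x into two additive shares [s0, s1] with s0 + s1 == x (mod P)."""
    r = secrets.randbelow(P)
    return [r, (x - r) % P]


ALPHA_SH = share(ALPHA)                # party i holds only [alpha]_i


def auth_share(x):
    """Dealer output: party i holds ([x]_i, [alpha*x]_i)."""
    x %= P
    return list(zip(share(x), share(ALPHA * x % P)))


# Linear operations are local: each party combines its own value and MAC shares.
def add(x, y):
    return [((x[i][0] + y[i][0]) % P, (x[i][1] + y[i][1]) % P) for i in range(2)]


def sub(x, y):
    return [((x[i][0] - y[i][0]) % P, (x[i][1] - y[i][1]) % P) for i in range(2)]


def open_value(x, log):
    """Both parties reveal value shares; MAC shares are logged for the later audit."""
    v = (x[0][0] + x[1][0]) % P
    log.append((v, x[0][1], x[1][1]))
    return v


def triple():
    """Beaver triple ([a], [b], [a*b]) from the trusted dealer."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return auth_share(a), auth_share(b), auth_share(a * b % P)


def mul(x, y, log):
    """Beaver multiplication: open d = x - a and e = y - b, then recombine locally.
    Value: c + d*b + e*a + d*e == x*y.  MAC: same combination with [alpha]_i."""
    a, b, c = triple()
    d = open_value(sub(x, a), log)
    e = open_value(sub(y, b), log)
    out = []
    for i in range(2):
        v = (c[i][0] + d * b[i][0] + e * a[i][0] + (d * e if i == 0 else 0)) % P
        m = (c[i][1] + d * b[i][1] + e * a[i][1] + d * e * ALPHA_SH[i]) % P
        out.append((v, m))
    return out


def inner_product(us, vs, log):
    acc = auth_share(0)
    for u, v in zip(us, vs):
        acc = add(acc, mul(u, v, log))
    return acc


def sq_euclid(us, vs, log):
    acc = auth_share(0)
    for u, v in zip(us, vs):
        w = sub(u, v)
        acc = add(acc, mul(w, w, log))
    return acc


def mac_check(log):
    """Batched MAC audit over every opened value: each party forms
    sigma_i = mac_i - [alpha]_i * v, weighted by a random r chosen after the
    openings (a real protocol derives r jointly and commits before revealing).
    An honest run sums to 0; an additive error delta leaves -alpha*r*delta."""
    total = 0
    for v, m0, m1 in log:
        r = secrets.randbelow(P - 1) + 1
        s0 = (m0 - ALPHA_SH[0] * v) % P
        s1 = (m1 - ALPHA_SH[1] * v) % P
        total = (total + r * (s0 + s1)) % P
    return total == 0


def run(u, v, metric="sqdist", tamper=0):
    """Compute the score on shares of u and v. `tamper` adds a constant to party 1's
    value share of the result, simulating a malicious party; returns (score, ok)."""
    log = []
    us = [auth_share(x) for x in u]
    vs = [auth_share(x) for x in v]
    res = sq_euclid(us, vs, log) if metric == "sqdist" else inner_product(us, vs, log)
    if tamper:
        res[1] = ((res[1][0] + tamper) % P, res[1][1])
    score = open_value(res, log)
    return score, mac_check(log)


if __name__ == "__main__":
    probe, enrolled = [3, 1, 4, 1, 5], [2, 7, 1, 8, 2]   # constructed feature vectors
    print(run(probe, enrolled, "sqdist"))                 # (104, True)
    print(run(probe, enrolled, "ip"))                     # (35, True)
    print(run(probe, enrolled, "sqdist", tamper=5))       # (109, False)
```

The decision step (compare the opened score against a threshold) is the only place the metric matters to the verifier, and it operates on the opened value alone; the share-level code is identical for both metrics. Without the MAC audit, the tampered run would silently yield 109 and an attacker could push a score across the acceptance threshold; with it, any additive change to an opened value is caught except with probability about 1/P.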