It seems to be an interesting project, although almost no information is provided.
Is there a requirements list ready? How about a basic design?
Sometimes having a not-so-developed project can be a blessing, because you can include the security dimension from the first project stages. And this is CRUCIAL when you are trying to work with biometric data. In fact, I personally prefer not to use that type of information if the system does not have a top-level security implementation. Why?
Tokens and NONCES are easy to use and discard, the same as traditional passwords. You can use, change, and trash them and nobody will suffer because of that. However, depending on how you acquire and store the biometric data, a bad design could damage the lives of your customers forever, because they can’t replace their fingerprints, faces, etc., and if somebody else can synthesize the biometric matrix, then they will replace those people’s identity forever in any other system.
The other possible problem is what is sensitive information, where it is located, how it is translated, and whether any derivation of it is located in any type of temporary location. You can’t leak data in this type of system. Did you make any type of risk analysis?
A final comment is about Java itself and how the platform handles the mutability of data. This is my main reason for not working on security systems with Java, because the data traveling through the platform is not well protected and there is no clear method to create mutable data storage (which is needed to overwrite passwords and/or biometric data in the acquire phase). Why must this be done with Java? On what hardware platform will it be executed? … Why?
Have a nice day :-)
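As an added illustration of the mutability concern raised in the post above (this is example code, not from the poster or the project): a secret captured into a Java String cannot be overwritten and stays in the heap until garbage collection, whereas a char[] can be zeroed as soon as the derived template has been produced. The XOR "derivation" step and the sample reading are constructed placeholders standing in for a real template algorithm.

```java
import java.util.Arrays;

// Added example: contrasts an immutable String copy of a biometric capture
// with a mutable char[] that is wiped once the template is derived.
public class SecretBuffers {

    // Immutable path: the characters now live in a String that cannot be
    // overwritten; they remain readable in the heap until the GC reclaims them.
    static String acquireAsString(char[] captured) {
        return new String(captured);
    }

    // Mutable path: derive the template, then overwrite the raw capture in a
    // finally block so it is wiped even if derivation throws.
    static byte[] deriveTemplate(char[] captured) {
        byte[] template = new byte[captured.length];
        try {
            for (int i = 0; i < captured.length; i++) {
                template[i] = (byte) (captured[i] ^ 0x5A); // hypothetical derivation step
            }
            return template;
        } finally {
            Arrays.fill(captured, '\0'); // raw reading no longer recoverable from this buffer
        }
    }

    // Returns true when every element of the buffer has been zeroed.
    static boolean isWiped(char[] buffer) {
        for (char c : buffer) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        char[] rawCapture = "sample-biometric-reading".toCharArray(); // constructed sample input
        String retained = acquireAsString(rawCapture.clone());
        byte[] template = deriveTemplate(rawCapture);

        System.out.println("template length:        " + template.length);
        System.out.println("char[] wiped:           " + isWiped(rawCapture));
        // The String copy still holds the full reading and offers no way to clear it.
        System.out.println("String still holds data: " + !retained.isEmpty());
    }
}
```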