Biometric authentication systems based on secret key generation work as follows. In the enrollment stage, an individual provides a biometric signal that is mapped into a secret key and a helper message; the former is prepared to become available to the system at a later time, and the latter is stored in a public database. When an authorized user signs in with some identity, he/she has to provide a biometric signal again; the system then retrieves the helper message of the claimed subscriber and estimates the secret key, which is compared to the secret key of that user. In case of a match, the authentication request is approved; otherwise, it is rejected. There is an inherent tension between two conflicting properties of the helper message encoder: on the one hand, the encoding should be informative enough concerning the identity of the real subscriber, in order to approve him/her in the authentication stage; on the other hand, it should not be too informative, as otherwise unauthorized imposters could easily fool the system. A good encoder should then trade off two kinds of errors: the false reject (FR) error and the false accept (FA) error. We investigate trade-offs between the random coding FR error exponent and the best achievable FA error exponent. We compare two types of ensembles of codes, fixed-rate codes and variable-rate codes, and we show that the latter class provides considerable improvement compared to the former. In doing this, we characterize ensemble-optimal rate functions for both types of codes. We also examine the effect of privacy leakage constraints for both fixed-rate codes and variable-rate codes.
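The enrollment and authentication flow described above, as an added example that is not from the paper: it uses a simple repetition-code offset as a stand-in for the paper's random-coding ensembles. `REP`, the function names, the SHA-256 digest stored in place of the key, and the sample bit strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

REP = 5  # assumed repetition factor: one secret key bit per REP biometric bits

def _majority(block):
    return int(sum(block) > len(block) // 2)

def _digest(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def enroll(signal):
    """Map an enrollment signal to (public helper message, digest of the secret key)."""
    key, helper = [], []
    for i in range(0, len(signal) - len(signal) % REP, REP):
        block = signal[i:i + REP]
        bit = _majority(block)                  # secret key bit for this block
        key.append(bit)
        helper.extend(b ^ bit for b in block)   # offset to the nearest codeword
    return helper, _digest(key)

def authenticate(signal, helper, key_digest):
    """Estimate the key from a fresh signal and the helper, then compare."""
    estimate = []
    for i in range(0, len(helper), REP):
        noisy = [s ^ h for s, h in zip(signal[i:i + REP], helper[i:i + REP])]
        estimate.append(_majority(noisy))       # majority vote corrects <= 2 flips
    return hmac.compare_digest(_digest(estimate), key_digest)

def demo():
    rng = random.Random(2024)                   # constructed bits, not real biometrics
    enrolled = [rng.randint(0, 1) for _ in range(320)]
    helper, digest = enroll(enrolled)
    mild = list(enrolled)
    for i in range(0, 320, REP):                # one flipped bit in every block
        mild[i] ^= 1
    heavy = list(enrolled)
    for i in range(3):                          # three flipped bits in one block
        heavy[i] ^= 1
    impostor = [rng.randint(0, 1) for _ in range(320)]
    return {
        "genuine_mild_noise": authenticate(mild, helper, digest),
        "genuine_heavy_noise": authenticate(heavy, helper, digest),
        "impostor": authenticate(impostor, helper, digest),
    }

if __name__ == "__main__":
    print(demo())
```

In this toy construction, raising `REP` tolerates more noise per block (fewer false rejects) but shortens the key to `len(signal) // REP` bits, which makes a blind guess more likely to succeed (more false accepts).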