The browsers are created to provide some security. That's why the server part is well isolated from the client part and has not access to the client's system. Technically, this is also simple, because Web protocols (HTTP, FTP) only support exchange of data, and actual "action" (such as rendering of page, the request to the user to save content in a file and a lot more) is performed be client code on client side and server-side code on the server side.
If a Web application could execute anything on the client side, who would reasonably trust it? However, such things are possible with IE, but don't consider this information as recommendation: you can do it using ActiveX objects hosted by a browser. Of course, it won't work on all platforms and browsers. This is considered as a security vulnerability and should never be used in almost all cases. If a security-savvy user learns that you use such a dirty trick, such person may decide to blacklist your side, for a good reason.
However, ActiveX approach is used in some special situation. For example, this is the way some PC vendors selling PC's with preinstalled software provides service. Also, some corporate environment use ActiveX inside corporate network only, but to me, even this means using unacceptable and unnecessary unsafe practice, telling me that it was organized in an illiterate way.
[EDIT]
Please see the comments below. Overall, plug-in seems to be a better idea to me: a user can trust your site only (would be good to develop some schema to prevent phishing, which is a separate topic, and enable/disable a plug-in, depending on situation. There is no one universal way of solving this problem: you should learn plug-in techniques for each and every browser you can or want to support.
The root cause and the background for all of the above is this: of course, the face recognition looks like an attractive feature. The problem is: it cannot be universally and safely used until some provision in W3 standards are done. The standards allow to use password authentication to be smoothly added to the site functionality, in part because keyboard input to the browser is its standard feature. Unless camera or, say, voice of fingerprint input become supported by W3 standards, the security based on such input will remain a really questionable business, paradoxically, questionable from security point of view.
Actually, this work is already in progress. Please see the W3C Candidate Recommendation of May 9 2013:
http://www.w3.org/TR/html-media-capture/[
^].
Only when this standard is adopted and the support of it implemented by major browsers, the authentication based on face recognition could be made safely in a 100% legitimate way.
—SA