Biometrics aren't secrets. It seems like "a good quality infrared image of the target's face" is hard to get right now only because the tech isn't ubiquitous yet. Wait until every website the user logs into has a copy. https://arstechnica.com/information-technology/2021/07/hackers-got-past-windows-hello-by-tricking-a-webcam/
It's strange that we are solving the problem that people use the same passwords everywhere, by replacing passwords with unrevokable biometrics, that *have* to be the same everywhere to work.
I should make clear that "something you are" factors have a place in authentication and an even bigger place in identification, and over time my opinions on where to use it have gotten more nuanced than can fit well on social media.
@kyle yeah, it does indeed seem like an unwise move at its core. A “something you have” that is used exactly the same way everywhere is no better than just leaving everything as a default ‘Welcome123!’ as far as I’m concerned. Convenient and secure are rarely friends, but I do believe there are ways (and I’ve implemented a few) where inconvenience is minimized while security is maximized.
@kyle Passwords aren't being replaced by biometrics though. They're being replaced by cryptographic secrets unlocked locally by biometrics. Which, IMO, is much better than a password for the most common threats.
Is it potentially weaker if you're being targeted in person? Sure. But that's far from the biggest threat most people face day-to-day. (Password leaks from a breach would be one of them; most people's password hygiene is bad enough that that has a huge impact. Cryptographic auth helps.)
@jfred Thanks for elaborating on how it's used in this particular case. In-person attacks do seem plausible when you are talking about auth for a local login service. But just like you mention, a *lot* depends on individuals and their particular threats. That's why all the nuance and particulars can't be distilled on social media down to "don't do this" or "always do this."
@jfred For instance, my initial knee-jerk response years ago was to be against biometric auth as a sole unlock factor for phones, but I realized that for many folks PIN or pattern unlock wasn't something they'd actually use. Without biometrics they would opt for no unlock auth at all.
@kyle That’s the thing though. The website is not supposed to have a copy. The biometric data is supposed to never leave your device.
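The mechanism jfred and the last reply describe, a local biometric match that unlocks a per-site private key while only a public key and a signature ever reach the site, as an added Go example that is not from the thread. The template bytes, site names and nonce are constructed placeholders, and a constant-time byte comparison stands in for a real biometric matcher:

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Device holds the locally enrolled template (a constructed stand-in here) and one private key per site; neither leaves the device.
type Device struct {
	template []byte
	keys     map[string]*ecdsa.PrivateKey
}
func NewDevice(template []byte) *Device {
	return &Device{template: template, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for one site and hands out only the public half.
func (d *Device) Register(site string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	d.keys[site] = k
	return &k.PublicKey, nil
}

// Authenticate matches the sample locally and only then signs the server's challenge; the sample is never transmitted.
func (d *Device) Authenticate(site string, sample, challenge []byte) ([]byte, error) {
	k, ok := d.keys[site]
	if !ok || subtle.ConstantTimeCompare(sample, d.template) != 1 {
		return nil, fmt.Errorf("no key for %s or biometric mismatch: nothing is signed", site)
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

// Verify is all a site can do with what it stores: check a signature against the public key.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
func main() {
	dev := NewDevice([]byte("constructed-template-0001"))
	pub, _ := dev.Register("example.test")
	sig, err := dev.Authenticate("example.test", []byte("constructed-template-0001"), []byte("nonce"))
	fmt.Println(err == nil && Verify(pub, []byte("nonce"), sig)) // true
}
```

A breach of the site's database yields only public keys, and the same template unlocks a different key for every site, so nothing reusable leaves the device.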