I should make clear that "something you are" factors have a place in authentication and an even bigger place in identification, and over time my opinions on where to use it has gotten more nuanced than can fit well on social media.

@kyle yeah, it does indeed seems like an unwise move at its core. A “something you have” that is used exactly the same way everywhere is no better than just leaving everything as a default ‘Welcome123!’ as far as I’m concerned. Convenient and secure are rarely friends, but I do believe there are ways (and I’ve implemented a few) where inconvenience is minimized while security is maximized.

@kyle Passwords aren't being replaced by biometrics though. They're being replaced by cryptographic secrets unlocked locally by biometrics. Which, IMO, is much better than a password for the most common threats.

Is it potentially weaker if you're being targeted in person? Sure. But that's far from the biggest threat most people face day-to-day. (Password leaks from a breach would be one of them; most people's password hygiene is bad enough that that has a huge impact. Cryptographic auth helps.)

@jfred Thanks for elaborating on how it's used in this particular case. In person attacks do seem plausible when you are talking about auth for a local login service. But just like you mention, a *lot* depends on individuals and their particular threats. That's why all the nuance and particulars can't be distilled on social media down to "don't do this" or "always do this."

@jfred For instance, my initial knee-jerk response years ago was to be against biometric auth as a sole unlock factor for phones, but I realized that for many folks PIN or pattern unlock wasn't something they'd actually use. Without biometrics they would opt for no unlock auth at all.