Biometrics aren't secrets. It seems like "a good quality infrared image of the target's face" is hard to get right now only because the tech isn't ubiquitous yet. Wait until every website the user logs into has a copy. https://arstechnica.com/information-technology/2021/07/hackers-got-past-windows-hello-by-tricking-a-webcam/
It's strange that we are solving the problem that people use the same passwords everywhere by replacing passwords with unrevocable biometrics that *have* to be the same everywhere to work.
@kyle Passwords aren't being replaced by biometrics though. They're being replaced by cryptographic secrets unlocked locally by biometrics. Which, IMO, is much better than a password for the most common threats.
Is it potentially weaker if you're being targeted in person? Sure. But that's far from the biggest threat most people face day-to-day. (Password leaks from a breach would be one of them; most people's password hygiene is bad enough that that has a huge impact. Cryptographic auth helps.)
@jfred For instance, my initial knee-jerk response years ago was to be against biometric auth as a sole unlock factor for phones, but I realized that for many folks PIN or pattern unlock wasn't something they'd actually use. Without biometrics they would opt for no unlock auth at all.