That's sophistry. The fact is, the laptop is 'secured' by biometrics, which can be spoofed. Having a key-to-the-key is not safe if the biometrics are not safe.
It is not sophistry, and sophistry is not a word I've ever seen used in a genuine conversation, so I immediately doubt your sincerity in this conversation.
If someone wants to fake biometrics on an iPhone, they have a very limited window of time to do so, and the user can lock out the biometrics in less than 3 seconds just by "squeezing" the phone. (power button + either volume key, 2 seconds later the biometrics are locked out.)
It's much harder to fake the biometrics in that very brief window of time (maximum 48 hours) than it is to shoulder surf a password.
Unless your threat model includes State Level Actors, biometric bypass is a very remote concern.
If your threat model includes State Level Actors, you're probably screwed either way, since they can easily afford to shoulder surf you.
For everyone else, the main concern is that someone not physically present will manage to acquire your password and log into your services. Passwords suck at this threat model. FIDO2 makes this scenario impossible without that remote person managing to execute a Secure Enclave 0day on your personal device... and even then, it's still way harder than acquiring your password. Not even the website you're authenticating against receives your FIDO2 key... websites always receive your password, which is awful for security.
Sure it was - sophistry is pretending an issue is simple by (deliberately) ignoring alternatives.
If biometrics are fallible, it matters zero how secure the digital system behind it is. That's obvious, and a comment belaboring the digital security is beside the point.
As for how hard to spoof, just google it. There are dozens of folks with techniques and hacks right now. It'll only get worse.
You are the one using sophistry, if anyone is using it. You are completely (and willfully!) ignoring how vulnerable passwords are in any threat model that invalidates a FIDO2 implementation of Face ID. No threat model invalidates the security of Face ID for the Web without similarly invalidating passwords. At least, you have chosen not to present such a threat model, which would help my (apparent) failure of imagination.
You cannot protect your passwords from someone who would physically take your iPhone before you can lock it and who would have a life-size reconstruction of your face ready and waiting. Such a person could shoulder surf your passwords with far less effort, or compromise one of the dozens of websites the average user re-uses their passwords on. At a certain point, the person in this threat model will just pull out a wrench and beat you with it until you help them get into your account. https://xkcd.com/538/
If you can show how some random person on the other side of the internet having your fingerprint helps them get into a website using your account... that would be an interesting discussion. As it is, they must have physical access to your device. Your biometrics are useless without physical access and rapid action, since the biometrics quickly become useless as the device falls into a state that requires the user's passcode.
You're completely ignoring everything I actually said in my comments, so I'm done here.
Corroborating your point: Safari on iPhone will autofill passwords with just a biometric, so if you have an unlocked iPhone and a clone of the user's biometric, you can access websites and potentially even change their passwords. If it's timed out or the user deliberately disabled the biometric, then you will need the passcode to be able to access anything.
That's you not understanding the security model, not sophistry. The application is granting access based on a public-key exchange, with the key stored in a hardware store from which it cannot be retrieved even in the event of a system-level compromise[1]. The remote application does not see the biometric data or even know that it was involved in the process.
It's also important to note that this does not mean anyone who grabs a laptop gets access to everything. The device still uses a password to unlock — you're forced to enter the password on boot before you can use biometrics later — and someone who stole an unlocked laptop could, for most users, have auto-fill supply the passwords _except_ on devices with biometrics which usually require that check every time (as iOS users have been reminded in this year of mask wearing).
So let's walk through some common threats:
1. Password re-use: a major source of compromises, blocked by this system
2. Phishing: a major source of compromises, completely blocked by this system
3. Compromised email: also popular, blocked by this system except for the services which allow email-based MFA resets, in which case it'd be the same as a password.
4. Local system compromise (user or root-level): passwords are vulnerable; biometrics present a barrier when the attacker can't just do something like reuse the credentials stored in your browser's cookie store. Biometric data and FIDO keys cannot be extracted.
5. Stolen device, locked: both are probably secure as long as you don't have your password taped on the keyboard
6. Stolen device, unlocked: passwords are vulnerable if you have a password manager which doesn't require e.g. FaceID checks (which is what Safari does on supported devices); FIDO MFA is not usable if Touch ID or Face ID is configured. Biometric data and FIDO keys cannot be extracted.
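
Editor's added example (not part of any comment above): a simplified model of the public-key exchange the last comment describes, showing that the website holds only a public key and that a login relayed through a look-alike origin or replayed against a new challenge fails verification. The origins `bank.example` and `bank-login.example`, the function names and the result strings are assumptions made for illustration.

```javascript
// Simplified model of a FIDO2/WebAuthn login (added illustration).
// Real WebAuthn adds CBOR/COSE encoding, flags and a signature counter.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Stand-in for the hardware key store: the private key never leaves this closure.
// Real authenticators also scope each key to one RP ID; a single key is used here
// to show that the server-side checks alone already stop a relayed login.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only credential material the website ever stores
    // Runs after the local biometric check; no biometric data is in the output.
    sign(rpId, clientDataJSON) {
      const authData = sha256(rpId);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { authData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// The browser, not the page, writes the origin into the signed client data.
function browserGetAssertion(authenticator, pageOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin,
  }));
  return { clientDataJSON, ...authenticator.sign(new URL(pageOrigin).hostname, clientDataJSON) };
}

// Relying party: holds a public key and a fresh challenge, nothing secret.
function verifyAssertion(rp, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.challenge !== rp.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== rp.origin) return 'bad-origin';
  if (!a.authData.equals(sha256(rp.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, rp.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const auth = makeAuthenticator();
  const rp = { origin: 'https://bank.example', rpId: 'bank.example',
    publicKey: auth.publicKey, challenge: crypto.randomBytes(32) };
  const legit = browserGetAssertion(auth, rp.origin, rp.challenge);
  // Look-alike page relays the real challenge; the browser still records its own origin.
  const phished = browserGetAssertion(auth, 'https://bank-login.example', rp.challenge);
  return { legit: verifyAssertion(rp, legit), phished: verifyAssertion(rp, phished),
    replayed: verifyAssertion({ ...rp, challenge: crypto.randomBytes(32) }, legit) };
}
```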