It is not sophistry, and sophistry is not a word I've ever seen used in a genuine conversation, so I immediately doubt your sincerity in this conversation.
If someone wants to fake biometrics on an iPhone, they have a very limited window of time to do so, and the user can lock out the biometrics in less than 3 seconds just by "squeezing" the phone. (power button + either volume key, 2 seconds later the biometrics are locked out.)
It's much harder to fake the biometrics in that very brief window of time (maximum 48 hours) than it is to shoulder surf a password.
Unless your threat model includes State Level Actors, biometric bypass is a very remote concern.
If your threat model includes State Level Actors, you're probably screwed either way, since they can easily afford to shoulder surf you.
For everyone else, the main concern is that someone not physically present will manage to acquire your password and log into your services. Passwords suck at this threat model. FIDO2 makes this scenario impossible without that remote person managing to execute a Secure Enclave 0day on your personal device... and even then, it's still way harder than acquiring your password. Not even the website you're authenticating against receives your FIDO2 key... websites always receive your password, which is awful for security.
Sure it was - sophistry is pretending an issue is simple by (deliberately) ignoring alternatives.
If biometrics are fallible, it matters zero how secure the digital system behind it is. That's obvious, and a comment belaboring the digital security is beside the point.
As for how hard to spoof, just google it. There are dozens of folks with techniques and hacks right now. It'll only get worse.
You are the one using sophistry, if anyone is using it. You are completely (and willfully!) ignoring how vulnerable passwords are in any threat model that invalidates a FIDO2 implementation of Face ID. No threat model invalidates the security of Face ID for the Web without similarly invalidating passwords. At least, you have chosen not to present such a threat model, which would help my (apparent) failure of imagination.
You cannot protect your passwords from someone who would physically take your iPhone before you can lock it and who would have a life-size reconstruction of your face ready and waiting. Such a person could shoulder surf your passwords with far less effort, or compromise one of the dozens of websites the average user re-uses their passwords on. At a certain point, the person in this threat model will just pull out a wrench and beat you with it until you help them get into your account. https://xkcd.com/538/
If you can show how some random person on the other side of the internet having your fingerprint helps them get into a website using your account... that would be interesting discussion. As it is, they must have physical access to your device. Your biometrics are useless without physical access and rapid action, since the biometrics quickly become useless as the device falls into a state that requires the user's passcode.
You're completely ignoring everything I actually said in my comments, so I'm done here.
Corroborating your point: Safari on iPhone will autofill passwords with just a biometric, so if you have an unlocked iPhone and a clone of the user's biometric, you can access websites and potentially even change their passwords. If it's timed out or the user deliberately disabled the biometric, then you will need the passcode to be able to access anything.
Some related info here: https://news.ycombinator.com/item?id=24830642