
At least it was the fingerprint scanner and not your finger that needs replacing. Biometrics as an EXTRA layer of security, on SHARED devices, makes sense. As a convenient replacement for passwords, on a personal device, net negative.


This is completely out of touch with the reality of the average user. The main causes of account theft continue to be phishing and data breaches which are easily exploited because most people reuse their passwords and will never stop doing so to use a password manager. Biometric passkeys are probably the only viable way to improve the situation.


I'm sure biometrics can be imitated quite easily with stolen data.


Really? What about phone theft? If someone sticks you up and knows all it takes is your finger to unlock the phone, I would think they would be more tempted to do so, as it takes more or less the same level of coercion as taking the phone. And it's easier than fumbling around with a password... therein is the double-edged sword...


Why couldn’t they force you to reveal your password?


Demanding a password introduces more error and more room for evasion than a finger, which as I said is about the same as getting the phone in the first place. You are right that in some, maybe even most cases, it may not make a difference. But when time is of the essence, additional obstacles are often simply avoided.

You also might ask who is sticking you up. For example, I believe there is Fourth Amendment literature re government officials that have gotten away with using an arrested person's biometrics to unlock a phone, in a manner in which compelling the release of a password would be illegal. Put another way, I can simply grab your finger or put your phone in front of your face, whereas beating you until you surrender your password is a lot harder to accomplish without creating additional consequences.


Still depends on your threat model. Not everyone lives in a place where stick-ups and random arrests are so commonplace that you want to inconvenience yourself 99.999% of the happy flow.


Indeed, good point. Proper threat modeling is everything.

This also explains my original reply to the ancestor comment. As I see it, most people's personal threat model essentially already accounts for data breaches to the point that they are almost irrelevant. We hear about them all the time. More and more people are learning about credit freezes or 2FA or just getting these services baked into things they already use (more banks offer free credit monitoring, 2FA is increasingly a standard). It seems like we are in a place where data breaches just become essentially background noise to the average user.

In my view then, I would personally factor in physical theft as a higher threat than "phishing and data breaches". Even if low probability to begin with.

There is also the objective question of which occurs more or incurs more damages to individuals, the answer to which I do not know. I know companies often spend a lot of money to fix problems or deal with lawsuits, but individuals don't really get compensated by that the way they would if someone who ripped your phone away from you was tackled to the ground and your property got returned. For example.

As you say though, the threat model is everything.


Please explain how my life has been made worse in any concrete way since the introduction of FaceID.


You've been trained to think it's a viable alternative to passwords. It seems you even think it's "better". Little children can figure out how to bypass it on their own, and they don't even need to be especially clever. Hopefully you never have to learn first-hand the other ways it can make an already bad situation even worse.


So far, my thumb has been worse off now that I'm back to the pattern swipe unlock.



