
The truth is though that everyone is using biometrics to log into their device which controls everything from emails, to password managers and 2FA codes. Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?

It's a good point which you raise, but ultimately biometrics will be the best way to authenticate someone. It might have to evolve and get smarter and better, but one day if someone is able to reproduce all the unique attributes of who you are, then nothing will probably hold them back from resetting your password manager, email and whatnot either. They will socially engineer whatever they need, and even when a human verifies that you are you, they will probably be able to provide enough believable evidence, at which point it doesn't matter anymore whether they hacked a biometric login or socially engineered your password manager.




> The truth is though that everyone is using biometrics to log into their device which controls everything from emails, to password managers and 2FA codes. Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?

No, because the device is only using that to protect local storage, and anything which leaves the device is using strong keys which can be rotated. If they don't have the device, the fingerprint doesn't matter. If they do have the device (and are within the timeout period, etc.), it's like any other credential compromise: you get a replacement, rotate passwords, etc., but the replay value is sharply capped because at no point is a network service depending on the component which can't be changed.

(If you have an attacker who gets a scan of your fingerprint/face and keeps stealing phones you need a restraining order; that's reasonably outside of the threat model for consumer devices)

This is also important since there's a subset of users who won't be able to use biometrics for some reason and the decoupled approach avoids making it impossible for them to use.
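The decoupling described in the comment above (the biometric only gates a local keystore; the relying party sees nothing but a rotatable key) as an added Python sketch. This is not code from the thread or from any vendor: `SecureElement`, `Server`, the HMAC challenge-response and the exact-hash "matcher" are all assumptions made for the illustration, and the fingerprint bytes are constructed sample data.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Toy stand-in for a phone's keystore (assumption for this example).
    The biometric template never leaves it and is only used to gate release
    of a rotatable device key. Exact-hash matching replaces the fuzzy matcher
    a real sensor uses, and a real keystore would sign inside the hardware
    rather than hand the key to application code."""

    def __init__(self, template: bytes) -> None:
        self._template_hash = hashlib.sha256(template).digest()
        self._device_key = secrets.token_bytes(32)

    def _matches(self, sample: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(sample).digest(), self._template_hash)

    def unlock(self, sample: bytes) -> bytes:
        """Release the current device key after a local biometric match."""
        if not self._matches(sample):
            raise PermissionError("biometric mismatch")
        return self._device_key

    def rotate(self, sample: bytes) -> bytes:
        """Replace the device key; the biometric template is untouched."""
        if not self._matches(sample):
            raise PermissionError("biometric mismatch")
        self._device_key = secrets.token_bytes(32)
        return self._device_key


class Server:
    """Relying party: stores only the rotatable device key, never the biometric."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, account: str, device_key: bytes) -> None:
        self._keys[account] = device_key

    def challenge(self, account: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[account] = nonce
        return nonce

    def verify(self, account: str, response: bytes) -> bool:
        nonce = self._pending.pop(account, None)  # single use, so replays fail
        if nonce is None:
            return False
        expected = hmac.new(self._keys[account], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(device_key: bytes, nonce: bytes) -> bytes:
    """Device side of the challenge-response: MAC the nonce with the device key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def login(server: Server, account: str, device_key: bytes) -> bytes:
    """Run one challenge-response round and return the response (kept for replay test)."""
    nonce = server.challenge(account)
    return respond(device_key, nonce)


def run_scenario() -> dict:
    finger = b"constructed fingerprint template"  # constructed sample data
    se = SecureElement(finger)
    server = Server()
    account = "alice"
    server.enroll(account, se.unlock(finger))
    out = {}

    # Normal login: the biometric releases the key locally, the key answers the nonce.
    resp = login(server, account, se.unlock(finger))
    out["user_login"] = server.verify(account, resp)

    # Replaying a captured response fails: the nonce was already consumed.
    out["replay"] = server.verify(account, resp)

    # A wrong finger is rejected on the device; nothing ever reaches the network.
    try:
        se.unlock(b"someone else's finger")
        out["wrong_finger"] = True
    except PermissionError:
        out["wrong_finger"] = False

    # An attacker who spoofs the sensor while holding the phone gets the key...
    stolen = se.unlock(finger)
    out["stolen_key_before_rotation"] = server.verify(account, login(server, account, stolen))

    # ...so the user rotates the key (same finger, new key) and re-enrolls it.
    new_key = se.rotate(finger)
    server.enroll(account, new_key)
    out["stolen_key_after_rotation"] = server.verify(account, login(server, account, stolen))
    out["user_after_rotation"] = server.verify(account, login(server, account, se.unlock(finger)))
    out["same_finger_still_works"] = se.unlock(finger) == new_key
    return out
```

The point the sketch makes concrete: the server's secret is the device key, so a compromised fingerprint plus a stolen phone is handled by rotating that key and re-enrolling, while the unchangeable template never leaves the device and is never what the server checks.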


> Does it mean if your fingerprint gets compromised

Technically, your fingerprint is probably already compromised, just nobody's bothered to put the pieces together yet because you're not a high-enough value target.

Check out some of the CCC conference videos on youtube, where they show how easy it is to reproduce someone's fingerprints to fool most biometrics.

However, once it becomes possible to do this at a low enough price point, that's when it realistically becomes a problem for the majority.


> The truth is though that everyone is using biometrics to log into their device

Not to be pedantic, but not _everyone_ uses biometrics to log into their device, either due to lack of hardware or due to lack of trust in said hardware.


>Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?

No, it just means that it shouldn't be treated as a password in a username+password setup. It's still perfectly usable for a MFA setup.

>if someone is able to reproduce all your unique attributes of who you are then nothing will probably hold them back to reset your password manager, email and what not either

This is exactly why everyone really ought to be using MFA - biometrics are a good identifier and are strongest in conjunction with a knowledge- or physical-item-based authentication. These too can be defeated, but having to nick a physical object, trick the user into revealing a password or similar knowledge-based key, and reproduce a fingerprint/facial/retinal/whatever scan is much more time-consuming.


> It might have to evolve and get smarter and better, […]

We would indeed, literally, have to evolve in order to supply repudiable biometrics. Regrowable fingers perhaps?



