by goalieca 2307 days ago
Biometric data should be considered identity and not authentication data. They can never be revoked or rotated, for one. And who knows how many people have it on file. Not every auth server gets their own "key".
1 comment

Makes sense. The principle of 2FA is to combine 'something you know' (a password) with 'something you own' (your phone). I guess the biometric lock is 'something you are' on top of that.