You don’t even need to slice, just manhandle. It’s easy and mechanical, can be done in a few minutes in a dark alley. Whereas a code, any code, requires a degree of cooperation that the individual can choose never to grant.
(Obviously a lot of people will grant it, but a sufficiently motivated person - human-rights activist, political dissenter, journalist, etc etc - might not)
If we’re getting that deep into the hypotheticals, couldn’t said person just not set up biometric logins?
For the rest of us where physical coercion to unlock the phone isn’t in the threat model, it really does improve on the trade offs between security and convenience.
Feels disproportionate to say we should not do the latter because of the former.
Your threat model likely involves simple robbery; making you “look here” is quick and painless, and increases the loot value significantly. And yes, biometrics in general are not good. The best protection remains a pin or passcode.
Pickpocketers minimize any physical contact. Biometrics protect against them. PINs do not. Anecdotally I know about an iPhone that got unlocked after a theft at a party. It was protected by a PIN. The owner thinks that the pickpocketer learned the PIN by looking over his shoulder.
On the other side burglars can get into a house and force people to unlock their phones or reveal their passwords, if they care to. There is no protection against that unless those people value their secrets more than the harm the burglars will do to them.
We're not talking about the same adversaries here. If the police unlock people's phone by pointing it at their face it'll be done with impunity and in a widespread manner. Less so if they start cutting off fingers.
In the U.S. at least, passwords are protected under the 5th amendment but you can be ordered to unlock a phone with a fingerprint or a face since it's something you are and not something you know.
This is not the case, at least, the law is not very settled in that direction. There has been at least one famous case [0] where an appeals court found that a defendant could be help in contempt of court and imprisoned for refusing to provide his password.
State actors would have zero issues lifting a fingerprint off a phone, then making a prop for the sensor. Alternatively all they need is a minor tranquilizer and there you go, provided the human asset is available.
Sorry I was unclear, I meant "cutting fingers" as an example of torture meant to extract passwords, not in the sense that they'd use the finger to unlock the phone.
Face-ID and fingerprints share the same issues compared to a password.
People resist torture all of the time. The problem with torture is that there's often little reason to think that the torture would end if you give up the password, other than the word of the torturer.
(Obviously a lot of people will grant it, but a sufficiently motivated person - human-rights activist, political dissenter, journalist, etc etc - might not)