> Bio-metrics are just convenient because they are unique and hard\impossible to replicate.
But if your biometric is able to be faked, you can't change it like you can change a typical text based password. There's no "reset your password" equivalent for biometrics.
Let's ignore the part about biometrics being faked since this seems to be a point of contention.
Isn't it a fair argument that secret keys should be mutable by the user? In the future, some unforeseen event COULD occur which compromises or otherwise renders the particular biometric unusable. Now what?
But they are... Firstly, with how it works: even if you use the same finger to generate hundreds of keys, they should all be different because we are using noise\randomness within the algorithm itself. Different sensors will generate different outputs and therefore it is pointless to worry about the key used being stolen.
I think what you want is secret keys completely detached from the user. We have that as well with hardware tokens.
Once they have a way to fake your biometric though, they have it forever; that's the point. With a password you have a way to provide a key only known to you, and while it can be faked, it can also be reset. You can't reset your fingerprint without surgery.
I mean you don't have to give it away if you think Google is storing databases of fingerprints for the lizard masters to track you down.
FIDO simply wants to make authentication stronger, you can use hardware keys that have a key burnt into them which is unique and much harder to brute-force than passwords.
Again, according to how biometrics are described in whitepapers\industry, we extract features from the fingerprint\face, sometimes very little compared to the actual biometric, and use them to derive a key.
That key cannot be reversed to get the original features, and different algorithms use different features.
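The scheme this comment describes (fresh randomness per enrollment, stored data that does not directly reveal the features) is what the literature calls a fuzzy extractor. Below is an added toy example, not code from any commenter or product; it models a biometric as a constructed 12-bit feature vector, sensor noise as a few flipped bits, and uses the textbook code-offset construction with a 3-bit repetition code.

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor. Assumptions (constructed for illustration):
# a biometric reading is a list of 0/1 feature bits, and two readings of the
# same finger differ in at most one bit per REP-bit group.
REP = 3  # repetition code: corrects one flipped bit per group of REP bits


def _encode(bits):
    """Repetition-encode: each key bit becomes REP identical bits."""
    return [b for b in bits for _ in range(REP)]


def _decode(bits):
    """Majority vote inside each REP-bit group undoes up to one flip per group."""
    return [int(sum(bits[i:i + REP]) * 2 > REP) for i in range(0, len(bits), REP)]


def _derive(bits, salt):
    """Key = hash(salt || decoded random bits); salt makes each enrollment unique."""
    return hashlib.sha256(salt + bytes(bits)).hexdigest()


def enroll(features):
    """Return (helper_data, key). Only helper_data is stored; the key never is."""
    assert len(features) % REP == 0
    random_bits = [secrets.randbits(1) for _ in range(len(features) // REP)]
    codeword = _encode(random_bits)
    # The sketch is features XOR a random codeword. Note the caveat: with a
    # repetition code it still leaks XORs of feature bits within each group,
    # so helper data is not zero-leakage and must be protected as well.
    sketch = [f ^ c for f, c in zip(features, codeword)]
    salt = secrets.token_bytes(16)
    return (sketch, salt), _derive(random_bits, salt)


def reproduce(helper, noisy_features):
    """Recover the same key from a noisy reading using the stored helper data."""
    sketch, salt = helper
    noisy_codeword = [s ^ f for s, f in zip(sketch, noisy_features)]
    return _derive(_decode(noisy_codeword), salt)


def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given positions."""
    return [b ^ (1 if i in positions else 0) for i, b in enumerate(bits)]


FEATURES = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]  # constructed 12-bit reading
```

Enrolling the same reading twice yields two unrelated keys, a reading with one flip per group reproduces the enrolled key, and two flips inside one group exceed the code's capacity and yield a different key.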
> that key cannot be reversed to get the original features
"As a result, the early common belief among the biometrics community of templates irreversibility has been proven wrong. It is now an accepted fact that it is possible to reconstruct from an unprotected template a synthetic sample that matches the bona fide one."
-- Reversing the irreversible: A survey on inverse biometrics
"from an unprotected template" do you even read?
Stop trying to find some random internet page to justify yourself. Have you ever seen a biometric implementation? I have.
Well it depends on how you define replicate, I'm not aware of a technology that can perfectly recreate someone's face\fingerprint.
A photo\mask isn't perfect, and actually in some instances they fail to work against sensors because of that.
It is more of a question of how robust the authentication method is (can a photo\mask fool it? That can happen sometimes but usually requires a pretty high quality sample).