For most people living in a western democracy, this is a pretty minor consideration to their threat model.
Most people default to what is easiest. Before TouchID, most iPhone users did not lock their phones with a password. Making biometrics readily available and default means more people are walking around with more secure devices than would be if we only encouraged people to use the absolute most secure options available.
The actual exchange with the server is using public key cryptography. How you unlock the key material locally could be done in a number of ways: PIN, password, fingerprint scan, voice recognition, etc.
I think the main problem, and why I'm never buying into FIDO keys anymore, is that mine point blank stopped working and I had to sweat to get back into the websites that supported it (hopefully back then not many). But if identity is the responsibility of a closed piece of hardware, if it breaks you're out.
The litigation on that matter is ongoing. What you said is not true right now. If you try to fight an order for your password, you'll wind up in court and probably lose, and then have to choose whether to act in contempt.
> Passcodes can therefore be compelled if their existence, possession and authentication are "foregone conclusions," the court said in the August 2020 ruling, determining the 5th Amendment's foregone conclusion exception applied in the case.
You can be compelled by the court to divulge passwords. It's one of those areas of interpretation of law and there's precedent against it as can be searched for.
For Apple devices the keys are stored in a secure element. You need your password to access them when booting, or after certain timeouts. Until then you can't use Face ID/Touch ID.
Yes, I get that, but I think OIDC could be extended to cover that too, where the Authenticator or IdP is the local face scanner or other biometric and then the rest, i.e. the exchange of tokens etc., stays the same. That way there won't be two completely separate paths, which would defeat the purpose of SSO. And it looks like there are already some implementations of this: https://www.bioid.com/facial-recognition-app/