[wahern]

At least for Apple's system, biometrics aren't used server-side. Biometrics are used to authenticate to the local system (e.g. your laptop or phone) and authorize use of a local private ECC key for further authentication to other services. The T2 secure enclave mediates all of this. The private ECC key never leaves the T2 chip. Biometric data is never stored unencrypted outside the T2, although like a password may be susceptible to capture when input. (The fingerprint scanner might be hooked up directly to the T2 chip, though, in which case attackers would need to resort to more direct methods for capturing fingerprints.)

[paulryanrogers]

Is the Apple key unchangeable or a one time key? Because if the former then it's still a problem once know publicly.

[wahern]

Do you mean the private ECC key? I don't know the specific details of the system, such as if or when a specific device key used for iCloud enrollment can be rotated. (I have no specific familiarity with Apple's iCloud or device management code, I'm just familiar with publicly known details of the T2, and also familiar with the macOS/iPhone Keychain APIs for generating and using T2 keys.)

But in case it wasn't clear: it's not an API key, but a public/private ECC P-256 key pair used for ECDSA signing. Apple only knows the public key (it doesn't much matter if the whole world knows the public key), whereas the private key never leaves the T2 chip. If any secrets have been exfiltrated from the T2 enclave there are bigger problems at hand, and generating a new key pair would be useless before fixing those problems.