by pmontra 1366 days ago
My country has my fingerprints because I have an id document like everybody else.

A number of states around the world have my fingerprints too because I entered those countries as a tourist and I had to put at least one finger on a reader.

Maybe some countries, including mine, also have my retina scan; I had to look into some cameras sometimes.

All that biometric information could be leaked, sold by corrupt civil servants or exchanged with other countries, so random passwords generated by a password manager protect me more than biometric information. Am I wrong?

Of course some site could store my cleartext password before hashing it and share it with whoever they want, but I use a different password per site.


> All that biometric information could be leaked, sold by corrupt civil servants or exchanged with other countries, so random passwords generated by a password manager protect me more than biometric information. Am I wrong?

I know of zero biometric implementations where your biometric data is uploaded to the server for verification. All the biometric implementations I've seen (Windows Hello, iCloud passkeys) perform the biometric check on the device and send cryptograms to the server, which would be as secure as random passwords.

The point is that the raw unencrypted "secret" - your actual fingerprint or retina print - is directly collected for various purposes by various agencies, which can easily leak it.

However, even worse than that, your fingerprint in particular is something you leave literally everywhere you go. There was even a demonstration of someone copying Gerhard Schroeder's (German PM) fingerprint from a still photo of him from a bottle he had touched, and then creating a mold which fooled a sensor they had access to.

I think user pmontra meant that biometrics recorded by authorities could leak then be used to log in as you in your devices/services.

> then be used to log in as you in your devices/services.

That requires you to get physical access to the device, which puts the attack in an entirely different realm than just "password cracking".

I'm sure that there are plenty of nasty scenarios.

This is one.

1. The attackers create my.name@somedomain.com / my.name.12345@gmail.com and/or use a throwaway phone number (especially if the email provider uses some 2FA linked to a phone).

2. They register an account on a web service using that email or install an app on that phone, maybe a virtualized one. They upload a picture of me as the icon, or a fake one.

3. Use my fingerprints on their phone to get through any possible biometric 2FA.

4. They are me.

If they find a way to automate all those steps or make the labor costs small they can register a lot of bots that are real people, because 2FA says so. It's up to their imagination to find a way to profit from that.