by Grustaf 1327 days ago
I don't think the sentiment that "typing a password is easier to use than FaceID or TouchID" is very common.

Try to rotate your thumbprints more than 10 times or change your face after a data leak, and then get back to us.
There are a billion iPhone users and so far no Touch ID "data leak" has occurred, as far as I know. Not even sure what it would mean, since your face/fingerprints are only stored on device.

But even if I had to set up Touch ID or Face ID every year, hell, every month, using it is still a whole lot more convenient (and probably safer) than typing in a password 10 times a day.

You have ten thumbs? That means 8.00000001 more than the average person; that's some high level of security there :D But you're right. I don't understand why Face ID is supposed to be secure. Anyone can take and use a picture of you. Same with fingerprints. Some hackers from CCC in Germany detected Angela Merkel's fingerprint from a press photo a few years ago, just to show how easily it can be done. These auth methods all require an extra factor that proves that it's you, in front of the screen, and not someone else, which is then more tedious than entering a password.
Face ID uses a 3D camera, so a photo is not enough.
Creating 3D data from a portrait photo is not that hard... nor is setting up a camera anywhere necessary to get your face's 3D data. My point is, the "secrets" (your face, your thumb) are out there in the open, and there are a lot of creative ways to steal and store them, unbeknownst to the user. That's not good, if you ask me.
A big difference in the threat model is attack surface:

1. Someone can steal or phish a password remotely from anywhere in the world (see: haveibeenpwned for plenty of known examples)

2. That same someone can make use of a stolen password in most websites and web applications remotely from anywhere in the world

3. Someone else can attempt through distributed brute force to crack a password from anywhere in the world as fast as a given web API will allow them

Versus:

1. Someone can capture your face data from a camera in your physical proximity

2. That someone can use your captured face data to gain access to specific devices only in physical proximity to those devices

3. There is no public API in iOS to try to brute force face data, much less remotely or in a distributed attack (and no currently known CVEs on Apple's Secure Enclave)

That's still an attack surface, certainly, but it is so much smaller than the attack surface of traditional passwords that it is much better for the median and mode threat models of average users.

I can't tell you what your threat model is, of course, and would never suggest that there aren't good reasons to be paranoid about biometric unlocks. What I can encourage: know your threat models. Figure out exactly what it is you are scared of and learn how to defend against it. (I have my own paranoia, but I also learn my mitigations: I use Face ID regularly, appreciate its convenience, and I also know that holding the top two buttons [Vol Up and Lock; the "Power" button combo] on an iPhone until the system vibrates is a fast and efficient way to temporarily disable all biometric locks until I next use a device PIN or cloud password.)

There is not only attack surface in the equation. I guess the basic calculation is something like:

(attack risk x attack surface x attack damage) - (security costs) must be greater than 0.

The damage you get when your security token is a piece of immutable data is relatively high. With a mutable password caught by phishing, you can retain/recover your accounts, machines and data and hopefully just clean them up. Breach closed. With immutable 3D data of your face... what do you replace it with, once it has been stolen / reverse engineered?

I'd also like to point out that attack surface may be higher than you think for face recognition. The attack vector for any of your online accounts is ... your public profile picture.

I think your points are valid regarding the current situation. However, I think that some practical, low-entry-barrier automation around passwords and TOTP would be far more secure than biometrics.
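As an added example (not code from any commenter in this thread), here is what the "automation around passwords and TOTP" mentioned above looks like on the server side, together with the brute-force bound from point 3 of the earlier comparison ("as fast as a given web API will allow them"): an RFC 6238 TOTP generator checked against the RFC's own published test vectors, plus a verifier that accepts a one-step clock-skew window, refuses replay of a code that was already consumed, and counts failed attempts per account so that the API, not the attacker, sets the guessing pace. The `TotpVerifier` class, its `max_attempts` budget and the permanent lockout once it is exhausted are assumptions made for this example, not the behaviour of any particular product.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side TOTP check for one account (assumed design, not any vendor's).

    - accepts codes from `window` steps either side of "now" to tolerate clock skew
    - rejects any step at or before the last accepted one, so a sniffed code cannot be replayed
    - counts failed attempts and refuses further checks once `max_attempts` is reached,
      which bounds online guessing of the 10**digits code space
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.max_attempts = max_attempts
        self.last_counter_used = -1   # highest step counter already consumed
        self.failed_attempts = 0

    def verify(self, code: str, now: int) -> tuple:
        """Return (accepted, reason); reason is one of "ok", "bad_code", "locked"."""
        if self.failed_attempts >= self.max_attempts:
            return False, "locked"   # a real deployment would decay this, e.g. after a cool-down
        if not (code.isdigit() and len(code) == self.digits):
            self.failed_attempts += 1
            return False, "bad_code"
        counter = now // self.step
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            if c <= self.last_counter_used:
                continue   # already consumed (or older than a consumed step): replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter_used = c
                self.failed_attempts = 0
                return True, "ok"
        self.failed_attempts += 1
        return False, "bad_code"


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 Appendix B test secret (an ASCII seed, not a real key).
    seed = b"12345678901234567890"
    print("RFC vector, time=59, 8 digits:", totp(seed, 59, digits=8))   # 94287082
    v = TotpVerifier(seed)
    print("live code accepted:", v.verify(totp(seed, int(time.time())), int(time.time())))
    print("same code replayed:", v.verify(totp(seed, int(time.time())), int(time.time())))
```

The replay guard matters more than it looks: a TOTP code is valid for a whole step, so a phished or shoulder-surfed code that was just used would otherwise still open the account for the rest of that step and the skew window. The attempt budget is what makes the 6-digit space safe against online guessing; without it, the ~10^6 space is small enough that an unthrottled API would be the weak link.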

There are even more creative and common ways to make someone reveal their password, unbeknownst to them. Just good old phishing! Actually that’s demonstrably more probable than your face or thumb print getting stolen.

edit: typo