by akira2501 941 days ago
> a biometric is _both_ a username & password

It's just a username. As implemented the systems only require a username. It's also not even that, it's a temporal identifier, as faces change, sometimes in ways that we all expect and sometimes, not. To the extent that we've even performed facial transplants in response to some of these cases.

If biometrics were going to work, we'd be using fingerprints already. For all the same reasons we don't use fingerprints, we won't be able to use facial identification.

3 comments

It's not "just" a username, in the sense that I can type an arbitrary username easily, but spoofing biometrics is somewhat harder, at least in a controlled environment. And that's the only reason why it's used - it is essentially a replacement for situations such as an agent quickly checking a photo ID (low-effort high-volume quick-and-dirty weak authentication).

Not that I'm fond of this, just saying that it's not exactly just a username.

There is no culture of using secrets for authentication in any public setting. It has always relied on biometrics, since time immemorial (people knowing what one looks like, then scaled up with printed documents, now scaled up again with machine-assisted recognition). Essentially, with some exceptions like high-security facilities, people have always relied on their public identities (self-asserted or asserted by a trusted third party, depending on the requirements) to get access.

And not even a unique user name. Twins and other relatives can pass for each other.
And with facial recognition, two people don't even have to be related. I knew a guy who looked so much like me that he grew a mustache purely so that our own friends could tell us apart (which is how I know I look terrible with a mustache). There's zero chance that facial recognition could distinguish us.

He and I weren't even remotely related.

There was also zero chance a TSA agent could distinguish between you either, though.
Which means a second factor is needed -- and we already have IDs.
You can't change it, it's not a password (though the mustache example in this thread is an amusing/distressing counterpoint :-)