by fastball 851 days ago
Honestly the real problem with security is the whole passcode -> Face ID -> passcode flow.

It is relatively easy for someone to see the passcode that unlocks my phone, in one way or another.

All of my banking apps are locked behind Face ID. But if you lock an app with Face ID, you can just override with the phone's passcode. This is dumb.

The app Face ID backup passcode should be separate from the device unlock passcode, or that should at least be an option. Maybe I'm at a party and I want someone to be able to unlock my phone to use Spotify, but I don't want to also give them access to all my banking apps.

3 comments

The idea of Face ID is to minimize the use of a passcode so that it wouldn't be stolen in the first place.

And if you worry about that, then probably disable Face ID for banking apps :-)

Apple also recently implemented optional Stolen Device Protection in Face ID settings just for this case: a delay is introduced before you are allowed to change the password and other related things.

And preferably don't have a numerical passcode.

It's really easy to shoulder-surf a numerical passcode, the buttons are so big and clearly placed.

It's a lot harder to do with a CorrectHorseBatteryStaple style password.

I have witnessed a few banking apps on Android not offering the PIN option and also requiring an app-level login again after disabling biometrics.
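Whether the device passcode can stand in for Face ID is, on iOS, a choice the app makes rather than a fixed property of the platform. The following is an added example (not code from this thread or from any banking app) showing the biometrics-only pattern the last comment describes seeing on Android, written for iOS: the secret is stored in the Keychain with `SecAccessControlCreateFlags.biometryCurrentSet`, and it is read through an `LAContext` restricted to `.deviceOwnerAuthenticationWithBiometrics` with the fallback button hidden. With that policy there is no "Enter Passcode" path, and because resetting Face ID or adding an alternate appearance requires the device passcode, the `biometryCurrentSet` flag makes the item unreadable after such a change, so knowing the passcode alone does not yield the banking secret. The service and account names are assumed identifiers.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example, not code from the thread. Identifiers below are assumed.
let serviceName = "com.example.bankapp"   // assumed Keychain service
let accountName = "session-key"           // assumed Keychain account

enum GateError: Error {
    case accessControl(String)
    case keychain(OSStatus)
    case biometryUnavailable(String)
}

private func baseQuery() -> [String: Any] {
    [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: accountName,
    ]
}

/// Store a secret that is released only after a biometric match by the
/// *currently enrolled* face/fingerprint set. The device passcode is required
/// to exist (WhenPasscodeSet...) but cannot by itself unlock the item, and the
/// item is invalidated if biometrics are re-enrolled.
func storeBiometricOnlySecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else {
        throw GateError.accessControl(String(describing: cfError?.takeRetainedValue()))
    }

    // Replace any earlier copy so a re-enrolment starts from a clean slate.
    SecItemDelete(baseQuery() as CFDictionary)

    var add = baseQuery()
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw GateError.keychain(status) }
}

/// Read the secret back. The context is limited to biometrics and the fallback
/// title is blanked, which hides the "Enter Passcode" button entirely.
func readBiometricOnlySecret(reason: String,
                             completion: @escaping (Result<Data, Error>) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = ""   // empty string removes the fallback button

    var laError: NSError?
    // Fails (e.g. LAError.biometryLockout) instead of silently offering the passcode.
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError) else {
        completion(.failure(GateError.biometryUnavailable(
            laError?.localizedDescription ?? "biometry not available")))
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { ok, err in
        guard ok else {
            completion(.failure(err ?? GateError.biometryUnavailable("authentication failed")))
            return
        }
        var query = baseQuery()
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context   // reuse the biometric result
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecSuccess, let data = item as? Data {
            completion(.success(data))
        } else {
            // errSecItemNotFound after a Face ID reset means the biometryCurrentSet
            // item was invalidated: treat it as "force a full re-login".
            completion(.failure(GateError.keychain(status)))
        }
    }
}
```

The trade-off is the one the replies point at: with no passcode fallback, a user whose face stops matching has to re-enrol and then log in to the app from scratch, which is exactly the Android behaviour the last comment observed. The Android equivalent is a `BiometricPrompt` whose allowed authenticators are `BIOMETRIC_STRONG` without `DEVICE_CREDENTIAL`, backed by a Keystore key created with `setInvalidatedByBiometricEnrollment(true)`.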