Even then you still have problems with revocation.
If someone steals my passport, I tell the gov and they cancel the old one. If someone steals your fingerprint, you are just screwed.
There are some systems that verify things like bloodflow to ensure that the finger belongs to a live person instead of a cut-off hand. However then you end up having the problem of needing to trust hardware, which is fine for an iPhone unlock feature but not so fine for this magical decentralized web3 stuff.
It's fine to trust hardware if you, as a party who performs the check, installed and paid for said hardware. The problem comes when somebody else has to judge whether you performed the check correctly and trust you.
I think fundamentally the issue is you can't create trust out of nothing. Once you have something you trust, you can use cryptography to extend that trust in all sorts of complex ways. However you always need a starting point to bootstrap the system.
I feel like there is a big connection between this problem and trying to prove things in pure logic.
PKI is basically starting from axioms (I trust the following CAs as a starting point).
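As an added illustration of the comment above (this is not code from any post in the thread), a toy certificate chain in Go: every hop is checked cryptographically, yet nothing verifies unless the caller supplies a root key as a starting point. The Cert type, Issue, Verify and the names "root", "intermediate" and "leaf" are constructed for this example and are not real X.509.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a constructed toy certificate (not X.509): Issuer signs Subject||Pub.
type Cert struct {
	Subject, Issuer string
	Pub             ed25519.PublicKey
	Sig             []byte
}

func (c Cert) tbs() []byte { return append([]byte(c.Subject+"|"), c.Pub...) }

// Issue has issuer vouch for subject's public key with a signature.
func Issue(issuer string, priv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, Issuer: issuer, Pub: pub}
	c.Sig = ed25519.Sign(priv, c.tbs())
	return c
}

// Verify walks the chain leaf-first. Every signature is checked, but the walk only
// succeeds once it reaches a key in roots: the roots are the axioms, signatures just extend them.
func Verify(chain []Cert, roots map[string]ed25519.PublicKey) error {
	for i, c := range chain {
		issuerPub, trusted := roots[c.Issuer]
		if !trusted && i+1 < len(chain) && chain[i+1].Subject == c.Issuer {
			issuerPub = chain[i+1].Pub // not an axiom yet; the next cert must vouch
		}
		if issuerPub == nil {
			return fmt.Errorf("%s: issuer %q is neither in the chain nor trusted", c.Subject, c.Issuer)
		}
		if !ed25519.Verify(issuerPub, c.tbs(), c.Sig) {
			return fmt.Errorf("%s: bad signature from %q", c.Subject, c.Issuer)
		}
		if trusted {
			return nil // reached an axiom: trust established
		}
	}
	return fmt.Errorf("empty chain")
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo keys
	midPub, midPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Cert{Issue("intermediate", midPriv, "leaf", leafPub), Issue("root", rootPriv, "intermediate", midPub)}
	fmt.Println("root trusted:", Verify(chain, map[string]ed25519.PublicKey{"root": rootPub}))
	fmt.Println("no roots:", Verify(chain, nil)) // same signatures, no axiom to bootstrap from
}
```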
Biological credentials could work even without revocation if you use a lot of them simultaneously.
It would be like asking for many usernames that are semi-public instead of a username and password.
e.g. multiple fingerprints plus iris scan plus voice print plus facial scan.
So even if a few get stolen and successfully replicated somehow to fool the system into thinking it's a living person, it still won't be enough to steal the identity.