[higherpurpose]

It's much worse for pictures than fingerprints because most people have tons of pictures of themselves online now, and many are also public. It's probably just a matter of time before malicious hackers start spoofing their identities.

[tetraodonpuffer]

don't forget all the ongoing advances in the "here's a bunch of pictures, come up with a 3d model of the person" problem, making the spoofing even easier

[LoSboccacc]

Well we had this idea ten years ago, but the biometric scan was checked for freshness against a database of biometric scans. It was thought for protect the conversation between two leers however and not for blind validation.

The idea to protect against this kind of replay attack was that if the algorithm was unsure of the scan it could request a new one, validate it and present it to the user in case of low confidence biometric match or high confidence forgery: the point being that humans are good at detecting the kind of tampering that could fool an algorithm and vice versa.

This required to send the biometric scan to the peer and to validate it on the other side of the communication channel instead that on the device.

Well, we weren't technically using it as password in the end, I guess I'll have a closer look at what they're doing. And check if that old patent is still good. Eheh not that I have any rights to it left of course.