Everyone has fingerprints!
The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have getting official ID.
In 2010, fingerprints became mandatory for passports and driver's licences. After several attempts, Amal was able to obtain a passport by showing a certificate from a medical board. He has never used it though, partly because he fears the problems he may face at the airport. And though riding a motorbike is essential to his farming work, he has never obtained a driving licence. "I paid the fee, passed the exam, but they did not issue a licence because I couldn't provide fingerprint," he said.
The family with no fingerprints
Even if this genetic issue didn't exist, it should be obvious that not everyone has fingers, or hands. Some people are born without hands, some people lose them later in life.
Policy is about the edge-cases. It's easy to design something which works for the majority of people - the real challenge is how we deal with the fringes.
Everyone has a unique face / unique DNA
Ever heard of twins, dumbass?
OK, it is a little bit more complicated than that.
It is easy to revoke a biometric indicator
Even if you assumed that everyone has ten fingers - that means you can only change your ID 9 times. If you're using iris recognition, that's one change you're permitted before you have to grow new eyeballs.
Biometrics can't be copied
Back in 2002, Tsutomu Matsumoto copied fingerprints using Gummy Bears.
Researchers can consistently fool iris scanners
The thing about biometrics is that they are not secret. You leave your fingerprints everywhere. If a camera can read your face, it can copy your details.
Biometrics can't be changed
Will having a "nose job" stop your iPhone from recognising you? Probably not. But there are a range of surgical procedures which can be done.
Oh they did. I have formal letter stating that I might not pass biometrics anymore. 😂
— Charlie Don't Surf (@sonniesedge) December 3, 2020
What are they good for?
Biometrics are not passwords. Nor are they a universal 2nd factor. Biometrics are, at best, usernames.
For the average user, it's probably fine to use your fingerprint or face to unlock your phone. If you think an enemy state is going to devote considerable resources to steal copies of your biometrics, consider changing to a different password mechanism.
Or, if you have kids.
Friend's 5-year old daughter started unlocking his phone with his fingerprint while he's asleep so that she can play games.
He now sleeps with gloves on. #lifeisblackmirror
— Pushkar (@Pushkarr) September 24, 2018
Or if you're cheating on your spouse.
A Qatar Airways pilot was forced to make an emergency landing after a passenger found out her husband was cheating on her and had a violent reaction in midair.
The woman reportedly used her sleeping husband's finger to unlock his phone and discovered his cheating ways.
In a safe-ish environment, biometrics are a good convenience mechanism. If your phone is snatched by an opportunistic thief, they're unlikely to have the means to spoof your ID.
But they are not a perfect security measure.