Hacker News
Fingerprints are Usernames not Passwords (dustinkirkland.com)
4 points by tosh on March 14, 2016 | 4 comments



>> But biometrics cannot, and absolutely must not, be used to authenticate an identity.

I understand where the author is coming from, but as someone who did their PhD in biometrics it also comes across as a fundamental misunderstanding of what a biometric does. A biometric 100% authenticates identity - even if only used as a username. This is because a biometric is both a username and a password.


> ...a biometric is both a username and a password

Appreciate you probably know a ton about this area, but I think you may be too close to it.

Passwords work by being (a) secret and (b) changeable. Your biometrics are categorically not secret and categorically not changeable.

> A biometric 100% authenticates identity....

I'm just going to leave this here

http://www.heise.de/video/artikel/iPhone-5s-Touch-ID-hack-in...


> Passwords work by being (a) secret and (b) changeable. Your biometrics are categorically not secret and categorically not changeable.

Very true, the biometric itself (face, fingerprint, iris, etc.) really shouldn't change for it to be reliable. But this doesn't always mean that a picture of your face will automatically allow someone else to gain access in a real-world system. Further, even a stolen raw template from a data breach doesn't necessarily guarantee anything.

Currently, I disagree that a biometric should be used in the same role as a password for most applications. Most research is geared toward recognition performance, but comparatively little is focused on system security (such as spoofing). However, I still get uneasy when I see such declarative statements claiming that a biometric can never be a password. Microsoft Windows "Hello" [1] is really the best implementation of what I mean. The user sits down at the computer and the system recognizes them. For consumer applications this is really the goal of any biometric system.

[1] http://windows.microsoft.com/en-us/windows-10/getstarted-wha...

> A biometric 100% authenticates identity....

The author assertively states that a biometric does not authenticate identity, so my comment is related to the fact that the purpose is to authenticate identity (not that it will be right 100% of the time - easy to see how that would be confused - probably should have used different terminology).


It never occurred to me how easy it is for a police officer to scan your phone sensor across your finger while physically holding you down. In many places they can't force you to give them your password but this bypasses that.



