
Great question! You prompted me to experiment.

I'm afraid you're right. I previously thought that my authenticator, Microsoft Authenticator (MSA), was taking advantage of the feature that banking apps use where it could detect that a biometric was updated (Finger added / Face added) and clear stored credentials in that case, meaning that it could only unlock credentials with the actual face that saved them.

Well, I was wrong. Holding my thumb over the face sensors twice yields an "Enter passcode" prompt which unlocks MSA. I assume Google Authenticator does the same. Just reinforces how thoroughly compromised you are if that single 6-digit code gets shoulder-surfed. facepalm

Note: I'm assuming the reason MS and Google made this choice is that since sync was added later (a few years ago for MS and this week for Google), if they did the secure thing which is technically to self-destruct all your keys if you've altered your biometrics, this would mean that a simple redo of your face scan or adding a finger would lose all your TOTPs, because there was not a fall-back password or something that secured those apps.

So I guess perhaps a more secure solution in this situation is 1Password? Because with that, if you can't pass Face ID, you'd have to enter your master 1pw key which hopefully nobody knows or can guess.
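The "banking app" behaviour described above, that stored credentials become unreadable once the enrolled biometrics change and there is no passcode fallback, is what iOS offers through the keychain's `.biometryCurrentSet` access-control flag. The following Swift snippet is an added illustration written for this thread, not code from Microsoft Authenticator, Google Authenticator or 1Password; the `SecretStore` type and the `totp-seed-example` account name are invented for the example.

```swift
import Foundation
import Security
import LocalAuthentication

enum SecretStore {
    // Hypothetical keychain account name used only for this example.
    static let account = "totp-seed-example"

    /// Store `secret` so it can be read only by the biometric set that existed
    /// when it was saved. `.biometryCurrentSet` (as opposed to `.userPresence`)
    /// means there is no device-passcode fallback, and the item is invalidated
    /// when a finger is added or removed or Face ID is re-enrolled.
    static func save(_ secret: Data) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &error) else { return errSecParam }
        let attrs: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: account,
            kSecAttrAccessControl as String: acl,
            kSecValueData as String: secret,
        ]
        // Replace any previous copy so re-saving does not fail with errSecDuplicateItem.
        SecItemDelete([kSecClass as String: kSecClassGenericPassword,
                       kSecAttrAccount as String: account] as CFDictionary)
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    /// Read the secret back. The system prompts for the enrolled biometric; if the
    /// enrolment has changed since `save`, the item is gone and the lookup fails
    /// rather than offering the passcode as an alternative.
    static func load() -> Data? {
        let ctx = LAContext()
        ctx.localizedReason = "Unlock your TOTP secrets"
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecUseAuthenticationContext as String: ctx,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess else { return nil }
        return item as? Data
    }
}
```

An app that wants a fallback secret (the 1Password-style master password mentioned above) would keep a second copy encrypted under a key derived from that password instead of relying on the device passcode.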
