Hacker News | rmathot's comments

It has existed in Belgium for years, called Tax-on-web... the UX is not fancy but it works pretty well, and you don't have to enter again information that is already known by the Revenue Services


Have you considered asking your GP about ADHD?


Using biometrics instead of a secret-based authentication is always a bad idea.

Secrets can be changed easily when they get compromised, your fingerprints/iris/whatever cannot.

https://www.csoonline.com/article/3330695/6-reasons-biometri...


On the other hand, you can't type your fingerprint into a random link that you receive in your email.

I think modern devices that use biometrics to unlock a secret key are different from the old-school case of biometric authentication. If someone is storing a picture of your fingerprint, then of course they can replay that to impersonate you. But that's not what TouchID is doing -- it's just a chip that will only give up the private key if it detects your fingerprint. You have to have physical access to that chip, and a finger analog that will fool the chip into giving up the secret key, and then you can use that key to compromise things. But if you detect that, you just revoke the key, get a new device, and are good to go.

I don't have a great analysis for sudo. You want root on MacOS to do something like install a long-term compromise. Your regular user account already has your GMail session cookie and bank information, so sudo isn't really good for anything else; if you leave your unlocked laptop around somewhere, your Internet life is over. But if someone physically steals your finger so they can gain access to sudo and install a keylogger or something, you already know you're compromised -- your laptop and finger are gone, so you know something's up, defeating the purpose of a long-term compromise.

This attack can't be done remotely; if someone sshs to your laptop and wants to sudo, they can't just take a picture of your fingerprint and upload it... they have to physically touch the sensor on your laptop.

Overall, I think biometrics like TouchID / FaceID / U2F / WebAuthn are strictly better than passwords. They are super convenient. They can be revoked. They can't be phished. That's a huge win over passwords.


How often has your mother given money to someone else who pretended to be you? Because parents identify their children through biometric authentication. They look at you and can in a matter of split seconds verify that you are actually you. Biometric authentication is the oldest and most sophisticated form of authentication. I can enter my work place and nobody asks me to type in a password at the door because the staff can immediately identify my identity by simply validating my face with their own eyes. It's incredible, trust me.


Your mother doesn't view you through a 0.3MP camera in a dimly lit room with no flash when deciding if the person in front of her is her child.

Further, if I take a high resolution photo of you, and then go to your mom and ask for money by presenting her the picture, she won't accept that picture as proof that I am you (although she may suspect I'm blackmailing or otherwise threatening you). This, moreso than qualms about the resolution/quality of the sensor is the GP's point. If the sensors are accurate, that specific set of bits that is translated as your fingerprint will not change. If someone knows those bits, it's extremely likely they can convince the sensor they are you. From our example, once I have your picture, I can tell your mother I'm you--and she'll believe me!


So your qualm is low quality biometric scanning, not biometrics itself? So we agree that biometrics are the most secure form of authentication and we are only debating on the quality of the technology, which we know is getting better day by day, yeah?


> Further, if I take a high resolution photo of you, and then go to your mom and ask for money by presenting her the picture, she won't accept that picture as proof that I am you (although she may suspect I'm blackmailing or otherwise threatening you). This, moreso than qualms about the resolution/quality of the sensor is the GP's point. If the sensors are accurate, that specific set of bits that is translated as your fingerprint will not change. If someone knows those bits, it's extremely likely they can convince the sensor they are you. From our example, once I have your picture, I can tell your mother I'm you--and she'll believe me!

You skipped the second paragraph, so I helpfully requoted it.


It rather sounds to me like you have run out of arguments.


> is always a bad idea.

Making sweeping generalizations about something as complex as information security is always a bad idea.

