Comment by customguy
2 days ago
Never trust user input. The users already can't modify the server.
And what actual applications did you have in mind that warrant throwing everybody under the bus? (by that I mean some applications (allegedly) need it, so it gets forced on everyone)
My banking app already trusts Face ID right now!
And how is that necessary? It's a convenience feature, nothing more. You might as well trust your bank with your biometric data directly, and leave me and others out of it either way. Even IF there were a real need for a mobile device with which general computing is not possible, that would not justify killing it everywhere just so people who do need it can "just use their phone".
That the laziest of us don't mind and the worst of us want something is not a respectable argument for anything, ever.
So first of all, usability features are security features. There is the classic example of an uncrackable 18-character random password string that only results in frequent password reset attempts and the bank’s support staff getting totally overwhelmed.
We can have a discussion about FaceID specifically, but “convenience” is not considered trivial within the security sphere.
Second, I work for a (very large) bank, and you actually do not want to trust them with your biometric data directly. You can be absolutely assured of the privacy of your biometric data with the bank, better than with a Silicon Valley tech company. But I would not trust the bank’s data scientists to come up with a model that will not have an extremely high rate of false positives and negatives.
The reality is, if such an initiative was started at a bank, it would be shuttered after years of delays.