• BombOmOm@lemmy.world
    15 hours ago

    The gold standard is providing something you know (a password) alongside something you have (an OTP or fingerprint). This is two-factor auth in a nutshell.

    using your face, fingerprint, or PIN

    You leave fingerprints and images of your face everywhere you go, and in the case of someone spoofing those, there is zero way to change either. Such public information is not the foundation of a secure system.

    And a PIN is just a shorter, shittier password. Why the hell would we replace a normal password with the least secure, most shitty version of a password?

    • jacksilver@lemmy.world
      7 hours ago

      The whole idea is about moving to passkeys, which are like super passwords unique to a device. The face/finger/PIN is the second auth to use the passkey.

      Not saying this is good or bad, but msoft does have an FAQ about passkeys.

      The major thing I still don’t understand is, without a password, how do you authenticate people who lost access to their device/passkey.
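A sketch of the passkey model described in the comment above, as an added example that is not from the thread or from Microsoft's FAQ (Go, standard library only; a deliberately simplified FIDO2/WebAuthn-style flow, not a real implementation): the PIN only unlocks a key that stays on the device, the service stores nothing but the public key, and every login signs a fresh challenge so a captured signature is useless later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Authenticator models the device: the key never leaves it; a PIN/biometric only unlocks it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

// NewAuthenticator creates a device-bound P-256 key gated by a PIN (simplified, not real FIDO2).
func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}
// Pub is all the relying party stores at registration; the PIN is never shared.
func (a *Authenticator) Pub() *ecdsa.PublicKey { return &a.priv.PublicKey }
// NewChallenge is the relying party's fresh 32-byte nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Sign checks the PIN locally, then signs the challenge with the device key.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key stays locked")
	}
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}
// Verify accepts only a signature over the challenge issued for this attempt (no replay).
func Verify(pub *ecdsa.PublicKey, issued, presented, sig []byte) bool {
	if subtle.ConstantTimeCompare(issued, presented) != 1 {
		return false
	}
	d := sha256.Sum256(presented)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
```

Note what the service never sees: the PIN, or anything derived from it, which is why a short local PIN is not comparable to a short password sent to a server.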

    • theneverfox@pawb.social
      11 hours ago

      Easier passwords are often better, since people are less likely to try to get around them.

      PINs are basically simple passwords that fingerprint your device to decide when it needs another auth method.

      It’s not a bad idea, in theory at least.