A thief flags you down, grabs your phone and makes you unlock it using your thumb.
A cop opens the cop car door, grabs your hand and unlocks your phone, or even easier, face unlock.
Granted, guns and torture are rather effective as well, but is anyone entirely against fingerprint unlocking?
Biometric anything feels weird, being an identical twin. I stick to never using it.
Pragmatically, is that really any different with a passcode? Someone might not be able to physically force an unlock like with biometrics by moving the relevant body part over, but there’s certainly nothing stopping someone from forcing you to unlock your phone by duress if you had a passcode.
I rather doubt that, if in that kind of situation, there would be many who would resist. Your phone is not worth your life for most.
As opposed to what? What will you use that’s impervious to those things?
Passwords, which are protected under the 5th Amendment of the US Constitution.
Passwords are impervious to guns and torture?
OP specifically used cop unlocking your phone as an example. Don’t argue in bad faith.
Absolutely no access control on a consumer device is impervious to guns and torture.
They also specifically used the example of guns and torture.
It is an oxymoron. Biometrics are the equivalent of a username, not a password.
I like this perspective. Wish there were more implementations of a biometric + password combo.
100%. PIN plus fingerprint would be truly excellent in my opinion with minimal inconvenience.
If I can’t change it once it gets breached (because it will get breached), then it’s not security, it’s a hurdle at best. Biometrics entry isn’t security; it’s convenience.
I don’t use it at all, even with various bank apps and such yelling at me to do so. Yeah, a $2 wrench could still eventually get it out of me, but you can’t just use my face/finger to do so.
For everyday use, I use it. It’s convenient.
If I’m traveling or going to a protest, I’ll turn it off. I also make sure I know the ways to disable it.
or going to a protest
I’d suggest you may be better off not bringing your phone at all, in this case.
Biometrics are for usernames and not passwords/keys.
Do NOT use biometric unlock in the U.S.
Law enforcement can force you to open the phone vs. requiring a warrant for PIN/Password.
Same with face unlock, not requiring a warrant, if I’m remembering correctly
Yes
They’re generally a bad idea, especially if you’re a political dissident.
GrapheneOS allows it to not be used as the device unlock, but still use it for other apps once unlocked (such as banking apps).
Device unlock should never be biometric.
I also have data over the USB port disabled unless the device is actively unlocked.
For proper user authentication the model always used to be that the user should present three things: something they were (a username for instance), something they knew (a password), and something they had (an OTP from a device, or a biometric). The idea being that, even if a remote attacker got hold of the username and password, they didn’t have the final factor, and if the user was incapacitated or otherwise forced to provide a biometric, they wouldn’t necessarily supply the password (or on really secure systems, they’d use a ‘panic’ password that would appear to work, but hide sensitive information and send an alert to the security team).
Now we seem to be rushing into a system where you have only two factors, the thing you have, namely your phone, and the other thing you have, namely a fingerprint or your face. Notably you can’t really change either of those, especially your biometrics, so they’re entirely useless for security. Instead your phone should require a biometric and a password to unlock. The biometric being ‘the thing you are’, the phone ‘the thing you have’, and the password being ‘the thing you know’.
So, yes, I’m entirely against fingerprint unlocking.
The thumbprint and facescan reader on my phone straight up says that it’s not necessarily good enough to distinguish me from family members (especially if we look similar, which we do) when you go to set it up, so I’ve pretty much never used either.
I run GrapheneOS on my phone and reject all biometrics on principle, not because I have anything to hide.
But you do have things to hide. Everybody does. That doesn’t make it bad.