You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.
Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.
If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.
When we talk online accounts, I’d count device+fingerprint as one factor. Sure, the maid from the example above can’t login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that’s like a password. One factor.
Technically, it’s slightly better than a password, because this token can be short-lived (although often it’s not), could be cryptographic signature to be used exactly once (although…), you cannot brute-force guess the token… But IF the token leaks, the attacker has full access (or enough to cause damage).
That’s why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.
Biometrics are two factor, because you need the fingerprint and the device they unlock.
You can’t use the device without the fingerprint and you can’t take someone’s fingerprint then use them from a different device.
You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.
Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.
If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.
When we talk online accounts, I’d count device+fingerprint as one factor. Sure, the maid from the example above can’t login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that’s like a password. One factor.
Technically, it’s slightly better than a password, because this token can be short-lived (although often it’s not), could be cryptographic signature to be used exactly once (although…), you cannot brute-force guess the token… But IF the token leaks, the attacker has full access (or enough to cause damage).
That’s why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.