The Safest Authentication Credentials

There are two categories of authentication credentials: those that live in your mind, such as passwords, and those that do not, such as your biometrics. Credentials in your mind can be guessed or brute-forced; credentials outside your mind can be duplicated or produced, either by force or by killing you. Therefore, a combination of a strong passkey (password or passphrase) and your biometric information is the safest authentication credential one can have.

Imagine that your face is the key that unlocks your device. Anyone can then simply hold the device in front of your face, without your knowledge or by force. One may argue that AI defence mechanisms can be built into the face recognition algorithm, such as detecting stress on the face and refusing to unlock, or unlocking only when the face smiles, thus adding further protection. Such defence mechanisms are easy to defeat with a 3D model of your face produced on a 3D printer.

Imagine that your fingerprints are the key that unlocks your device. It is physically possible to take your hands, place your fingers on the device and unlock it. The Achilles' heel of any biometric authentication system is that the credentials can be produced with little force in order to unlock the device.

Imagine that your biometrics are protecting the FIDO keys on your personal devices. FIDO authentication seems promising: by using cryptographic keys it removes from the user the inconvenience of maintaining strong and distinct passwords. No password is sent from the personal device to the server, yet the cryptographic keys on the device are themselves protected by a passkey. If your biometrics are that passkey, your FIDO keys can be compromised by forcing or killing you. If, on the other hand, a password or passphrase is the passkey, you risk a brute-force attack should the device be lost.
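The exchange described above, as an added example in Go that is not part of the original post: the key pair is generated on the device and only the public half is registered with the server, each login signs a fresh server challenge, and the `Unlocked` flag stands in for the local passkey or biometric check that gates use of the private key (the type and function names are assumptions for illustration, not any real FIDO library's API).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Device models the authenticator: the private key never leaves it, and
// Unlocked models the local check (passphrase or biometric) that gates its use.
type Device struct {
	priv     *ecdsa.PrivateKey
	Unlocked bool
}

// Server models the relying party: it stores only the public key, never a secret.
type Server struct{ pub *ecdsa.PublicKey }

// Register creates the key pair on the device and sends only the public half.
func Register(d *Device, s *Server) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	d.priv, s.pub = priv, &priv.PublicKey
	return nil
}

// NewChallenge issues a fresh random nonce so an old signature cannot be replayed.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Sign answers the challenge, but only after the local unlock has succeeded.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.Unlocked {
		return nil, errors.New("device locked: local passkey/biometric check failed")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify checks the signed challenge against the registered public key.
func (s *Server) Verify(challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, h[:], sig)
}
```

Note that a lost device still holds the private key, which is why the local unlock (the passkey) is what stands between the finder and the account.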

Implementing biometric security requires additional, costly hardware. For most users and in most systems, passwords or passphrases are still the best form of security, provided good password management is employed: strong passwords, password generators and password managers.