Let’s start with a smartphone. A user creates an account with a passkey for a service, that passkey gets stored on their smartphone, and they can use biometrics to sign in from then on. The private key is stored on the smartphone. Great.
But then how do you sign into that same service from a different device?
If it’s by using a password manager, some third party piece of software, How do you sign in on a device where you’re not allowed to install third party software?
Sounds much safer than biometrics.
Definitely. Costs extra, has an extra step to set up, and has an extra step to use, but is so much more secure.
That said, biometrics are better than “1234”. I have no issues with people who have bad password hygiene moving to biometrics, which at least add an extra barrier for account compromise.
But for the rest of us, physical security tokens are definitely the way to go.