Touch ID and other biometrics are enforced locally.
The device is first enrolled: the website gives the device a secret value, which the device can put in its secure element. When it needs to authenticate again, the device checks biometrics locally and, if they match, the secure element releases the secret value, which is then either passed on to the website or used as part of a challenge-response authentication.
This means if you lose or reset your device you can't get back in despite having the right biometrics.
Yes, that's a security feature. It's also true for Google Authenticator, by design. You cannot officially back up or share codes because of the potential vulnerabilities that a backup would open up.
Yubikey has the same problem you describe. If your key stops working, you'd also be locked out. Yubikeys can spontaneously stop working in my experience.
To mitigate this, sites like login.gov allow you to add multiple devices, so you can have it on, e.g., your laptop and your phone, and Yubikeys if you'd like. I generally do all three for important sites (or multiple Yubikeys when Touch ID is not offered).
Anyway, my point is that offering Touch ID makes a more secure 2FA very, very convenient for the average person. I'm just surprised more developers haven't offered it, even though it's been in Chrome for a couple of years.
Even login.gov supports it!
https://www.slashgear.com/chrome-is-adding-touch-id-and-fing...
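The flow the comment describes, as an added toy model (not code from the comment or from any real site or browser): the website hands each enrolled device a secret, the device answers a fresh server challenge only after a local biometric check, and a reset device or a failed biometric simply cannot answer. HMAC-SHA256 for the challenge-response and the `biometric_ok` callable standing in for the local biometric verifier are assumptions of this example.

```python
import hmac, hashlib, secrets

class Device:
    """Stand-in for a device with a secure element (constructed for this example)."""
    def __init__(self, name, biometric_ok):
        self.name = name
        self.biometric_ok = biometric_ok  # hypothetical local biometric verifier
        self._secret = None               # lives only in the 'secure element'

    def enroll(self, secret):
        self._secret = secret

    def respond(self, challenge):
        # The secret never leaves the device; only an HMAC over the challenge does.
        if not self.biometric_ok():
            raise PermissionError(f"{self.name}: biometric check failed")
        if self._secret is None:
            raise LookupError(f"{self.name}: not enrolled (new or reset device)")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Website:
    def __init__(self):
        self._devices = {}  # user -> {device name: per-device secret}
        self._pending = {}  # user -> outstanding challenge (single use)

    def enroll_device(self, user, device):
        # One secret per device, so losing one device does not lock the user out.
        secret = secrets.token_bytes(32)
        device.enroll(secret)
        self._devices.setdefault(user, {})[device.name] = secret

    def challenge(self, user):
        c = secrets.token_bytes(32)
        self._pending[user] = c
        return c

    def verify(self, user, device_name, response):
        c = self._pending.pop(user, None)  # consumed: a replayed response fails
        secret = self._devices.get(user, {}).get(device_name)
        if c is None or secret is None:
            return False
        expected = hmac.new(secret, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(site, user, device):
    """Full exchange: server challenge -> device response -> server verdict."""
    try:
        response = device.respond(site.challenge(user))
    except (PermissionError, LookupError):
        return False
    return site.verify(user, device.name, response)
```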