I’m at contention on whether or not this is a good thing.
From my understanding of Biometrics, Schneier puts it best:
Biometrics are unique identifiers, but they’re not secrets.
People enjoy using biometrics to authenticate to systems. Like the little fingerprint reader on lots of laptops. I used it for a while on a laptop I had, because it saved me having to type anything to log on. Great for lazy people like me. I use TouchID with my iPhone as well, but mostly because I find typing complex passwords on touch screens a pain.
But, our fingerprints are everywhere. They’re (almost) unique, and they can’t be changed, so they make terrible keys.
On the other hand though, Biometrics are fantastic. I’d love to see them used more in everyday tech, for things like password resets or accessing secure areas of systems. They offer a form of Multi-Factor Authentication that doesn’t require some tool or item on your person.
The only way we’re going to get greater adoption of the technology is by it being more disseminated. Consumers need to accept it, and expect it. I’m at the point now where I expect new services to offer TOTP tokens or I’m annoyed at the service. Consumers will set the precedent, just like iPads being demanded by executives in their organisations.
But we also need to consider the privacy implications of biometrics. I need to be certain that services aren’t sharing my biometrics with other organisations for nefarious purposes. I need to be certain that attackers can’t breach their system and get copies of my biometrics to break into other services.
It’s a tough topic. It’ll be interesting to see what happens for the future if Microsoft can spread its usage further.