w3c / captcha-accessibility

Inaccessibility of CAPTCHA
https://w3c.github.io/captcha-accessibility/

security and privacy properties of biometrics unstated or confused #37

Open npdoty opened 5 years ago

npdoty commented 5 years ago

The draft seems to indicate biometrics as easy-to-use, reliable and hard-to-defeat authenticators and a promising approach for online CAPTCHAs.

While anonymity is briefly noted as a concern, I'm not sure it's adequately described. Allowing access to biometric identifiers as authentication mechanisms over the Web is not currently supported and would involve enormous privacy risks given their permanent nature and global scope. Users would be revealing far more about themselves than a proof of their humanness and the liability risk taken on by the online party that's collecting large numbers of biometrics would be substantial. Permanent unique identifiers would frustrate those interested in anonymity online, but it would also have many other privacy risks for users.

The described security properties also seem overly optimistic. Many biometrics like fingerprints are left everywhere you go and on everything you touch. Furthermore, they can't be changed when that data is breached. For those reasons, biometrics are more appropriately considered usernames, rather than passwords, and are often more useful as an alternative factor for local device authentication. As identifiers, they don't seem especially well-targeted to the CAPTCHA use case: an attacker could come up with, or even generate, lots of fingerprints if they wanted to.

samuelweiler commented 5 years ago

Common biometric systems today (e.g. Android login) have the biometric data stored and checked on the device. I don't see how such architectures help as a CAPTCHA. Section 3.3 needs a rewrite.