Microsoft promises end-to-end encrypted Teams calls for some, invites you to go passwordless with Azure AD

mmm_yeah

Re: "Microsoft", "cloud", "passwordless authentication"......................

“Passwordless” isn’t the same thing as biometrics. Biometrics data, like PINs, are just “gestures” for unlocking a security component such as a hardware FIDO2 token or Windows Hello (which may or may not be backed by a TPM), which among other things are engineered to resist brute-force attacks. The decision to accept or reject such a gesture is made locally. Unlike the password, no biometrics data or PIN is transmitted over the network.

Going passwordless essentially means that instead of passwords (which are often low-quality and reused), you’re now identified by a pair of public/private keys, and the private key is protected by a tamper-resistant token. If somebody steals your token, they _probably_ don’t have your PIN or biometrics to use it. You’ll have the opportunity to disassociate the token from your account or, if they try and fail too many (e.g., 5) times, the token will clear itself. Either way, the keypair is rendered useless.

Plus, nobody can guess your password—with or without your knowledge—if you don’t have a password in the first place.

You can argue that biometrics are fundamentally identifiers and are therefore unsuitable even as a way to locally unlock a security token. Actually PINs can get reused (and shoulder-surfed) as well. The point is these risks are much more manageable and eliminating passwords gives the user much more convenience and very often much better security.
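The flow the comment describes, as an added illustration that is not part of the original post or of any Microsoft or FIDO implementation: a token holds a private key, the PIN is checked locally with a retry counter that clears the key after five failures, and the server stores only the public key and verifies a signature over a fresh challenge. The Schnorr signature over a tiny safe-prime group, the `Authenticator`/`RelyingParty` classes, the five-attempt limit and the sample user and PIN are all assumptions chosen for readability; real tokens use P-256 or Ed25519 and this toy group offers no actual security.

```python
"""Toy model of passwordless (FIDO2-style) login. Constructed for this
thread; not production crypto. The group below is deliberately tiny."""
import hashlib
import hmac
import secrets

# Toy Schnorr group: P = 2Q + 1 is a safe prime and G = 4 generates the
# subgroup of prime order Q. Real authenticators use P-256 or Ed25519.
P = 2039
Q = 1019
G = 4
MAX_PIN_RETRIES = 5  # the comment's "e.g., 5" failed gestures (assumption)


def _hash_int(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, as an integer (the Schnorr 'e')."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def schnorr_keygen():
    x = secrets.randbelow(Q - 1) + 1          # private scalar
    return x, pow(G, x, P)                    # (private, public)


def schnorr_sign(x: int, message: bytes):
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce per signature
    r = pow(G, k, P)
    e = _hash_int(r.to_bytes(2, "big"), message)
    s = (k - x * e) % Q
    return e, s


def schnorr_verify(y: int, message: bytes, sig) -> bool:
    e, s = sig
    if not (0 <= s < Q and e >= 0):
        return False
    r = (pow(G, s, P) * pow(y, e, P)) % P     # = G^k if the signature is valid
    return _hash_int(r.to_bytes(2, "big"), message) == e


class Authenticator:
    """Hardware-token model: the private key never leaves the object, and the
    PIN ('gesture') is verified here, never sent to the relying party."""

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._derive(pin)
        self._priv, self.pub = schnorr_keygen()
        self.failed_attempts = 0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    @property
    def wiped(self) -> bool:
        return self._priv is None

    def sign_challenge(self, pin: str, rp_id: bytes, challenge: bytes):
        if self.wiped:
            raise PermissionError("token has cleared its key material")
        if not hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_PIN_RETRIES:
                self._priv = None             # brute-force resistance: self-clear
            raise PermissionError("wrong PIN")
        self.failed_attempts = 0
        # The signed message binds the site identity and the server's nonce.
        return schnorr_sign(self._priv, rp_id + b"|" + challenge)


class RelyingParty:
    """Server model: holds only public keys and one pending challenge per user."""

    def __init__(self, rp_id: bytes):
        self.rp_id = rp_id
        self._users = {}
        self._pending = {}

    def register(self, username: str, pub: int) -> None:
        self._users[username] = pub

    def start_login(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)   # never reused, so no replay
        self._pending[username] = challenge
        return challenge

    def finish_login(self, username: str, signature) -> bool:
        challenge = self._pending.pop(username, None)
        pub = self._users.get(username)
        if challenge is None or pub is None:
            return False
        return schnorr_verify(pub, self.rp_id + b"|" + challenge, signature)


def demo() -> dict:
    """Constructed scenario: normal login, replayed signature, stolen-token PIN guessing."""
    token = Authenticator(pin="4821")                 # constructed sample PIN
    rp = RelyingParty(b"login.example.test")          # placeholder RP id
    rp.register("alice", token.pub)
    challenge = rp.start_login("alice")
    sig = token.sign_challenge("4821", rp.rp_id, challenge)
    login_ok = rp.finish_login("alice", sig)
    rp.start_login("alice")                           # new challenge issued
    replay_ok = rp.finish_login("alice", sig)         # old signature rejected
    for _ in range(MAX_PIN_RETRIES):                  # thief guessing the PIN
        try:
            token.sign_challenge("0000", rp.rp_id, rp.start_login("alice"))
        except PermissionError:
            pass
    return {"login_ok": login_ok, "replay_ok": replay_ok, "wiped": token.wiped}
```

Two things worth noticing when running `demo()`: the only values that ever cross the "network" are the public key at registration and `(challenge, signature)` at login, so there is no password-equivalent for a phishing page or a breached database to collect; and the retry counter lives inside the authenticator, which is what makes a stolen token useless after a handful of guesses, though it also means a PIN lockout is the trade-off for that protection.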
