Re: "Microsoft", "cloud", "passwordless authentication"......................
This is a different scenario - this is "something that you have", which is a different combination. However if you consider the "something that you have" scenario, consider chip+PIN - this is a combination of "something that you have", as in the physical card, as well as "something that you know", as in the PIN. This is considerably more secure than you just presenting your card and taking money out - although this is how contactless pretty much operates with the threat that sometimes we have to enter our PIN anyway and it does have the safety stop that the card may be stopped if reported stolen or lost.
Security is as secure as the least secure element in the chain. It doesn't matter if you have military grade security at every other step if one of the steps in the chain is a piece of string. Maybe a better example... :) you could have a very secure lock to your front door but if a copy of the key to the door is stored in a cheap'n'nasty "carer" or "emergency" key storage device, typically a combination lock, the overall security is not measured by the quality of your lock, it's measured by the security of the key storage device attached to your wall and the security and secrecy of the combination that is required to open it... or, typically enough, a small shim of metal as that's usually all it takes to open such locks. Biometrics is this combination lock - except it's worse as the combination may never be changed.
The biometrics that are the most issue are the entirely crap ones like face recognition or fingerprint... as in everything that the likes of Microsoft are pushing as being in some way "secure" or a replacement for a password. They do have their place, of course, like anything in security, but they are very far from any kind of solution on their own - they can enhance security when taken with other factors, but when used to replace other factors they reduce security.
Biting the hand that feeds IT
