I'm noticing that Recall's auth methods via Microsoft Hello are all things you can be compelled to give up.
- biometrics
- PIN
I'm not keen on biometrics at all. Like, MS says Recall data stays on-device, but what happens when there's a patch where it suddenly doesn't stay on the device anymore? Windows Hello can be used for both local and web auth. What data about our biometrics is being stored out there?
Because once that data is out there, YOU CAN'T FUCKIN' CHANGE IT
@da_667 (Similar stance on the use of biometrics (it's generally a bad idea as the primary/only factor), just clarifying how "Windows Hello" hardware uses them)
With the design of Windows Hello, the biometrics themselves stay entirely on-device inside the fingerprint reader (much like Apple's fingerprint stuff in the Secure Enclave), even for online auth. Think "a YubiKey with a fingerprint reader instead of a button" for a mostly-accurate model of modern fingerprint readers. And at least in theory, modern ones don't even expose the biometric data to the OS, only a pass/fail or "detected known finger", with all the matching done in-device (vs the old ones that did all the matching in a userland driver).
Of course, that doesn't mean that the fingerprint readers can't or don't expose that data to the OS, just that they shouldn't per the published specs, hence why biometric authentication is still sketchy as hell unless you seriously trust the reader vendor to not include secret 'debug commands'...
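The trust boundary described in the reply above, as an added illustration that is not part of the original thread and not Microsoft's or any vendor's code. It models two reader designs side by side: a match-on-chip reader that keeps the template inside the device and only hands the host a signed pass/fail assertion over a fresh challenge, and the older userland-matching design where the template itself crosses into host memory. The biometric "templates" are constructed byte strings, and an HMAC key handed over once at registration stands in for the per-credential key pair a real authenticator would use (a modelling simplification, not the real protocol). The `template_reachable_from_host` check only inspects the documented interface, which is exactly the limit the reply points out: an undocumented export path in firmware is invisible to host software.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed biometric samples. A real reader produces a vendor-specific
# feature vector; here the "template" is just an opaque byte string.
ENROLLED_FINGER = b"constructed-template-of-finger-1"
OTHER_FINGER = b"constructed-template-of-finger-2"


class MatchOnChipReader:
    """Model of a modern match-on-device reader (the 'YubiKey with a
    fingerprint reader' picture). The template and the device secret are
    private attributes with no export method: the host only ever receives
    a pass/fail result, delivered as a signed assertion over a challenge.
    Assumption: an HMAC key handed over once at registration stands in for
    the per-credential key pair a real authenticator would generate."""

    def __init__(self) -> None:
        self._template: Optional[bytes] = None
        self._secret = secrets.token_bytes(32)

    def enroll(self, sample: bytes) -> bytes:
        """Store the template on-device; return the registration credential
        the host keeps for later verification (a real device would return
        a public key only, never a secret)."""
        self._template = sample
        return self._secret

    def authenticate(self, challenge: bytes, live_sample: bytes) -> Optional[bytes]:
        """Match inside the device; return a signed assertion or None."""
        if self._template is None or not hmac.compare_digest(self._template, live_sample):
            return None  # bare fail: no score, template or sample leaves the reader
        return hmac.new(self._secret, b"assert:" + challenge, hashlib.sha256).digest()


class UserlandMatchingReader:
    """Model of the older design: the reader hands the stored template and
    the live sample to a host driver, which does the comparison itself."""

    def __init__(self) -> None:
        self.template: Optional[bytes] = None

    def enroll(self, sample: bytes) -> None:
        self.template = sample

    def read_template(self) -> Optional[bytes]:
        return self.template  # the biometric data itself crosses into host memory

    def capture(self, live_sample: bytes) -> bytes:
        return live_sample


def host_match(driver: UserlandMatchingReader, live_sample: bytes) -> bool:
    """Userland matching: host code holds both template and sample."""
    template = driver.read_template()
    return template is not None and hmac.compare_digest(template, driver.capture(live_sample))


def host_verify(credential: bytes, challenge: bytes, assertion: Optional[bytes]) -> bool:
    """Host side of the match-on-chip design: checks the assertion over the
    challenge it issued; nothing biometric is available to it."""
    if assertion is None:
        return False
    expected = hmac.new(credential, b"assert:" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def template_reachable_from_host(reader: object) -> bool:
    """Does the reader's documented interface expose the template? This is
    what the published specs promise for match-on-chip; whether the firmware
    honours it is a property host software cannot audit."""
    return any(not name.startswith("_") and "template" in name for name in dir(reader))


def demo() -> dict:
    chip = MatchOnChipReader()
    credential = chip.enroll(ENROLLED_FINGER)
    challenge = secrets.token_bytes(16)
    legacy = UserlandMatchingReader()
    legacy.enroll(ENROLLED_FINGER)
    return {
        "chip_good_finger": host_verify(credential, challenge, chip.authenticate(challenge, ENROLLED_FINGER)),
        "chip_wrong_finger": host_verify(credential, challenge, chip.authenticate(challenge, OTHER_FINGER)),
        # An assertion for one challenge must not satisfy a different challenge.
        "chip_replayed_assertion": host_verify(credential, secrets.token_bytes(16), chip.authenticate(challenge, ENROLLED_FINGER)),
        "chip_template_reachable": template_reachable_from_host(chip),
        "legacy_good_finger": host_match(legacy, ENROLLED_FINGER),
        "legacy_template_reachable": template_reachable_from_host(legacy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes visible: in the match-on-chip design the host's entire view of the user is a boolean plus a challenge-bound assertion, so a compromised host (or a later software update) has nothing biometric to exfiltrate unless the firmware offers a path the spec does not document. In the userland-matching design, `read_template` puts the irreplaceable data in host memory by design, which is why the "you can't change it" concern applies with full force there.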
@da_667 I think about this a lot, but lack the expertise to really drill into it and haven't yet.
I really don't like the idea of my fingerprints being exposed, or the data extrapolated from them being exposed.
I know my shit is likely already out there in the hands of AT LEAST the Chinese, because lol former Army, but still...