As part of our ongoing quest to o̶b̶l̶i̶t̶e̶r̶a̶t̶e̶ ̶t̶h̶e̶ ̶p̶a̶s̶s̶w̶o̶r̶d̶ make a passwordless future a reality, Duo has turned heavily to biometrics as a convenient identity verification mechanism for future use with the WebAuthn protocol. Biometrics are great! They’re really convenient, and they can be really secure. However, some implementations are not, and it’s not always clear whether a given implementation is secure. In this article, we want to shed light on the various threats biometrics defend against. We’ll look at what properties of biometrics make them good or bad at defending against one threat but not another. We’ll then take a deeper look at different fingerprint, facial identification and vein scanning technologies, and what makes them strong or weak.