
Something you have. Something you know. Something you are. The point is to have more than one, not switch one for the other.



You are just repeating a dogma, not explaining why it is not good to think of a fingerprint as a username.


It's not a username. It's a fingerprint.

Usernames are how we indicate an identity to a computer. (Note "an" identity; identities do not one-to-one map to humans.) Identity is what we are trying to establish in the first place; if we simply knew you were authorized to use an identity we wouldn't need auth in the first place. Having a matching fingerprint is evidence that an authorized user is authorized to use that identity. Knowing a username is not. They are not the same thing. Fingerprints are not perfect auth, but they are auth of a sort; usernames aren't auth at all.


>> Having a matching fingerprint is evidence that an authorized user is authorized to use that identity.

Considering that you leave your fingerprint everywhere you touch with your bare hands, is that really true?


There is a reason I chose the word "evidence" and not the word "proof". Yes, it is evidence. No, it is not proof.

Further note that possession of a password ("something you know") is also merely evidence, not proof. Also, "something you have" is not proof either; having a token is merely evidence, not proof. We have no method of proof. If that is the standard you are looking for, then I have some bad news: It is impossible to meet that standard. If we did have a direct method of proof-of-identity, we would not have to talk about evidence. We would simply use the proof.

Yes, it is possible to fool even a three-factor authentication system, with enough work. That's why it's important to understand that security is not about absolutes; it's about raising the cost of penetrating the security above the value of the thing being protected. Which is also why fingerprint protection is just fine for rather a lot of iPhone users; what's the payback for cracking a fingerprint scanner, just to get access to a metaphorical Grandma's phone? If you are concerned that the value of what is on your phone exceeds the costs of penetrating the fingerprint scanner, then use more authentication. It's about costs & benefits, not absolutes.

Would someone care to explain how the observation that fingerprints are indeed a form of auth, but usernames are not (often they are fully, intentionally public information!) is false, and therefore the entire premise of the post's title is incorrect, with something other than the downvote button? I'd really like to hear the explanation of how that's not true.


>> what's the payback for cracking a fingerprint scanner, just to get access to a metaphorical Grandma's phone?

Well, if said Grandma is rich and is sharing dirty selfies with someone she doesn't want Grandpa to know about... being able to steal and use that information will probably be worth much more than the value of the phone itself.


By definition, if Grandma's phone contains high-value information, then it contains high-value information. In that case, Grandma should take more steps to protect her high-value information. Yes, if you just rewrite the premise to the question, the answer changes.

This is some really sloppy thinking you're engaging in here. Rewriting questions to obtain the desired answer is a very dangerous cognitive habit to get into.



