As people have difficulty using secure passwords, alternatives have been sought, with biometrics being hailed because they use people's natural uniqueness.
Biometrics seem to offer the solution to secure access because they are unique to each person, don't require remembering, and sensors built into devices mean nothing has to be carried around that risks loss, as with a USB key. That sounds good in theory, but because they have to measure people's physical characteristics, they require specialised hardware. Early efforts were found to be slow or easy to fool. As the technology has improved, biometrics have become more accepted, but that improvement has relied on blending multiple measurements to guard against fakes.
However, even if accuracy improves and false matches are rejected more reliably, the real problem may be in how biometrics are stored. The measurements have to be encoded into digital form, which makes them like a unique password, except that they cannot be changed. With the increasing incidence of hacked cloud databases, effectively having the same password to log into every system goes against the prevailing security wisdom.
Of course, passwords should be stored as salted hashes, but it only takes one database that does not use them to be hacked for those people's biometric signatures to be permanently compromised. That one hack could undo the whole chain of trust, because it opens up a potential domino sequence of compromises across every database relying on that biometric.
How do we change our biometric password if we have to? We could encode the biometric in the sensing device and include a reset button that produces a random new code, which is roughly what authentication apps and devices do. However, that would require a complex series of actions to update every site relying upon the biometric, which would certainly lead to errors by most people, with lockouts being the most likely result.
It seems that the best use of biometrics is for local device access only, where they unlock a password manager that then supplies the actual long, secure password – automatically or manually generated – for a site or connected system. That keeps the biometric solely on one's personal devices, while still allowing passwords that have been compromised to be changed.
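The following is an added example, not code from the original piece, that models the arrangement described above together with the storage point made earlier: a biometric template that never leaves the device unlocks a local vault, the vault generates a distinct random password per site, sites store only salted PBKDF2 hashes, and a password leaked from one site can be rotated without touching any other. The `Site` and `PasswordManager` classes, the `enrol`/`rotate` methods and the byte-string template are all constructed for illustration; `unsalted_hash` stands in for the careless site the text warns about.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
PBKDF2_ROUNDS = 200_000  # iteration count for the server-side password hash


def generate_password(length=24):
    """Long random per-site password, as a password manager would generate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salted_hash(secret, salt=None):
    """Server-side storage: per-record random salt plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def unsalted_hash(secret):
    """What a careless site might store: the same input always yields the same digest,
    so an immutable biometric template would leak as one reusable value everywhere."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class Site:
    """A remote service (constructed for the example) that stores only salted hashes."""

    def __init__(self, name):
        self.name = name
        self._records = {}  # user -> (salt, digest)

    def set_password(self, user, secret):
        self._records[user] = salted_hash(secret)

    def login(self, user, secret):
        if user not in self._records:
            return False
        salt, stored = self._records[user]
        _, presented = salted_hash(secret, salt)
        return hmac.compare_digest(stored, presented)


class PasswordManager:
    """Vault on the user's own device, unlocked by a biometric that never leaves it."""

    def __init__(self, enrolled_template):
        self._template = enrolled_template  # constructed stand-in for a sensor template
        self._vault = {}  # site name -> (user, password)
        self._unlocked = False

    def unlock(self, presented_template):
        # Constant-time comparison of the presented template against the enrolled one.
        self._unlocked = hmac.compare_digest(presented_template, self._template)
        return self._unlocked

    def lock(self):
        self._unlocked = False

    def _require_unlocked(self):
        if not self._unlocked:
            raise PermissionError("vault is locked")

    def enrol(self, site, user):
        """Create a fresh random password for one site and register it there."""
        self._require_unlocked()
        password = generate_password()
        site.set_password(user, password)
        self._vault[site.name] = (user, password)
        return password

    def login(self, site):
        self._require_unlocked()
        user, password = self._vault[site.name]
        return site.login(user, password)

    def rotate(self, site):
        """Replace one site's password after a compromise; other sites are untouched."""
        self._require_unlocked()
        user, _ = self._vault[site.name]
        return self.enrol(site, user)

    def password_for(self, site):
        self._require_unlocked()
        return self._vault[site.name][1]
```

The design choice worth noticing is that the template is only ever compared locally in `unlock`; nothing derived from it is sent to a `Site`, so the only secrets a remote database can leak are per-site random passwords that `rotate` can replace.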